How Heartbleed flaw works and what you should do

Photo (Mark Huffman @ ConsumerAffairs)

Heartbleed, of course, is the latest security flaw to put consumers' personal information at risk, and from the news accounts you've read, you probably get the idea it's serious business.

It all stems from a small mistake in code added to OpenSSL, the open-source encryption library that web services like Facebook, Amazon, Google, you name it, use to protect sensitive data as it travels between your browser and their servers.

The mistake was made at the end of 2011, in a change that shipped in OpenSSL 1.0.1 in March 2012. It involved the TLS "heartbeat" extension, a small keep-alive message exchanged between a user's computer and a server running OpenSSL.

The two computers talk to one another from time to time to make sure the connection is still alive. The user's computer sends a short piece of data, the word "potato," for instance, along with a number stating how long that data is (six characters), and asks the server to send it back.

Critical step left out

But the server-side code never checked that the length the client claimed matched the number of characters the client had actually sent; it simply trusted the number in the message. Adam Allred, research technologist at the Georgia Tech Information Security Center (GTISC), says that small oversight resulted in a huge security breach.

“Someone could then say 'send me back the word potato, but it's 500 characters long.' So the server, being none the wiser, sends back the word potato in the first six characters and then sends the next 494 characters, whatever they happen to be, after the word potato,” Allred told ConsumerAffairs.

This information is encrypted as it moves over the network, but the server has to decrypt it to use it, and the decrypted data sits in the server's memory, potentially right next to the word potato. Those extra characters are whatever happened to be stored nearby: other users' names and passwords, session cookies, and in some cases the server's own private key. An attacker can repeat the request as often as it likes, pulling up to about 64 KB of memory each time, without logging in and without leaving a trace in the server's ordinary logs.
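The over-read described above, as an added example that is not part of the original article or of OpenSSL's own code: a small C model of the heartbeat handler, with the pre-fix behaviour beside the two length checks that OpenSSL 1.0.1g added. The toy "process memory", the record built by setup_memory, the secret string and all function names are constructed for this demonstration; the message layout follows RFC 6520 and the checks in heartbeat_fixed are the ones in the fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The receiver must echo the payload back in a response of the same shape. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Toy "process memory", constructed for this example: the received heartbeat
 * record is placed at offset 0 and unrelated data (here another user's login)
 * sits right after it, as it could on a real server's heap. */
#define MEM_SIZE 256
static unsigned char process_memory[MEM_SIZE];
static const char secret[] = "user=alice&password=hunter2";

/* Place a heartbeat request in process_memory that carries `actual` payload
 * bytes but claims `claimed` in its length field, then store the secret right
 * after it. Returns the record length, i.e. the number of bytes really received. */
size_t setup_memory(const char *payload, size_t actual, uint16_t claimed)
{
    unsigned char *rec = process_memory;
    memset(process_memory, 0, MEM_SIZE);
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    memcpy(rec + 3, payload, actual);
    memset(rec + 3 + actual, 0, HB_PADDING);
    size_t rec_len = 3 + actual + HB_PADDING;
    memcpy(process_memory + rec_len, secret, sizeof secret);
    return rec_len;
}

static uint16_t claimed_length(const unsigned char *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Echo step shared by both handlers: build a response and copy `payload` bytes
 * from just after the 3-byte header, wherever those bytes happen to be. */
static int echo(const unsigned char *rec, uint16_t payload, unsigned char *out, size_t out_cap)
{
    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (rec[0] != HB_REQUEST || resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);          /* the over-read happens here if payload lies */
    memset(out + 3 + payload, 0, HB_PADDING);   /* OpenSSL fills the padding with random bytes */
    return (int)resp_len;
}

/* Pre-1.0.1g behaviour: trusts the length field and never looks at how many
 * bytes actually arrived. Returns the response length, or -1 if rejected. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap)
{
    (void)rec_len;                              /* the bug: the real length is never consulted */
    return echo(rec, claimed_length(rec), out, out_cap);
}

/* The fix shipped in OpenSSL 1.0.1g: two bounds checks against the received
 * length; a request that claims more than it carried is silently discarded. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)                       /* too short for header + padding */
        return -1;
    uint16_t payload = claimed_length(rec);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)     /* claimed more than was received */
        return -1;
    return echo(rec, payload, out, out_cap);
}

/* Substring search over a response (memmem is not portable C). */
int response_contains(const unsigned char *resp, int resp_len, const char *needle)
{
    size_t n = strlen(needle);
    if (resp_len < 0 || (size_t)resp_len < n)
        return 0;
    for (size_t i = 0; i + n <= (size_t)resp_len; i++)
        if (memcmp(resp + i, needle, n) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char resp[512];
    size_t len = setup_memory("potato", 6, 6);   /* honest: 6 bytes sent, 6 claimed */
    printf("honest request: vulnerable=%d fixed=%d bytes\n",
           heartbeat_vulnerable(process_memory, len, resp, sizeof resp),
           heartbeat_fixed(process_memory, len, resp, sizeof resp));
    len = setup_memory("potato", 6, 64);         /* lying: 6 bytes sent, 64 claimed */
    int n = heartbeat_vulnerable(process_memory, len, resp, sizeof resp);
    printf("lying request:  vulnerable=%d bytes, password leaked: %s; fixed=%d\n", n,
           response_contains(resp, n, "hunter2") ? "yes" : "no",
           heartbeat_fixed(process_memory, len, resp, sizeof resp));
    return 0;
}
```

Run as-is, main sends an honest request, which both handlers echo, and a lying one that claims 64 bytes for a 6-byte payload: the vulnerable handler answers with 83 bytes that include the login stored after the record, while the fixed handler returns -1 and sends nothing. The claimed length is kept below the 256-byte toy memory so the demo stays inside its own buffer; a real server copied up to 64 KiB from wherever on the heap the record happened to land, which is why the fix checks the claimed length against the bytes actually received rather than trusting the message.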

The flaw went unnoticed for more than two years. Then security researchers, at Google and, independently, at the Finnish firm Codenomicon, found it, and it was publicly disclosed in April 2014.

“At this point, a week later, the skill level needed to exploit the Heartbleed vulnerability is much lower,” Allred said.

One in five chance

As it turns out, only about 17% of the Internet's HTTPS web servers, an estimated half a million, were running the flawed version of OpenSSL, so as a consumer you have roughly a one in five chance that any given password-protected site you visit was affected. Still, Allred says consumers have a right to be concerned.

“As a consumer you have to think about every website you go to that uses 'https,'” he said. “For every one of those websites you have to ask, were they vulnerable and if they were, you need to change your password for those sites. But you have to do it after those sites patch.”

That bears repeating. Don't change your password for a site until it has been patched: a new password typed into a still-vulnerable server can be stolen just as easily as the old one. And a site is only fully fixed once it has updated OpenSSL, obtained a new certificate with a new private key (the old key may itself have leaked) and revoked the old one.

How do you know which sites were affected and which ones have been patched? Fortunately, that information is readily available online. Mashable, for example, maintains a running list of major sites and whether they have updated. A server can also be tested directly: a flawed server answers a heartbeat request that claims more data than was sent with extra bytes of its memory, while a patched one ignores the request.

Lessons

Are there any lessons to be learned from the Heartbleed security flaw? Allred sees one big one.

“What I would like to see happen is a new awareness that an extremely important set of code that so many people in the world rely on and don't even know it, is being developed by very few people with very little money,” Allred said. “Many of the people writing code are volunteers. The OpenSSL Project has one full-time employee.”

That's right. This critically important part of the Internet infrastructure is basically a volunteer operation.

Allred suggests Google, Facebook and other web giants have a vested interest in making the system more secure, and should start investing money in OpenSSL to provide the people and infrastructure needed to build better software.