OpenSSL Bug 'Heartbleed' Could've Leaked Private Data Online

Security researchers say the bug, which affects software used by two out of every three web servers, made personal info vulnerable to attackers.

Web operators and users are scrambling to make fixes this week after a major security vulnerability discovered Monday threatened to cause a little heartbreak on the Internet.

The vulnerability is called Heartbleed, a pretty epic name for a serious security issue centered on the open-source software OpenSSL. The second part of that word, SSL, stands for Secure Sockets Layer, and it basically keeps other people from spying on your info while you're making secure transactions over the Web.

"You may know of SSL by some common things you see every day in your Internet browser, like the padlock, the browser bar turning green, the 'https' protocol or the secure site seal." (Via GlobalSign)

All of those indicate to users that everything is good to go and you don't have to worry about your personal information being compromised. 

But The New York Times reports security researchers found an OpenSSL bug that allows attackers to access information through the memory of any server running SSL, which "powers encryption for two-thirds of web servers." The Times adds, "Researchers are calling the bug 'Heartbleed' because it affects the 'heartbeat' portion of the OpenSSL protocol, which pings messages back and forth."

This incomplete list compiled Tuesday showed just how many sites were affected, including Yahoo, Flickr, Slate, OkCupid and several others. (Via GitHub)

And the news doesn't get any better from there: NPR reports the scope of the problem is massive because it's hard to tell which sites are affected or when they've been fixed. They add that companies will have to generate new SSL certificates, which could take days or weeks.

For users, simply changing passwords might not be enough. As CNET reports, "That's a big problem as more and more of people's lives move online, with passwords recycled from one site to the next." 

Even if you've covered your bases and changed passwords, the Heartbleed bug has been around for two years. That's two years of communications that could've been scooped up by attackers. 

There is some good news, though. You can test your site here to see if it's vulnerable. If it is, you can upgrade to a newer version of OpenSSL, which can be found at Heartbleed.com.

If you're just too iffy on the proposed safety measures or your security on the web, take some advice posted on Tor and "stay away from the Internet entirely for the next few days while things settle."