This is about the heartbleed bug, isn’t it?

Yes, it is.

Which doesn’t leave me any wiser!

The story begins with OpenSSL, an extremely popular piece of open source software that many servers use to encrypt Internet traffic. A change to OpenSSL's "heartbeat" extension, written at the end of 2011 and shipped in the OpenSSL 1.0.1 release of March 2012, introduced a mistake: the server trusts the payload length a client claims in its heartbeat message and never checks it against the size of the message it actually received, so it answers with that many bytes of whatever happens to sit in its memory, up to 64 kilobytes per request. That memory can hold passwords, session cookies and even the server's private key, in the clear, and the attacker needs no login to ask. The bug is Heartbleed (CVE-2014-0160).
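To make the mistake concrete, here is an added example in C, written for this column; it is not OpenSSL's code. A fixed array stands in for a slice of the server's memory, with a heartbeat record at the front and a constructed session cookie and password planted right behind it. The "vulnerable" handler follows the shape of the original OpenSSL logic (trust the length in the message), the "fixed" handler adds the two checks that the 1.0.1g patch added, and a small helper reports whether the reply contained the planted secret. The message, the secret and the buffer sizes are all assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a slice of a server process's memory. The received
 * TLS heartbeat record sits at the front; whatever happened to be allocated
 * next in the heap (here a made-up cookie and password) sits right after it. */
#define MEM_SIZE 256
static unsigned char server_memory[MEM_SIZE];
static const char *neighbour_secret = "session=abc123; password=hunter2";

/* Lay out a heartbeat request (RFC 6520: 1-byte type, 2-byte payload length,
 * payload, at least 16 bytes of padding) at the start of server_memory.
 * The sender claims claimed_len payload bytes but supplies only actual_len.
 * Returns the real record length, which is what the TLS record layer knows. */
size_t build_record(const unsigned char *payload, size_t actual_len,
                    uint16_t claimed_len) {
    memset(server_memory, 0, MEM_SIZE);
    server_memory[0] = 1;                         /* TLS1_HB_REQUEST */
    server_memory[1] = (unsigned char)(claimed_len >> 8);
    server_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_memory + 3, payload, actual_len);
    size_t rec_len = 1 + 2 + actual_len + 16;     /* header + payload + padding */
    /* plant the secret immediately behind the record, as neighbouring heap data */
    strcpy((char *)server_memory + rec_len, neighbour_secret);
    return rec_len;
}

/* Handler in the shape of OpenSSL 1.0.1 through 1.0.1f: the length field
 * inside the message is trusted and that many bytes are copied into the reply.
 * rec_len, the length the record layer actually received, is never consulted. */
size_t heartbeat_vulnerable(size_t rec_len, unsigned char *out, size_t out_cap) {
    const unsigned char *p = server_memory;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    (void)rec_len;                                /* the bug: never compared with payload */
    if (hbtype != 1) return 0;
    /* Simulation guard only: real OpenSSL had no cap and read past the end of
     * its buffer; here we stay inside server_memory so the program is well-defined. */
    if (payload > out_cap) payload = (uint16_t)out_cap;
    memcpy(out, p, payload);                      /* over-read: copies bytes past the record */
    return payload;
}

/* Handler with the checks the 1.0.1g fix added: drop records too short to hold
 * a header, and drop any request whose claimed payload does not fit in the record. */
size_t heartbeat_fixed(size_t rec_len, unsigned char *out, size_t out_cap) {
    const unsigned char *p = server_memory;
    if (rec_len < 1 + 2 + 16) return 0;           /* silently discard */
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != 1) return 0;
    if ((size_t)1 + 2 + payload + 16 > rec_len) return 0;  /* the missing bounds check */
    if (payload > out_cap) return 0;
    memcpy(out, p, payload);
    return payload;
}

/* Does a reply of n bytes contain the planted secret anywhere? */
int leaks_secret(const unsigned char *out, size_t n) {
    size_t m = strlen(neighbour_secret);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, neighbour_secret, m) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char reply[MEM_SIZE];
    /* The attacker sends a 2-byte payload but claims 64 bytes. */
    size_t rec_len = build_record((const unsigned char *)"hi", 2, 64);
    size_t n = heartbeat_vulnerable(rec_len, reply, MEM_SIZE - 3);
    printf("vulnerable handler: replied %zu bytes, secret leaked: %s\n",
           n, leaks_secret(reply, n) ? "yes" : "no");
    n = heartbeat_fixed(rec_len, reply, MEM_SIZE - 3);
    printf("fixed handler: replied %zu bytes (0 means the request was dropped)\n", n);
    return 0;
}
```

The point to take away is in the two handlers' only real difference: one line comparing the claimed payload length with the length the record layer actually delivered. Nothing about the attacker's message is malformed enough to be rejected anywhere else, which is why a scanner that checks for the bug has to send such a message itself rather than look at the server from the outside.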

So, should I change my passwords?

You should, but not yet. A new password sent to a server that is still vulnerable can be read out of its memory just as easily as the old one. Changing passwords on a schedule is not what protects you here; changing them after a site has closed the hole is.

Oh. We’re doomed then?

While we now know how this came about, experts still disagree on how wide the implications are and how long it will take to fix the problem.

New consequences are being reported every day. What is really worrying is that the usual signs of safety we are trained to look for, the padlock in the address bar, the 's' after http, or the certificate warnings your browser shows for suspicious sites, do not help here. They only tell you that the connection is encrypted, not whether the server's OpenSSL has been patched. Worse, if an attacker used the bug to copy a site's private key, they can impersonate that site with its own genuine certificate, and the padlock will look perfectly normal until the site gets a new key and the old certificate is revoked.

What about those Web tools that scan infected websites?

Turns out you can't trust those services either. A UK-based security firm found that a majority of these detection tools fail to detect a vulnerable site, reporting it as safe when it is not.

That’s bleak.

It gets worse. The makers of Tor, the free software that bounces traffic through a chain of volunteer relays to provide online anonymity, posted on their blog that users who need strong anonymity should stay away from the Internet entirely for a few days, until the dust on Heartbleed settles.

But all we need to do is shut the door, right?

A fixed version of OpenSSL (1.0.1g) has been released so servers can protect themselves. But you will not be truly safe online until every service you use has applied the update and replaced the keys and certificates the bug may have exposed. It is also difficult to ascertain how vast the problem is, because OpenSSL is built into everything from small online stores to large corporate systems and network appliances.

What kind of information does this compromise?

For individuals, attackers can take the usual from you: login IDs, passwords, credit card numbers. Some say NSA snooping is likely, a charge the agency has denied. Service providers (websites and their servers) need to install the fix (called a 'patch'), and then, because the old private key may already have been copied, generate a new key, get a new security certificate for it, revoke the old one, and log everyone out so that stolen session cookies stop working. Getting a new certificate for the same old key fixes nothing. Besides, all the work that goes into securing the Web is expected to slow online speeds for a while.

So a lot of data must have been lost in the two years since the bug was introduced?

The bug was discovered only in March, by a Google engineer, and independently shortly afterwards by the Finnish security firm Codenomicon; its existence was announced only last week. It is not clear whether anybody exploited the flaw before that, and because a successful attack leaves no trace in a server's logs, it may never be clear. The first confirmed breaches because of Heartbleed came two days ago, from a UK parenting website (Mumsnet) and Canada's tax department (the Canada Revenue Agency).

There’s not much I can do then?

Heartbleed is turning out to be one of the biggest Internet security scares yet. If a website where you are registered informs you that it has patched against Heartbleed, only then change your password; changing it earlier just hands the new one to the same hole. Set up two-step verification where you can, like on Gmail. Keep an eye on your bank statements, and hope people leave your account alone.

A weekly column that helps you ask the right questions
