
Friday, April 11, 2014

The Wall Street Journal, April 11, 2014


5 QUESTIONS ABOUT ‘HEARTBLEED’


Website operators are racing to fix a problem found in certain versions of a widely used encryption tool. Here are answers to five questions about the bug, which security researchers have nicknamed “Heartbleed.”


1. WHAT IS HEARTBLEED?


Heartbleed is a security flaw in certain versions of an encryption tool called OpenSSL that was being used by about two-thirds of Internet servers when the bug was disclosed Monday.
Researchers at Google and Codenomicon, a cybersecurity company, nicknamed it Heartbleed — having to do with the bleeding of sensitive data from servers.
The bug allows hackers to scoop out protected data from servers that are hosting websites. Bruce Schneier, who writes about security, called the bug “catastrophic.”
“On the scale of 1 to 10, this is an 11,” he wrote on his website.

2. WHO IS AFFECTED BY THIS BUG?

It’s still unclear. Yahoo Mail, Amazon Web Services, OKCupid and many other websites and services were vulnerable when the bug was announced. Some researchers said they were able to collect user names and passwords from Yahoo to show how the bug works. Those companies since have taken steps to fix the problem.
Canada’s tax-collection authority Wednesday decided to temporarily shut down its online tax-filing service out of precaution.

3. HOW DID THIS HAPPEN?

Website operators increasingly employ encryption to mask sensitive data that people send from their computers to Web servers.
This encryption, for example, can stop a hacker lurking at your local coffee shop from grabbing your bank password as that data travels to a wireless router. This type of encryption is called secure sockets layer (SSL) or transport layer security (TLS). The website you are visiting uses this kind of encryption if you see a little image of a padlock next to the address bar. That’s good.
Heartbleed affects versions of that encryption offered by OpenSSL, an open-source project that gives people access to encryption. Most websites use it — it’s free. In this case, website servers were holding on to bits of once-protected personal information. That allows a hacker to go in and scoop out the data to reconstruct usernames, passwords and keys to monitor all of a Web server’s traffic going forward. That’s bad.

4. WHAT IS BEING DONE ABOUT IT?

On Monday, OpenSSL released a new version without the bug. Website operators have to install the new version and reset their systems. Big tech companies are urging people to reset their passwords.

5. WHAT CAN I DO?

If a service you use was affected by Heartbleed, wait until the company makes the update before changing your password. Not sure if the service is affected? Type the address into the tool set up by Qualys, a cybersecurity company.
If the service wasn’t affected, consider changing your password anyway. Now is a good time to ensure you are using a robust password with numbers, letters and symbols — and turn on two-factor authentication wherever possible.
