Okay, okay, I just can’t not post about this.
Anyone with the smallest interest in web development will have heard of the Heartbleed bug by now. If that’s not you, no doubt you’ve seen a couple of password-reset and security-warning emails fly by from services you’re registered with. Allow me to explain why.
You know how some website URLs have (or put) “https” in front of them, instead of “http”? In layman’s terms, this means you are connected to the website over a secure connection, so any data you send (login information, credit card info, etc.) is encrypted, hidden from any eyes that may be spying on the network. Recently, a vulnerability (CVE-2014-0160, nicknamed Heartbleed) was found in OpenSSL, the library a huge share of web servers use to do that encryption. A missing length check in its implementation of the TLS “heartbeat” extension lets anyone who can reach a vulnerable server ask it to echo back up to 64 KB of whatever happens to be in its memory, as often as they like, and a heartbeat normally leaves nothing in the server’s logs. That memory can hold whatever the server was working on: email messages, passwords, payment data, session cookies, even the private key behind the site’s certificate, which would let an attacker decrypt or impersonate its traffic. And seeing as how Apache and nginx, which both rely on OpenSSL, together served roughly two thirds of active websites at the time, I think you’ll have no trouble seeing how this is a big deal.
So, what the fuck, right? How could this happen? From what I’ve gathered, it’s sloppy coding for the most part. The bug itself is a missing bounds check in the heartbeat code, which was added to OpenSSL in 2011 and shipped in version 1.0.1 in 2012 (every 1.0.1 release up to 1.0.1f is affected; 1.0.1g fixes it). What made it so much worse is a small performance enhancement from years back: OpenSSL keeps its own pool of recycled buffers instead of handing freed memory back to the operating system’s allocator. That enhancement has stayed turned on by default ever since, builds without it went untested, and the result is that a buffer still full of the previous request’s data (or the private key) is exactly what gets reused for the next one, while any protections the system allocator might have put in front of an over-read never get a look. It doesn’t cause the bug, but it goes a long way toward making sure the bug is exploitable, which is why some people have started up the conspiracy cauldrons about the NSA using this sloppy code as a mask for their “let us eavesdrop easily” schemes. And I wouldn’t call it that crazy a theory.
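To make the mechanics concrete, here is a toy model of the bug and its fix in C. This is an added illustration, not part of the original post and not OpenSSL’s actual source: the record layout follows RFC 6520, the “server memory”, the request bytes and the secret string are all constructed for the demo, and the function names are made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the TLS heartbeat extension (RFC 6520), written for this post.
 * It is NOT OpenSSL's code; it only reproduces the shape of the bug and the fix.
 *
 * HeartbeatMessage layout:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Vulnerable responder: trusts the 16-bit length the peer wrote into the header
 * and echoes that many bytes, even when the record that actually arrived is
 * shorter. Whatever sits in memory after the record gets copied out too. */
static size_t hb_respond_vulnerable(const uint8_t *rec, size_t rec_len,
                                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];   /* attacker-controlled */
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)             /* only the OUTPUT buffer is checked */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* may read far past rec_len: the bug */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Patched responder: adds the one check the original lacked. OpenSSL 1.0.1g's
 * fix has the same shape: if the declared payload does not fit inside what was
 * actually received, discard the record silently (as RFC 6520 says to). */
static size_t hb_respond_patched(const uint8_t *rec, size_t rec_len,
                                 uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_PADDING > rec_len)   /* the missing bounds check */
        return 0;
    /* With the check passed, payload_len <= rec_len - 19, so the copy below stays
     * inside the received record; the echo logic itself is unchanged. */
    return hb_respond_vulnerable(rec, rec_len, out, out_cap);
}

/* Constructed "secret" standing in for whatever else the server had in memory. */
static const char SECRET[] = "Cookie: session=4f3c9a; user=alice";

static int contains(const uint8_t *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Simulates one malicious heartbeat against a server whose memory holds SECRET
 * right after the received record. Returns 1 if SECRET shows up in the
 * response, 0 if it does not (or the request was dropped). */
int demo_leaks_secret(int patched)
{
    uint8_t memory[256] = {0};      /* stand-in for the server's heap */
    uint8_t out[256] = {0};
    const size_t rec_len = 1 + 2 + 4 + HB_PADDING;   /* 23 bytes actually on the wire */

    memory[0] = HB_REQUEST;
    memory[1] = 0x00;               /* declared payload length 0x0080 = 128 bytes... */
    memory[2] = 0x80;
    memcpy(memory + 3, "ping", 4);  /* ...but only 4 bytes of payload were sent */
    memcpy(memory + rec_len, SECRET, sizeof SECRET);   /* neighbouring data */

    size_t n = patched ? hb_respond_patched(memory, rec_len, out, sizeof out)
                       : hb_respond_vulnerable(memory, rec_len, out, sizeof out);
    return n != 0 && contains(out, n, SECRET);
}

/* Same request with an honest length field: both responders answer it (23 bytes). */
size_t demo_honest_request(int patched)
{
    uint8_t rec[1 + 2 + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return patched ? hb_respond_patched(rec, sizeof rec, out, sizeof out)
                   : hb_respond_vulnerable(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable server leaks secret: %s\n", demo_leaks_secret(0) ? "yes" : "no");
    printf("patched server leaks secret:    %s\n", demo_leaks_secret(1) ? "yes" : "no");
    return 0;
}
```

The whole difference between the two responders is one comparison against the length of the record that really arrived; everything else, including the attacker-chosen 16-bit length, is identical. In the toy the leaked “memory” is a neighbouring array; on a real server it was whatever the recycled buffer last held.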
So, what does this mean for you? Well, for all you know your precious passwords and such have fallen into the wrong hands. Nobody can really say for sure what has been leaked, since the attack leaves no trace in the usual logs, which is why you’ll see lots of sites urging you to change your password. A lot of big players have already updated to a fixed version of OpenSSL so they are no longer vulnerable. One catch, though: changing your password on a site that hasn’t patched yet is pointless, because the new one can leak exactly like the old one did, and a site that has patched also needs to replace its certificate, since the old private key may already be in someone’s hands. But for now I would be careful when it comes to trusting “https” for keeping your data secure.
(Update: xkcd did a nice explanation of how the bug actually works, here.)
Man, sometimes I wish I didn’t know so much about this stuff so I wouldn’t be so terribly bothered by all this. But I’ll be damned if this isn’t a large-scale, frightening issue.