The Heartbleed Bug: A Review

April 29, 2014

By Web Programmer Brandon Edmark

Some reports called it the greatest security danger since commercial traffic started flowing through the World Wide Web. Thanks to the vast danger it suggested, along with the colorful name it was given, it swept international news in record speed. You may have been prompted to change your password on many popular websites because of it. However, many are still unclear as to the nature of the Heartbleed bug.

What is it? Some early news reports erroneously suggested it was a virus that spreads from computer to computer. Actually, the Heartbleed bug is a mistake in the software library called OpenSSL. You may not have heard of this set of code, but it powers the security features for websites including Tumblr, Yahoo, Dropbox, Imgur, OKCupid, and many more. OpenSSL is also utilized within Apache and Nginx, the two most popular general-purpose webserver applications available. Together, these two pieces of software are estimated to serve about two-thirds of all websites.

When OpenSSL functions properly, it encrypts the sensitive data you send to websites, such as your credit card information or your account passwords. With the Heartbleed bug, hackers can request that a server send a large excerpt of private data directly to them. This data can contain exactly the information you wish to keep private. The data can also be repurposed to direct users to fake duplicates of legitimate websites that can steal even more information.

The bug became public knowledge on April 8th, as security companies like Codenomicon spread the word about the danger to major news sources. Within the next few days, responsible web companies – including Image Management – had updated their version of OpenSSL to resolve the issue.

The Heartbleed logo designed by Codenomicon

By now, the danger should largely be over. Because the bug was a problem with server software, and not with consumer software, there is little that the average web user needs to do. The best course of action is to change one’s account passwords on public websites. This will ensure that any account data that might have been leaked during the vulnerability period can no longer be used by hackers to access accounts.

That said, it is important to keep on the watch for news of further security problems. The Internet is composed of a vast decentralized conglomerate of code, and there are bound to be security vulnerabilities waiting to be exploited. Responsible web users and web developers must take care to ensure that the Internet remains as safe as possible.