With a name like Heartbleed, it's no surprise it's bad. A vulnerability in OpenSSL — the Internet's most commonly used cryptographic library — has been bleeding out information, 64 kilobytes at a time, since March 2012.
"I would classify it as possibly the top bug that has hit the Internet that I've encountered, because of it being so widespread, because it's so hard to detect," says Andy Grant, a security analyst at iSEC Partners.
Are you affected? Well, users may not even realize they are using OpenSSL. But if you've ever noticed that websites you access show an "https" address, and a lock appears next to the address, you're on OpenSSL.
OpenSSL encrypts your data, including passwords and personal information, when it travels to a server. That means you may enter a password into your online banking site, but as the information for your transaction travels to your bank, it's jumbled up and made indecipherable — encrypted — as it's traveling through the Internet. This is supposed to keep hackers from eavesdropping.
Just before the bug was publicly disclosed, the people who maintain OpenSSL had fixed the vulnerability. But it's up to Internet companies to enter fixes for their own software — "swapping out" the cyberlocks that protected their data.
"You're probably protected from this point going forward," NPR's news applications developer Jeremy Bowers told member station WUNC on Wednesday. "The part that is dangerous is the [open vulnerability of the] previous two years and the possibility that at any point since 2012 that your [logins] for various places were compromised."
While individual users can't patch the holes, keep in mind some general Internet hygiene that we should be doing anyway.
Copyright 2020 NPR. To see more, visit https://www.npr.org.