
David Talbot

A View from David Talbot

What Should You Do About Heartbleed? Excellent Question.

An Internet bug had massive potential security implications. But good luck getting information on whether any actual damage was done.

April 9, 2014

A long-lasting bug called Heartbleed has undermined basic security across the Internet. In theory, it exposed encryption keys, users’ names, and passwords, and data for two-thirds of the world’s websites. This is because of a newly discovered flaw in software called OpenSSL, which is supposed to allow for encrypted data exchange (see “The Under-Funded Project Keeping the Web Secure”).
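The OpenSSL defect the article refers to, shown as an added byte-level model (this is illustrative code written for this page, not the article's or OpenSSL's own): the TLS heartbeat handler trusted the request's own 16-bit length field, so a request whose length field exceeded its real size was answered with whatever lay next to it in memory; the fixed handler applies the bounds check the patch introduced. The "adjacent" secret and the memory layout are constructed for the demonstration.

```python
import struct
from typing import Optional

# TLS Heartbeat (RFC 6520) constants used by the model.
HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed placeholder for data that sits beside the record in the
# server's memory and must never be sent back to a client.
SECRET_NEIGHBOR = b"SESSION_COOKIE=placeholder-secret;"


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Serialize a HeartbeatRequest; claimed_len lets a sender misstate the length field."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def process_heartbeat_vulnerable(memory: bytes) -> bytes:
    """Pre-fix behaviour: the record starts at offset 0 of `memory`; the handler
    copies `payload_len` bytes from the record's payload pointer without checking
    that the record actually contains that many bytes."""
    _hbtype, payload_len = struct.unpack("!BH", memory[:3])
    echoed = memory[3:3 + payload_len]  # reads past the record when payload_len lies
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def process_heartbeat_fixed(record: bytes) -> Optional[bytes]:
    """Post-fix behaviour: discard the record (return None) if it is shorter than a
    minimal heartbeat or if the declared payload would extend past its end."""
    if len(record) < 1 + 2 + PADDING_LEN:
        return None
    _hbtype, payload_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_len + PADDING_LEN > len(record):
        return None
    echoed = record[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def leaked_bytes(memory: bytes, record_len: int) -> bytes:
    """Return whatever the vulnerable handler echoed from beyond the record itself."""
    response = process_heartbeat_vulnerable(memory)
    echoed = response[3:-PADDING_LEN]
    return echoed[max(0, record_len - 3):]
```

Running the fixed handler on the same misstated request returns None, which is the whole patch: a length comparison between the claimed payload and the record that carried it.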

So what does it mean for you? Ordinary Web users really have no way of finding out how relatively safe or unsafe the websites they use are, or to know what, if anything, to do at this point. Yes, you can visit this site to see if a website you use is still unpatched now (if so, don’t change your password yet). Or this one to see if it was vulnerable during a scan done Tuesday. If it had a problem and was fixed, you should change your password.

But was a website vulnerable at some earlier point, but then quietly fixed? There’s no easy way to answer that. Did anyone actually walk through open front doors and take anything? Nobody knows. Were some websites safer than others all along, or quicker in fixing the error? Also a black box. Are websites being forthcoming about their own interactions, if any, with Heartbleed? This morning I looked at a few banking and other websites and found no reference to this, either way. Bottom line: the Internet can be a very challenging place, from the consumer-rights point of view.

As to whether actual damage occurred, the worst fears may be unfounded. I emailed Stephen Farrell, a cryptologist at Trinity College, Dublin. He is trying to make the Internet more secure through wider encryption of basic transactions, something he’s doing as part of the Internet Engineering Task Force, the band of engineers who write Internet code. “Don’t panic,” he replied. “People who administer servers should be, or have finished, patching. I think all mine are done.” And ordinary people “should be, as always, using up to date browsers.”

But how bad is this? Were encryption keys stolen and damage done? “I’ve not yet come to a conclusion as to whether or not this justifies revoking and re-generating keys. While in principle the exploit could have extracted keys from servers, I have not so far seen details of whether specific platforms are more or less likely to leak quite so badly … I’ve not seen details yet that’d help me decide if I need to regenerate the keys for my servers so I’ve not done that so far.” He suggested that some larger websites “probably will regenerate keys and get new certificates but that should be invisible to end users.” His initial assessment on damage done is that “it’s very hard to know just yet.”

Millions of websites allow all sorts of information to be free, but their own operations and level of security can be scarily opaque.
