What is Heartbleed?
It's a flaw in a widely used security technology known as OpenSSL. Sites using SSL commonly have addresses that begin with HTTPS and display a padlock icon to let users know information is being encrypted. Data potentially exposed by the programming flaw includes usernames, passwords, photos and credit card details. According to Mark Nunnikhoven, vice-president of Cloud and Emerging Technologies at security firm Trend Micro, OpenSSL is the most commonly used security protocol and is in place on roughly two-thirds of secure websites.
The Good, the Bad and the Ugly:
Nunnikhoven says not all sites using OpenSSL are vulnerable to Heartbleed, since only certain versions of the code are affected. Security and analysis firm Netcraft estimates only 17.5 per cent of sites are currently exposed to the bug. Still, that amounts to at least half a million security certificates issued by some of the web's heaviest hitters, including Twitter, Yahoo, Tumblr, Dropbox and some international banks. Worst of all, the bug, although only recently discovered and made public, has existed for at least two years.
"When everybody hears about it, you can kind of assume that the really bad guys probably already know about it and have known about it for a little while," said Nunnikhoven.
Nunnikhoven says there's no foolproof way to know whether your information has been exposed, adding the onus falls on individual companies to disclose whether or not their data has been compromised. Some, like Yahoo, have been transparent about the fact that their information was vulnerable and have outlined the steps they're taking to plug the security hole. Others have been mum on what impact Heartbleed may have on their users. Nunnikhoven urges web users to check in with websites regularly for updates on Heartbleed exposures and fixes. He says patches are widely available and should be implemented in the next few days.
How to protect yourself?
Nunnikhoven says the best course of action is to change your passwords, but only once sites have clearly indicated that they're not at risk from Heartbleed. He says such indications could come from email communications or statements clearly posted on company websites.
"As a user I would look for that type of information, and if it's not there I would either decide, 'I don't want to use this service today, I'll wait till they put it there,' or decide it's worth the risk. Most of the time, it's not."
The Canadian story:
One piece of good news is that Canadian banks appear to have dodged the bullet. A statement from the Canadian Bankers Association says "The online banking applications of Canadian banks have not been affected by the Heartbleed bug." The Canada Revenue Agency has temporarily shut down its website as a precautionary measure, though Nunnikhoven says there's no indication that data has actually been compromised.