How worried should you really be about the Heartbleed bug?

Heartbleed, a bug within OpenSSL, is making headlines this week, and while it might seem like a rather technical issue, it has some real-world ramifications that could impact the online services you use every day. Even worse, there's really no way to tell what malicious activity has occurred thanks to Heartbleed.

Heartbleed is a vulnerability in OpenSSL, the widely used open source library that implements the SSL/TLS encryption behind "https" connections. It's so named because it affects the heartbeat extension, a way for each end of a connection to confirm the other end is still there. An attacker sends a heartbeat request that claims to be larger than it really is, and a vulnerable server answers with that many bytes from its own memory, which can include data it was never meant to hand out.
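To make the mechanism concrete, here is an added example written for this article (it is not the article's own code, nor OpenSSL's). It simulates a server's memory as a flat byte array, with a constructed secret placed just behind the received heartbeat record, and runs one malformed record through a handler that trusts the record's own length field and through a handler that checks that length against the number of bytes that actually arrived. All names (`heartbeat_vulnerable`, `heartbeat_fixed`, `demo`) and the record layout are simplifications assumed for illustration; a real heartbeat record also carries a type byte and padding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   128  /* constructed "server memory" */
#define RECORD_MAX 64   /* region that holds the received heartbeat record */

/* Constructed secret that sits in memory right behind the record, standing in
 * for a password, session cookie or key fragment that a real server keeps
 * nearby on the heap. */
static const char SECRET[] = "SECRET:constructed-session-cookie";

/* Lay out the simulated memory: received record at the front, secret behind it. */
static void build_memory(unsigned char mem[MEM_SIZE], const unsigned char *rec, size_t rec_len) {
    memset(mem, 0, MEM_SIZE);
    memcpy(mem, rec, rec_len);
    memcpy(mem + RECORD_MAX, SECRET, sizeof SECRET);
}

/* The record starts with a 2-byte big-endian payload length chosen by the peer. */
static size_t claimed_len(const unsigned char *rec) {
    return ((size_t)rec[0] << 8) | rec[1];
}

/* Vulnerable echo: copies as many bytes as the peer *claims*, never checking
 * that number against how many bytes actually arrived (rec_len). */
size_t heartbeat_vulnerable(const unsigned char *mem, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    size_t n = claimed_len(mem);
    (void)rec_len;                 /* bug: the real record length is ignored */
    if (n > out_cap) n = out_cap;  /* only protects the output buffer */
    memcpy(out, mem + 2, n);       /* reads past the record into adjacent memory */
    return n;
}

/* Fixed echo: a claimed length larger than the data received is rejected,
 * and the request is silently dropped, as the OpenSSL patch does. */
size_t heartbeat_fixed(const unsigned char *mem, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 2) return 0;           /* no room for a length field at all */
    size_t n = claimed_len(mem);
    if (n + 2 > rec_len) return 0;       /* claims more than arrived: discard */
    if (n > out_cap) return 0;
    memcpy(out, mem + 2, n);
    return n;
}

/* Returns 1 if the echoed bytes contain the constructed secret. */
int leaks_secret(const unsigned char *out, size_t n) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; n >= slen && i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Malformed record: length field says 100 bytes, only 4 payload bytes follow.
 * Returns 1 when the vulnerable handler leaks the secret and the fixed
 * handler returns nothing. */
int demo_malformed(void) {
    const unsigned char rec[] = {0x00, 0x64, 'p', 'i', 'n', 'g'};
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    build_memory(mem, rec, sizeof rec);
    size_t nv = heartbeat_vulnerable(mem, sizeof rec, out, MEM_SIZE - 2);
    int leaked = leaks_secret(out, nv);
    size_t nf = heartbeat_fixed(mem, sizeof rec, out, MEM_SIZE - 2);
    return leaked && nf == 0;
}

/* Well-formed record: length field 4, four payload bytes. The fixed handler
 * must still echo it, returning 4. */
size_t demo_benign(void) {
    const unsigned char rec[] = {0x00, 0x04, 'p', 'i', 'n', 'g'};
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    build_memory(mem, rec, sizeof rec);
    return heartbeat_fixed(mem, sizeof rec, out, MEM_SIZE - 2);
}

int main(void) {
    printf("malformed record: vulnerable leaks, fixed drops = %d\n", demo_malformed());
    printf("benign record: fixed echoes %zu bytes\n", demo_benign());
    return 0;
}
```

The whole defect is the single missing comparison between the length the peer claims and the length the server actually received; once that check is in place the malformed request is dropped and the well-formed one still works, which is why the fix shipped as a small patch.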

No matter how secure you think your information is, it's not. The same goes for passwords, even if they're 16 characters long and filled with a nonsensical mix of symbols and numbers. Malware analyst Mark Loman demonstrated that some Yahoo Mail passwords are easily viewed in plain text as a result of Heartbleed.

If you're a security expert, then you're already on the case. But if you're just a regular Internet user like the rest of us, you undoubtedly have a few questions, which we'll answer here.

What sort of applications does Heartbleed affect? Web, email, instant messaging, and virtual private networks. So pretty much everything you use online on a regular basis.

How many servers are vulnerable because of Heartbleed? Experts estimate that about two-thirds of the world's servers are affected.

Who discovered Heartbleed? Researchers from security testing and software company Codenomicon and Google.

How long has this been going on? The vulnerability was in the OpenSSL code released in March 2012.

Should I be concerned? Yes. Information you believed to be secure might not be, and it's possible that it might have been obtained by scammers.

How can I tell if I've been affected? Because your information stretches across such a vast array of sites and applications, there's really no way to tell. A Heartbleed request looks like ordinary traffic to the server, so nothing in its logs distinguishes an attack from real use. If you want to know which specific sites have the Heartbleed bug, LastPass has a tool where you can type in specific URLs and see if they are on the list. There's also a list on GitHub which details the sites that are reportedly affected by Heartbleed.

What can I do? There's not much you can do except change your passwords, but unless the affected sites have rolled out the available fix, that might not do the trick: a password changed on a still-vulnerable server can be exposed again. The best you can do is wait for affected sites to install the fix, then change your passwords, while monitoring your accounts for unusual activity. Frequently changing your passwords is a good idea no matter what.

For more, check out our guide to making up very strong passwords, and our closer look at the best password managers.