Internet is full of discussions about the latest security bug named Heartbleed. Many users describe their worries on forums, in blogs or social networks - let’s analyze what Heartbleed is and how dangerous it is.
On 8th of April security researchers announced a security bug in a popular data encryption format OpenSSL. This flaw gives the hackers a possibility to steal huge amount of data from the services that we use every day and think that our connection is secure.
This security problem seems to exist since several years and we not even knew about the potential danger. The Heartbleed is not just a simple software bug, it’s more a technical bug generated through machines that transfer information between a server and a user.
What is the Heartbleed bug about?
The majority of sites use OpenSSL as encryption system for secure data transfer. You can check the connection if it is secured or not by the URL: if it starts with HTTP:// then you are on secured channel. The main sense is encrypting of data is to make transferred information nonsense to anyone and the intended to the receiver only.
Once two computer machines - you as user and a server of a service - communicate with each they make sure that connection is established without interruptions and without any third-party that could get a look into sent information. Both communicators send each other a small data package that requires a response from the other side. This package is called as Heartbeat.
The researchers found a flaw in OpenSSL system that would make it possible to send fakes Heartbeat data package to trick the recipient. The computer would then answer with a command and provide all demanded information to the fake person. In this way hackers can get many personal details of the users and use them against them.
The first reporters of the Heartbleed were Google’s security team and security firm Codenomicon. The researchers reported that the flaw exists since about two years and it was undercover all the time.
How bad is Heartbleed?
There is only one answer to this question: it’s really bad. Web servers keep huge amount of different information like username and password for sites, credit card numbers, personal addresses and much more. Hackers became a possibility to get encryption keys and fake the secured connection between a computer and a web server. In this way it’s possible to monitor every single internet user and to steal his personal information.
Hackers get full control over the connection. They can also intercept encrypted connection and continue without SSL. In other words all customers are not safe in this situation.
Am I affected and what to do to protect myself?
The probability that you was affected directly or indirectly is very high. OpenSSL is the most popular security system to encrypt the Internet traffic: social sites, online shops, commercial sites, software sites - all they might us OpenSSL. Some researches show that about 60-70% of all sites work with SSL technology.
Please consider that if you are affected then all your personal information can be already saved in wrong hands, also if nothing happened till today. The best way to protect yourself is to change your online passwords, especially services that store your credit card and personal information. It can take time till all online services upgrade their software with newest update.
Once the bug was reported to the publicity the bug was already fixed. In other words, the problem is already solved and companies only need to update the encryption system.
What it means for Usenet?
The majority of Usenet users download files through SSL encryption to protect their privacy against sharing of data with third-parties. In most cases we speak about people who download copyright protected files and do not wish that their personal details will be shared with anti-piracy companies. Heartbleed is a flaw that can be used by hackers to steal information that can be used to make profit - I don’t think that download logs would make them rich.
What is more a problem is the payment method. All payment gateways run through SSL and if you pay for a premium account with a credit card then you are maybe affected.
This topic underlines the importance of using of anonymous payment methods like Paysafecard or Bitcoin.