Canada Markets closed

Heartbleed web security bug: What you need to know

Bloomberg: NSA used Heartbleed exploit for 'years' without alerting affected websites, the public (update: NSA response)

Your passwords and financial information may have been exposed by a security bug in code used by two-thirds of "secure" websites on the internet, including the Canada Revenue Agency and Yahoo. Here's what you need to know.

Heartbleed is a security bug or programming error in popular versions of OpenSSL, software code that encrypts and protects the privacy of your password, banking information and other sensitive data you type into a "secure" website such as Canada Revenue Agency or Yahoo Mail. Such websites can be identified by the little "lock" icon on your browser.

Heartbleed is not a virus or malware, but could be exploited by malware and cybercriminals.

The vulnerability allows "anyone on the internet" to read the memory of the system protected by the bug-affected code. That way, they can get the keys needed to decode and read the data, according security researchers at the Finnish firm Codenomicon who discovered it.

The bug, named for the "heartbeat" part of the code that it affects, was independently discovered recently by Codenomicon and Google Security researcher Neel Mehta. The official name for the vulnerability is CVE-2014-0160.

The researchers have set up a website with more detailed information.

User names, passwords, instant messages, emails, business documents and business communications were all accessible during tests by the researchers.

"This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users," they wrote on an website with information about the bug.

Some websites using the code are the Canada Revenue Agency site, which was partially shut down Wednesday to deal with the security hole, just weeks before the Canadian tax deadline; and Yahoo services, including email, the Flickr photo site and the Tumblr blogging site. The company said most of its services had been secured by Tuesday afternoon.

According to Codenomicon, OpenSSL is the most popular open-source code used for encryption on the internet. The versions with the bug are used by more than two-thirds of active websites on the internet, as well as email and chat servers, virtual private networks and some hardware devices such as routers or storage servers. The code has been in use for more than two years.

However, many "large consumer sites" aren't affected because of their "conservative" choice of equipment and software.

"Ironically smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most," Codenomicon says.

Since a Google researcher co-discovered the bug, Google patched all its services before the vulnerability was widely publicized and the company says it has no evidence that the bug was exploited previously.

Late Wednesday, the Canadian Bankers' Association said there is no need for online banking customers to worry about their private information being stolen.

We don't know. Tests showed that eavesdropping via the bug left no trace.

To make matters worse, the bug-affected code has been used by internet services for more than two years.

"I don't think anyone that had been using this technology is in a position to definitively say they weren't compromised," David Chartier, CEO of Codenomicon, told The Associated Press.

Yes, but not by you.

A fixed version of OpenSSL was released on Monday, April 7. Websites and other services can be secured by using it or by disabling the affected part of the code. Then it needs to be incorporated into their software and the fixed software needs to be installed. That isn't always easy, especially for certain kinds of devices.

Ari Takanen, chief technology officer for Codenomicon, advises you to wait for an official statement from the internet services you use (indicating that they have fixed the bug) and follow their guidelines.

Typically, that will involve things like changing your password. That is something you may have to do across many —services you use.

However, steps like that are useless until the security hole has been fixed for the affected services.

"Changing before the service is patched could expose the new password," said a spokesperson for Google, who also noted that passwords do not need to be changed for Google services because of its early implementation of a bug fix. 

In the meantime, a number of sites have have been set up where you can check if the web services you're using are vulnerable, including this one, set up by Italian security researcher FilippoValsorda.

You might want to stay away from sites identified as "vulnerable" for now.

Security experts also recommend as a general rule that you use strong passwords that are different for different internet services and that you change them regularly.