Just like diamonds, Heartbleed is forever.
From the instant news of the Heartbleed bug hit the Internet earlier this month, system administrators scrambled to fix a hole in their security that could have allowed hackers to access their encrypted information for years. While most major websites patched their systems almost immediately, there’s a good chance many smaller sites may never take similar measures.
In other words, the vulnerabilities created by Heartbleed may plague the Internet for years to come. Maybe forever.
Independently identified by researchers at Google and online security firm Codenomicon only a few days apart, Heartbleed is a bug contained in approximately 10 lines of poorly written code in the open-source encryption tool OpenSSL. The bug, which was introduced in a 2012 update to OpenSSL, allows attackers to grab encrypted information as it passes between a website and its users. If employed repeatedly, someone could utilize Heartbleed to learn the private encryption key a website uses to keep its information safe. In that case, not only could a hacker gain access to every single piece of information sent to a site, but he or she could create fake versions of the site designed to steal users’ passwords or credit card numbers.
The worst part of it is that attacks that exploit Heartbleed are essentially undetectable, meaning there’s no way to tell if a website has been compromised.
As a result, it’s little surprise that a litany of sites moved as fast as they could to update their versions of OpenSSL to one patched with a fix. However, since up to two-thirds of the websites on the Internet use OpenSSL and were potentially vulnerable, it’s virtually guaranteed that some smaller sites (operations without the 24/7 security teams of companies like Google or Facebook) may take far longer to update their security—if they even do so at all.
“There are a lot of servers out there, so it’s guaranteed that some went unpatched,” Andrew Sudbury, chief technical officer of Boston-based online privacy company Abine, tells the Daily Dot.
Sudbury notes that the process for inoculating a site against Heartbleed isn’t particularly difficult—it’s just a matter of upgrading the software package, restarting everything, and then switching out potentially compromised private encryption keys for new ones. “It’s not that hard to do,” he said, “but it can take some time.”
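The three-step fix Sudbury describes (upgrade, restart, re-key) has two places where an administrator can quietly get it wrong: the upgraded package may still be a vulnerable version, and services that were not restarted keep running the old library in memory. The following script is an added example, not code from the article or from Abine, that checks both. It classifies an `openssl version` banner against the upstream version numbers that shipped the bug (1.0.1 through 1.0.1f and 1.0.2-beta1) and scans `/proc/<pid>/maps` for processes still holding a libssl or libcrypto file that was replaced on disk. The sample banners and map lines embedded in the script are constructed for illustration; the `SAMPLE_MAPS` data and the function names are this example's own.

```python
import os
import re
import subprocess

# Upstream OpenSSL 1.0.1 releases that contain the vulnerable heartbeat code.
# 1.0.1g (7 April 2014) is the first fixed release in that line.
VULNERABLE_101_LETTERS = ("", "a", "b", "c", "d", "e", "f")

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def classify_banner(banner: str) -> str:
    """Classify the output of `openssl version`.

    Returns "vulnerable", "fixed", "not-affected" or "unknown".
    Caveat: only upstream version numbers are understood. Distributions that
    backport the fix while keeping the old number (Debian, Red Hat, Ubuntu all
    did) will show as "vulnerable" here and must be checked against the
    package changelog instead.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"
    major, minor, patch, letter, beta = m.groups()
    version = (int(major), int(minor), int(patch))
    if version == (1, 0, 1):
        return "vulnerable" if letter in VULNERABLE_101_LETTERS else "fixed"
    if version == (1, 0, 2):
        # Only the first 1.0.2 beta carried the bug.
        return "vulnerable" if beta == "1" else "fixed"
    # 0.9.8 and 1.0.0 never had the heartbeat extension; later lines postdate the fix.
    return "not-affected"


def stale_libssl_pids(maps_by_pid: dict) -> list:
    """Return the pids whose mapped libssl/libcrypto file was replaced on disk.

    After a package upgrade the kernel marks the old, unlinked library as
    "(deleted)" in /proc/<pid>/maps; such a process is still running the
    pre-upgrade code and needs a restart before key rotation is meaningful.
    """
    stale = []
    for pid, maps in maps_by_pid.items():
        for line in maps.splitlines():
            if "(deleted)" in line and re.search(r"lib(ssl|crypto)\.so", line):
                stale.append(pid)
                break
    return sorted(stale)


def read_proc_maps() -> dict:
    """Collect /proc/<pid>/maps for every readable process (Linux only)."""
    result = {}
    if not os.path.isdir("/proc"):
        return result
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps") as fh:
                result[int(entry)] = fh.read()
        except OSError:
            continue  # process exited or we lack permission
    return result


# Constructed sample: pid 1234 still maps the deleted old libssl, pid 5678 is clean.
SAMPLE_MAPS = {
    1234: "7f1e0000-7f1e1000 r-xp 00000000 08:01 4242 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
          "7f1f0000-7f1f1000 r-xp 00000000 08:01 4243 /lib/x86_64-linux-gnu/libc.so.6\n",
    5678: "7f2e0000-7f2e1000 r-xp 00000000 08:01 4300 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0\n",
}


def main() -> None:
    try:
        banner = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=False).stdout
    except FileNotFoundError:
        banner = ""
    print("installed OpenSSL:", banner.strip() or "(not found)",
          "->", classify_banner(banner))
    print("processes still using a replaced libssl/libcrypto:",
          stale_libssl_pids(read_proc_maps()) or "none")


if __name__ == "__main__":
    main()
```

Run it on the server after the package upgrade: a "fixed" or "not-affected" banner plus an empty stale-process list is the state in which rotating the private keys actually closes the window. A non-empty list means the restart step was skipped for those services.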
He added that there’s a long history of hackers taking advantage of bugs long after they’ve been made public and patches have been released.
In a study of attacks conducted using the so-called Phf exploit to access supposedly secure Web servers during the mid-1990s, the number of attacks per month increased for a year after the bug was first identified and patched. In fact, system administrators were still reporting a high volume of incidents two years after the problem was reportedly fixed.
Additionally, Sudbury notes, the speed at which scripted attacks occur after a bug is first revealed has increased in recent years. Now that news of Heartbleed has been made public, it’s possible that attackers have set up automated programs to systematically probe website after website for vulnerability to Heartbleed. If there are any sites where Heartbleed can be used to gain access, there’s a good chance that some hacker will eventually find his or her way in.
Even if someone’s data is only compromised on a single site, and that site doesn’t contain particularly sensitive data like a credit card or Social Security number, that single weak link could end up doing serious damage—especially if someone employs a single password for everything. Armed with just one password and email address, it’s often possible for a dedicated attacker to gain access to a whole litany of different accounts.
Ironically, sites that have been extremely lax about patching their security tools are actually protected from Heartbleed. Since the bug was introduced in March of 2012, any site that hasn’t updated its software since then is technically safe.
While a successful Heartbleed attack is undetectable, that doesn’t mean there’s nothing users can do to protect themselves. There’s a website where people can check whether a site they’re using has patched itself against Heartbleed. There are also browser extensions for Firefox and Chrome that check a site’s protection against Heartbleed automatically.
Other ways for people to keep themselves safe against Heartbleed are to enable two-factor authentication whenever possible and to update all of their passwords, ensuring that those passwords are never reused and are as strong as possible.
Illustration by Fernando Alfonso III
Aaron Sankin is a former Senior Staff Writer at the Daily Dot who covered the intersection of politics, technology, online privacy, Twitter bots, and the role of dank memes in popular culture. He lives in Seattle, Washington. He joined the Center for Investigative Reporting in 2016.