Security experts warn there is little Internet users can do to protect themselves from the recently uncovered “Heartbleed” bug that exposes data to hackers, at least not until vulnerable websites take steps to secure their communications.
The Heartbleed bug in widely used web encryption technology known as OpenSSL affects software on servers that host websites. That software is not used on PCs or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.
“There is nothing users can do to fix their computers. They have to rely on the administrators of the websites they use,” Mikko Hypponen, chief research officer with security software maker F-Secure, told Reuters on Wednesday.
Representatives for Facebook Inc, Google and Yahoo Inc told Reuters that they use OpenSSL and have already taken steps to mitigate any impact on users.
The bug has the potential to affect the world’s biggest websites because OpenSSL is used on about two-thirds of all web servers and has gone unnoticed for about two years. It could lead to the theft of data, including passwords, confidential communications and credit card numbers.
“On a scale of 1 to 11, it’s about an 11,” cryptologist Bruce Schneier, chief technology officer of Co3 Systems Inc., said of the bug’s severity.
Google spokeswoman Dorothy Chou told Reuters: “We fixed this bug early and Google users do not need to change their passwords.”
Ty Rogers, a spokesman for online commerce giant Amazon.com Inc, said “Amazon.com is not affected.” He declined to elaborate.
CLEANING UP THE MESS
Schneier called on Internet firms to issue new certificates and keys for encrypting Internet traffic with Web browsers such as Firefox, Microsoft Corp’s Internet Explorer and Google Inc’s Chrome, which would render any stolen keys useless.
It will be time-consuming to replace certificates and keys, update OpenSSL software and notify users of their passwords, said Barrett Lyon, chief technology officer of cybersecurity firm Defense.Net Inc. “There’s going to be lots of chaotic mess,” he said.
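The clean-up Schneier and Lyon describe has two parts that are easy to get wrong: patching the OpenSSL build, and issuing certificates with genuinely new keys rather than re-signing the old key pair. The following script is an added example written for this article, not code from Reuters or from any of the companies quoted. It triages a constructed inventory of hosts: it parses the OpenSSL version banner against the affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g, a fact from the OpenSSL advisory rather than from the article), and it checks that the public-key fingerprint of the replacement certificate differs from the one served before the patch. The host names, banners and fingerprints are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Affected range per the OpenSSL advisory (not stated in the article):
# the 1.0.1 branch up to and including 1.0.1f; 1.0.1g carries the fix.
# Only the 1.0.1 line is modelled here; 1.0.0 and 0.9.8 were not affected.
VULNERABLE_BRANCH = (1, 0, 1)
LAST_VULNERABLE_LETTER = "f"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str):
    """Turn 'OpenSSL 1.0.1f 6 Jan 2014' into ((1, 0, 1), 'f'); None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def banner_is_vulnerable(banner: str):
    """True when the reported version lies in the affected range, None if unparseable.

    Caveat: distributions may backport the fix without changing the banner, so a
    True here means 'confirm against the package changelog', not proven exposure.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    branch, letter = parsed
    if branch != VULNERABLE_BRANCH:
        return False
    # '' (plain 1.0.1) through 'f' are affected; 'g' and later are not.
    return letter <= LAST_VULNERABLE_LETTER


@dataclass
class HostRecord:
    host: str
    banner: str
    old_key_fingerprint: str  # SHA-256 of the public key served before the patch
    new_key_fingerprint: str  # same for the certificate served now ('' if none yet)


def remediation_status(rec: HostRecord) -> str:
    """Classify one host. Order matters: patch first, then rotate keys."""
    vuln = banner_is_vulnerable(rec.banner)
    if vuln is None:
        return "unknown-version"
    if vuln:
        return "patch-openssl"
    if not rec.new_key_fingerprint:
        return "rekey-pending"
    if rec.new_key_fingerprint == rec.old_key_fingerprint:
        # A certificate re-signed over the old key leaves a possibly leaked
        # private key in service; this is the case the article warns about.
        return "reissued-same-key"
    return "remediated"


def triage(inventory):
    """Map each host to its remediation status."""
    return {rec.host: remediation_status(rec) for rec in inventory}


# Constructed sample inventory (hypothetical hosts and fingerprints).
SAMPLE_INVENTORY = [
    HostRecord("web-1.example.test", "OpenSSL 1.0.1e 11 Feb 2013", "aa11", "aa11"),
    HostRecord("web-2.example.test", "OpenSSL 1.0.1g 7 Apr 2014", "bb22", ""),
    HostRecord("web-3.example.test", "OpenSSL 1.0.1g 7 Apr 2014", "cc33", "cc33"),
    HostRecord("web-4.example.test", "OpenSSL 1.0.1g 7 Apr 2014", "dd44", "ee55"),
    HostRecord("legacy.example.test", "OpenSSL 0.9.8y 5 Feb 2013", "ff66", ""),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:24s} {status}")
```

The status strings are deliberately ordered: a host still running an affected build is reported as needing the patch even if it already has a new certificate, because a key generated on an unpatched server can leak again. The notification step the article mentions is left to the operator; the script only tells you which hosts have reached the point where telling users to change passwords is meaningful.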
GoDaddy, a major provider of SSL technology, said it does not charge for re-keying its certificates. Symantec, the biggest provider of such certificates, could not immediately be reached.
Hypponen said computer users could immediately change passwords on accounts, but they would have to do so again if their operators notify them that they are vulnerable.
“Take care of the passwords that are very important to you,” he said. “Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely.”
(Reporting by Jim Finkle; Additional reporting by Joseph Menn; Editing by Leslie Adler and Dan Grebler)