Security holes are par for the course on the web today, but a new, massive bug dubbed "Heartbleed" is particularly nasty, and widespread: Experts say that two-thirds of websites and probably everyone that’s used the internet in the last two years could be affected.
The irony is, those who have put the most effort into privacy and security are the most vulnerable.
The bug affects the popular cryptographic software OpenSSL, a mainstay of web encryption. Heartbleed makes it possible for anyone to eavesdrop on encrypted sites and access the sensitive data they’re supposed to be protecting, all without leaving any trace on the site’s server. Even worse, attackers can also retrieve cryptographic keys and passwords and use that info to decrypt any past or future web traffic.
The bug was introduced in the 1.0.1 version of OpenSSL in 2012, which means that for two years attackers exploiting the bug could have exposed VPNs and anonymity services, revealing users’ emails, instant messages, and browsing activity. And there's no way to know who was compromised.
The sites and web users most at risk are the ones who took precautions to hide their tracks. The lion's share of websites that use the HTTPS secure communications protocol run OpenSSL, as do many sites specifically designed to hide users' identity, including the Tor onion network.
The Tor Project wrote in a blog post yesterday that its clients, relays, and hidden services were all vulnerable to the Heartbleed bug. In theory, anyone that had been using Tor—be it to buy drugs on the black market or protect themselves from oppressive governments or anything in between—may have had their activity monitored and encryption keys stolen.
"If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle," the Tor Project wrote.
The bug's reach goes far beyond the clandestine corners of the web. A recent survey from the internet security firm Netcraft showed that 66 percent of websites run on the open source web servers Apache and Nginx, which use OpenSSL by default. So do many operating systems and applications, including Ubuntu, CentOS, Fedora, OpenBSD, FreeBSD, and OpenSUSE, Ars Technica reported.
The researchers who discovered Heartbleed, from Google and the security firm Codenomicon, wrote yesterday that large consumer sites are often using older, uncompromised versions of OpenSSL, and so "ironically, smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most."
A couple of tools and tip sheets are now floating around that let you test to see which websites are vulnerable to Heartbleed (the technical name is CVE-2014-0160). Of the Silicon Valley web giants, one such test showed Google, Microsoft, Twitter, Facebook, and Dropbox were safe, but Yahoo was vulnerable—though it's worth noting there’s no knowing for sure how accurate that data is.
Image: filippo.io Heartbleed test
"Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously," researchers wrote.
A reportedly fixed version of OpenSSL was released yesterday and security experts recommended that all sites using the software upgrade to the new version. To be super safe, they also suggest changing any passwords and crypto keys used over the last two years and updating your security certificate. Or, if you’re really worried, you can take the Tor Project’s advice and get off the web altogether for a while. It might be a good time to pick up that novel you’ve been meaning to finish.
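The fix itself is a single bounds check: the heartbeat handler in OpenSSL 1.0.1 through 1.0.1f copied as many bytes as the sender's length field claimed, without comparing that claim to the size of the record it had actually received. The following is an added illustration, not OpenSSL's own code, of a heartbeat handler (RFC 6520 message layout) that performs the check the patched version adds; the helper names are invented for the example.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload
HEADER_LEN = 3    # 1-byte type + 2-byte big-endian payload_length


def build_heartbeat(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Encode a HeartbeatMessage. declared_length lets a caller state a
    payload size that does not match the bytes actually sent, which is
    exactly the mismatch the vulnerable code never checked for."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat(record: bytes) -> Optional[bytes]:
    """Process one heartbeat request the way the fixed OpenSSL does: trust the
    declared payload length only after checking it against the record that was
    actually received. Returns the response message, or None when the request is
    malformed and must be dropped silently (the RFC 6520 behaviour)."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None  # cannot even hold the header plus mandatory padding
    msg_type, declared = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    # This is the check the vulnerable versions lacked. Without it the declared
    # length became the size of the copy into the reply, so the reply carried
    # whatever followed the short request in process memory: session keys,
    # passwords, other users' traffic. Here the request is simply discarded.
    if HEADER_LEN + declared + MIN_PADDING > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + declared]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, declared) + payload + b"\x00" * MIN_PADDING
```

A request whose length field matches its payload gets an echo back; one that claims more bytes than it carries (constructed in the test with `declared_length`) is dropped rather than answered from memory.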