‘Heartbleed’ bug could undermine public trust in web

The "Heartbleed" software flaw that triggered alarm bells around the world could fundamentally undermine two decades' worth of efforts to persuade consumers they could trust the Web to securely handle such tasks as buying a pair of shoes and applying for a job.

The discovery of a gaping hole in a piece of software that was supposed to protect personal information from hackers left websites rushing to fix the bug while consumers struggled to understand what kind of risks they suddenly faced by venturing online.

That angst intensified, in part, because no one knows for sure just how much damage the Heartbleed bug had caused, or how widely hackers had managed to exploit it. Security researchers fear that it could take years to repair not just the bugs but also the trust of users.

"This is very bad, and the consequences are very scary now that it has been disclosed," said Phil Lieberman, president of Los Angeles security management firm Lieberman Software. "The fact that this code is on home and commercial Internet-connected devices on a global scale means that the Internet is a different place today."

Heartbleed is a flaw that was found in OpenSSL, an open-source library that implements the SSL/TLS encryption used by about two-thirds of the servers on the public Internet. For most people, the technology shows up as a tiny green padlock icon next to the address field in a Web browser. It is supposed to signify that the connection is encrypted, so that a password or credit card number typed into the website cannot be read in transit.

But the bug lets anyone with the most basic of skills and a simple piece of software read chunks of a vulnerable server's memory in just a few minutes, and that memory can contain users' IDs and passwords, their session cookies and even the server's private encryption key. Word of the flaw burst into widespread public view Tuesday when Tumblr, which is owned by Yahoo Inc., disclosed that it had been affected and urged users to change their passwords.

In fact, the flaw was discovered several weeks ago by Neel Mehta, a security researcher at Google Inc., and independently by a team of security engineers at Codenomicon, a Finnish security firm that has since set up a website with information about Heartbleed.

According to a person familiar with the details, Google immediately patched its own sites and began notifying partners and the open-source community about the problem. In the meantime, two Google developers, Adam Langley and Bodo Moeller, helped develop the fix that was released Monday as OpenSSL 1.0.1g.

It appears the bug was introduced into OpenSSL by a simple programming mistake, a missing bounds check in the code that handles the TLS "heartbeat" extension, which then spread as websites around the world updated to the affected versions of OpenSSL. The security hole had existed for at least two years, security experts said.
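To make that programming mistake concrete, here is a simplified model of a heartbeat handler, written for this page as an added example. It is not OpenSSL's code: the record layout, the in-memory arena that stands in for the server's heap, the constructed secret string and all function names are assumptions of the model. The vulnerable handler trusts the length field the client supplies; the fixed handler carries the kind of check that OpenSSL 1.0.1g added, discarding any request whose claimed length does not fit inside the bytes actually received.

```c
/* Added example modelling the Heartbleed bounds-check bug. Not OpenSSL code:
   the layout, arena and names below are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
/* Simulated process memory, sized so that any 16-bit claimed length still
   lands inside it: the over-read is observable without undefined behaviour. */
#define ARENA_SIZE  (1 + 2 + 65535 + HB_PADDING + 64)
/* Constructed stand-in for sensitive data that happens to sit near the record. */
#define SECRET "CONSTRUCTED-PRIVATE-KEY"

static unsigned char arena[ARENA_SIZE];

/* Lay out a heartbeat request in the arena: type(1) | length(2, big-endian) |
   payload | padding. claimed_len is what the peer writes in the length field;
   the return value is how many bytes were really received. */
size_t build_record(uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload);
    size_t record_len = 1 + 2 + plen + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    memcpy(arena + record_len + 8, SECRET, strlen(SECRET)); /* neighbouring data */
    return record_len;
}

/* Vulnerable shape: the length field is trusted and never compared with the
   number of bytes actually received. Returns the reply length written to out. */
size_t heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_cap)
{
    (void)record_len;                        /* the bug: this is never consulted */
    const unsigned char *p = arena;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;                            /* caller's buffer, not a protocol check */
    out[0] = HB_RESPONSE;
    out[1] = p[1], out[2] = p[2];
    memcpy(out + 3, p + 3, payload);         /* over-reads when payload > bytes received */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed shape: drop the message unless header, claimed payload and padding all
   fit inside the bytes that actually arrived. */
size_t heartbeat_fixed(size_t record_len, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = arena;
    if (1 + 2 + HB_PADDING > record_len)
        return 0;                            /* too short to even hold a length */
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > record_len || resp_len > out_cap)
        return 0;                            /* silently discard the request */
    out[0] = HB_RESPONSE;
    out[1] = p[1], out[2] = p[2];
    memcpy(out + 3, p + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Does buf[0..len) contain the bytes of needle? */
int response_contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Scenario: a 4-byte "ping" whose length field claims claimed_len bytes.
   Returns 1 if the vulnerable handler's reply carries the neighbouring secret. */
int vulnerable_leaks(uint16_t claimed_len)
{
    static unsigned char out[ARENA_SIZE];
    size_t n = heartbeat_vulnerable(build_record(claimed_len, "ping"), out, sizeof out);
    return response_contains(out, n, SECRET);
}

/* Same scenario against the fixed handler: reply length, 0 meaning dropped. */
size_t fixed_reply_len(uint16_t claimed_len)
{
    static unsigned char out[ARENA_SIZE];
    return heartbeat_fixed(build_record(claimed_len, "ping"), out, sizeof out);
}

int main(void)
{
    printf("vulnerable, claimed 4000: leaks secret = %d\n", vulnerable_leaks(4000));
    printf("fixed,      claimed 4000: reply bytes = %zu\n", fixed_reply_len(4000));
    printf("fixed,      claimed 4:    reply bytes = %zu\n", fixed_reply_len(4));
    return 0;
}
```

A client that sends a 4-byte payload while claiming 4,000 gets back 4,000 bytes of whatever lay next to its request in memory, here the constructed secret; the fixed handler drops that request and answers only the honest one, whose claimed length matches what arrived.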

In addition to updating OpenSSL, websites will need to replace their private keys and reissue the certificates that prove a site's identity to users' browsers, because an attacker who exploited the bug may have read the old keys out of the server's memory. Users, for their part, gain little from changing a password until the site they use has been patched and its certificate replaced.
