The internet is about to do the mother of all password resets, involving almost every server online and probably every user. Heartbleed is causing the kind of nightmares the millennium bug once did: that bug was expected to plunge cities into darkness, cause train wrecks, gut bank accounts and maybe trigger missile launches at midnight on New Year's Eve, 1999. Would it really have done all that? Maybe not, but it was imprudent to wait and find out, and the IT industry went into overdrive to patch the world's computers.
The Heartbleed bug can't wreak general havoc, but it's up close and personal. It won't crash air traffic control systems, but it can let attackers steal credentials for email, banking, commercial activities, subscriptions, social media, corporate VPNs, just about everything of value. Has anything actually been stolen? No one is sure yet, because the attack leaves nothing in ordinary server logs, but expect advisories from major internet firms telling users to change passwords for sensitive services once those services have been patched.
Heartbleed is a bug in the Heartbeat extension of the OpenSSL library, which handles the encryption for about two-thirds of the secure (TLS) traffic on the internet. A heartbeat is a small keep-alive message: the client sends a payload and a length field, and the server echoes the payload back. Vulnerable versions of OpenSSL trust the length field without checking it against the size of the message actually received, so an attacker who sends a few bytes but claims a length of 64 KB gets back up to 64 KB of whatever happens to sit next to the message in the server's memory: session cookies, passwords in transit, and, on an unlucky request, the server's private key. The attack leaves no trace in normal logs and can be repeated indefinitely. If a dump contains the server's private key, the doors to its encrypted traffic are opened, with one important qualification: sessions that used forward-secret key exchange (ephemeral Diffie-Hellman) cannot be decrypted afterwards even with the key, while sessions that used plain RSA key exchange can. Servers are being patched the world over, but patching alone only stops further bleeding. A server whose key may already have been taken needs a new private key, a reissued certificate and revocation of the old one; otherwise an attacker holding the old key can keep impersonating it. And security agencies and hacker groups have acquired the nasty habit of squirreling away internet traffic in terabytes, in case it comes in handy later. Keys stolen now can decrypt recorded non-forward-secret traffic all the way back to March 2012, when OpenSSL 1.0.1, the first faulty version, was released.
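To make the mechanism concrete, here is a constructed C simulation written for this article; it is not OpenSSL's code, though the vulnerable handler is modelled on the shape of `tls1_process_heartbeat()` in OpenSSL 1.0.1 before the 1.0.1g fix, and the fixed handler applies the same two bounds checks that patch added. The `arena` buffer, the fake "private key" string and the `probe()` helper are assumptions of the simulation that stand in for process memory, adjacent heap data and a network peer; all reads stay inside `arena`, so the program itself never reads memory it does not own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed simulation of the Heartbleed over-read (CVE-2014-0160).
 * `arena` stands in for a slice of the server's memory: the received
 * heartbeat record sits at its start and, as on a real heap, other live
 * data (here a fake private-key string) sits right after it.
 */
#define ARENA_SIZE 256
#define PADDING 16                      /* minimum heartbeat padding (RFC 6520) */
#define HB_REQUEST 1
#define HB_RESPONSE 2

static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

/* Lay out a heartbeat record at the start of `arena`:
 *   type(1) | payload_length(2, big-endian) | payload | padding(16)
 * `claimed_len` is whatever the sender writes in the length field;
 * `actual_payload` is what is really transmitted. Returns the record
 * length, i.e. what the TLS record layer (s->s3->rrec.length) reports. */
size_t build_heartbeat(uint8_t *arena, const char *actual_payload, uint16_t claimed_len) {
    size_t n = strlen(actual_payload);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, actual_payload, n);
    memset(arena + 3 + n, 0, PADDING);
    return 3 + n + PADDING;
}

/* Build the response as OpenSSL did: allocate 1+2+payload+padding bytes and
 * copy `payload` bytes from `pl`, wherever that happens to point. */
static uint8_t *build_response(const uint8_t *pl, unsigned payload, size_t *resp_len) {
    uint8_t *buffer = malloc(1 + 2 + payload + PADDING);
    uint8_t *bp = buffer;
    *bp++ = HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, pl, payload);            /* the over-read happens here */
    bp += payload;
    memset(bp, 0, PADDING);             /* real code fills this with RAND_pseudo_bytes */
    *resp_len = 1 + 2 + payload + PADDING;
    return buffer;
}

/* Vulnerable: trusts the length field and never looks at rec_len. */
uint8_t *heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, size_t *resp_len) {
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    unsigned payload = (unsigned)(p[0] << 8) | p[1];   /* n2s(p, payload) */
    p += 2;
    (void)rec_len;                                     /* the bug: never consulted */
    if (hbtype != HB_REQUEST) return NULL;
    return build_response(p, payload, resp_len);
}

/* Fixed (1.0.1g): discard any record whose claimed payload cannot fit in it. */
uint8_t *heartbeat_fixed(const uint8_t *rec, size_t rec_len, size_t *resp_len) {
    if (rec_len < 1 + 2 + PADDING) return NULL;        /* too short to hold a header */
    const uint8_t *p = rec;
    uint8_t hbtype = *p++;
    unsigned payload = (unsigned)(p[0] << 8) | p[1];
    p += 2;
    if (hbtype != HB_REQUEST) return NULL;
    if (1 + 2 + payload + PADDING > rec_len) return NULL;   /* silently discard */
    return build_response(p, payload, resp_len);
}

static int contains(const uint8_t *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

typedef uint8_t *(*hb_handler)(const uint8_t *, size_t, size_t *);

/* Send one request with a 2-byte real payload and the given claimed length.
 * Returns 1 if the secret leaked, 0 if not, -1 if the handler discarded it. */
int probe(hb_handler handler, uint16_t claimed_len) {
    uint8_t arena[ARENA_SIZE] = {0};
    if ((size_t)claimed_len + 3 > ARENA_SIZE) return -2;  /* keep the simulation in bounds */
    size_t rec_len = build_heartbeat(arena, "hi", claimed_len);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);       /* "adjacent" heap data */
    size_t resp_len = 0;
    uint8_t *resp = handler(arena, rec_len, &resp_len);
    if (!resp) return -1;
    int leaked = contains(resp, resp_len, SECRET);
    free(resp);
    return leaked;
}

int main(void) {
    printf("vulnerable, honest length 2:    %d\n", probe(heartbeat_vulnerable, 2));
    printf("vulnerable, claimed length 200: %d\n", probe(heartbeat_vulnerable, 200));
    printf("fixed, claimed length 200:      %d\n", probe(heartbeat_fixed, 200));
    printf("fixed, honest length 2:         %d\n", probe(heartbeat_fixed, 2));
    return 0;
}
```

The honest request is answered identically by both handlers, which is why the bug sat unnoticed for two years: nothing about normal traffic exercises the missing check. Only the lying length field separates them, and the fix is two comparisons against the length the record layer already knew.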
Besides, OpenSSL is not restricted to servers. It is ubiquitous, and the bug works in both directions: a vulnerable client that connects to a malicious server can be bled just as a vulnerable server can. It's even embedded in home routers and other devices, which no one is going to patch, and which can still be coaxed into revealing your secrets.