Facts about the Heartbleed computer bug

By: The Canadian Press

Apr 10, 2014 - 10:56 AM
The Heartbleed computer bug is a flaw in a widely used security technology known as OpenSSL. File photo.


Are you curious if the Heartbleed bug has compromised your favourite websites, online banking or email accounts?

SSL Labs has made a website available where you can enter the address of the site you want to check, and SSL Labs will let you know if it’s been compromised.

Visit the SSL site here.

To learn more about the Heartbleed bug, read on.

The Heartbleed computer bug has implications well beyond information technology circles. But how serious is the risk? Who and what is affected? Here are five key things to know about Heartbleed:

What is Heartbleed?

It's a flaw in a widely used security technology known as OpenSSL. Sites using SSL commonly begin with HTTPS and feature a padlock icon to let users know information is being encrypted. Data potentially exposed by the programming flaw includes usernames, passwords, photos and credit card details. According to Mark Nunnikhoven, vice-president of Cloud and Emerging Technologies at security firm Trend Micro, OpenSSL is the most commonly used security protocol and is in place on roughly two-thirds of secure websites.

The Good, the Bad and the Ugly:

Nunnikhoven says not all sites using OpenSSL are vulnerable to Heartbleed, since only certain versions of the code are impacted. Security and analysis firm Netcraft estimates only 17.5 per cent of sites are currently exposed to the bug. Still, that amounts to at least half a million security certificates issued by some of the web's heaviest hitters. These include Twitter, Yahoo, Tumblr, Dropbox and some international banks. Worst of all is that the bug, although only just recently discovered and made public, has been in existence for at least two years.

"When everybody hears about it, you can kind of assume that the really bad guys probably already know about it and have known about it for a little while," said Nunnikhoven.

Who's affected?

Nunnikhoven says there's no foolproof way to know whether your information has been exposed, adding the onus falls on individual companies to disclose whether or not their data has been compromised. Some, like Yahoo, have been transparent about the fact that their information was vulnerable and have outlined the steps they're taking to plug the security hole. Others have been mum on what impact Heartbleed may have on their users. Nunnikhoven urges web users to check in with websites regularly for updates on Heartbleed exposures and fixes. He says patches are widely available and should be implemented in the next few days.

How to protect yourself?

Nunnikhoven says the best course of action is to change your passwords, but only once sites have clearly indicated that they're not at risk from Heartbleed. He says such indications could come from email communications or statements clearly posted on company websites.

"As a user I would look for that type of information, and if it's not there I would either decide, 'I don't want to use this service today, I'll wait till they put it there,' or decide it's worth the risk. Most of the time, it's not."

The Canadian story:

One piece of good news is that Canadian banks appear to have dodged the bullet. A statement from the Canadian Bankers Association says "The online banking applications of Canadian banks have not been affected by the Heartbleed bug." The Canada Revenue Agency has temporarily shut down its website as a precautionary measure, though Nunnikhoven says there's no indication that data has actually been compromised.
