09 April 2014

HTTPS websites have not been/may not be secure

Troubling news from an AP article posted today in the StarTribune:
An alarming lapse in Internet security has exposed millions of passwords, credit card numbers and other sensitive bits of information to potential theft by computer hackers who may have been secretly exploiting the problem before its discovery.

The breakdown revealed this week affects the encryption technology that is supposed to protect online accounts for emails, instant messaging and a wide range of electronic commerce.

Security researchers who uncovered the threat, known as "Heartbleed," are particularly worried about the breach because it went undetected for more than two years...

"This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr said. "This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."
More at the link and undoubtedly at many other sites on the web today. Knowledgeable readers are encouraged to offer comments (or other relevant links).

Addendum: A hat tip to reader Mel V. for providing a link to a CNET article entitled "How to Protect Yourself from the 'Heartbleed' Bug."

7 comments:

  1. I wrote a long comment, but I'm not sure if it went through. Here's a very good article that sums up most of what I said anyway: http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/

    1. It's not in the spam trap or the "pending comments." Sometimes they show up later...

    2. The short version is that the nature of this bug is the kind of thing that makes security researchers curl up in the corner and cry. On a conceptual level, it's pretty scary. On a practical level, nothing much seems to have happened. For you, the average netizen, the fallout is pretty much the same as any other major security issue from the last few years. Keep an eye on your bank accounts, change your passwords on any websites that recommend that you do so, and carry on.

    3. Your extended comment still hasn't appeared and is not in the spam trap, but your link is quite good, so I've appended it to the post. Thank you.

  2. Why do you have a Heartbleed emblem on your website?

  3. I recommend this analysis from the renowned security/cryptography researcher Bruce Schneier:
    https://www.schneier.com/blog/archives/2014/04/heartbleed.html
    "Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

    https://www.schneier.com/blog/archives/2014/04/more_on_heartbl.html
    And we have a story where two anonymous sources have claimed that the NSA has been exploiting Heartbleed for two years.

    And of course, do not forget the xkcd comic:
    http://xkcd.com/1354/
