Massive Security Flaw Picks The Padlock On Much Of The Internet
A serious bug has been discovered in one of the Internet's most popular encryption programs. The bug, introduced in 2012 and named "Heartbleed," allows an attacker the means to evade security and access credit card numbers or passwords supplied to companies online by users.
MELISSA BLOCK, HOST:
If you buy something or bank online, use Yahoo mail or Gmail, or if you sign into work remotely using a virtual private network, your communications may not be safe. A flaw in a widely-used encryption program called OpenSSL could expose much of the internet's encrypted traffic to eavesdropping. NPR's Steve Henn joins me now for more about how this bug was discovered and what it means for all of us. And Steve, the bug is called the "Heartbleed Bug" and it's affecting this encryption program, as we said, called OpenSSL. What's SSL?
STEVE HENN, BYLINE: Well, it stands for Secure Socket Layer. But people probably know this as that little padlock that appears next to a web address on a browser on a secure website. And it's one of the most widely used types of encryption on the internet - it's used by banks, it's used by Google for Gmail, Facebook, Yahoo and many, many Internet commerce sites that handle credit card information.
BLOCK: OK, and now they're talking about the Heartbleed Bug. So what's that?
HENN: Well, computers and web surfers that use OpenSSL to talk to each other can verify that they are still connected using something called the heartbeat. Basically, this is a short message that's really just supposed to say, hello, are you still there? But last week, researchers in Finland discovered that they could use these heartbeat messages to trick web servers into sending back the contents of the server's short-term memory or RAM. And that RAM could include things like usernames, passwords, credit card information, even the encryption keys for the site.
BLOCK: And this has been described as a catastrophic bug - what makes it so bad? Is it all those things you just mentioned?
HENN: Well, obviously losing passwords is bad, losing a credit card number is bad. But if you run a website, losing the encryption keys is even worse. It's like having a fancy car and leaving it on the street with the door open and the keys in the ignition. And this flaw in OpenSSL has been baked in for the past two years. So it's been out there for a while.
BLOCK: So if it's been out there for a while, why was it just now discovered?
HENN: Well, you know, this is an open-source software program. It has researchers going through it constantly. So even though they could trick a web server into sending back information, unencrypted information, it's not like it obviously was intended to do that. It's possible that other malicious actors or, say, the National Security Agency or other state security agencies could have discovered this flaw years ago and have been using it. But it wasn't inherently obvious to anyone who was poking around.
BLOCK: How many sites are affected by this, Steve?
HENN: Well, lots and lots of sites. I mean, OpenSSL is a free software program. And so many websites like Facebook and Google, Yahoo and many banking sites have adopted it. The assumption was because it was open source and everyone could look at the code that it would be safer, that problems like this would have been caught sooner. So it's a pretty dramatic moment when a widely used open source program like this has such a large security flaw.
BLOCK: So Steve, what can consumers do?
HENN: Well, Intella website has actually fixed this problem in their encryption program. There's not much you can do. But within the next couple of days, that should be taken care of by reputable sites all over the world. Then, unfortunately, I think it would make a lot of sense for you to go back and change your password. This kind of attack doesn't leave a lot of fingerprints, so people that run sites may not know if they've been victimized. And unfortunately, the best thing you can do to make sure you're safe is to change how you log in.
BLOCK: OK, NPR's Steve Henn reporting on the so-called Heartbleed Bug. It's a newly discovered security flaw that could expose encrypted data on much of the internet. Steve, thanks.
HENN: My pleasure.
Transcript provided by NPR, Copyright NPR.