Play Live Radio
Next Up:
0:00
0:00
Available On Air Stations

What To Do Now That The Heartbleed Bug Exposed The Internet

The Heartbleed bug has exposed up to two-thirds of the Internet to a security vulnerability.
iStockphoto
The Heartbleed bug has exposed up to two-thirds of the Internet to a security vulnerability.

With a name like Heartbleed, it's no surprise it's bad. A vulnerability in OpenSSL — the Internet's most commonly used cryptographic library — has been bleeding out information, 64 kilobytes at a time, since March 2012.

"I would classify it as possibly the top bug that has hit the Internet that I've encountered, because of it being so widespread, because it's so hard to detect," says Andy Grant, a security analyst at iSEC Partners.

Are you affected? Well, users may not even realize they are using OpenSSL. But if you've ever noticed that websites you access show an "https" address, and a lock appears next to the address, you're on OpenSSL.

OpenSSL encrypts your data, including passwords and personal information, when it travels to a server. That means you may enter a password into your online banking site, but as the information for your transaction travels to your bank, it's jumbled up and made indecipherable — encrypted — as it's traveling through the Internet. This is supposed to keep hackers from eavesdropping.

Just before the bug was publicly disclosed, the people who maintain OpenSSL had fixed the vulnerability. But it's up to Internet companies to enter fixes for their own software — "swapping out" the cyberlocks that protected their data.

"You're probably protected from this point going forward," NPR's news applications developer Jeremy Bowers told member station WUNC on Wednesday. "The part that is dangerous is the [open vulnerability of the] previous two years and the possibility that at any point since 2012 that your [logins] for various places were compromised."

While individual users can't patch the holes, keep in mind some general Internet hygiene that we should be doing anyway.

  • Change your password every few months. Because so many of our transactions are conducted online, this is a good practice to have no matter what. But to be extra safe, use two-factor authentication, which typically means you need to know a piece of information — like a password — and have a piece of information, like a freshly generated pass code that shows up only on your personal smartphone, before getting into certain sites.
  • Be a little leery of public Wi-Fi networks. If you are hopping on the Wi-Fi at Starbucks and other public places, limit your Internet behavior to the things you wouldn't mind people being able to find out and transactions that aren't especially sensitive.
  • If you have VPN, use it. If your company or school offers a virtual private network, or VPN, connect that way. It's still fairly safe.
  • Don't freak out. Sites like Amazon, Google and other major Internet companies have already secured themselves and fixed the vulnerabilities disclosed this week.
  • Test to see which sites are vulnerable. LastPass has created a Web app that will tell you what kind of encryption a site uses, and when the encryption was last updated. Filippo Valsorda and SSL Labs have built a Web app that will test whether a site is still vulnerable to the Heartbleed bug. And Bluebox Security, a mobile security company, built an app that will scan your Android phone to test whether it uses vulnerable versions of OpenSSL, either in its operating system or in any of your apps.
  • Copyright 2021 NPR. To see more, visit https://www.npr.org.

    Elise Hu is a host-at-large based at NPR West in Culver City, Calif. Previously, she explored the future with her video series, Future You with Elise Hu, and served as the founding bureau chief and International Correspondent for NPR's Seoul office. She was based in Seoul for nearly four years, responsible for the network's coverage of both Koreas and Japan, and filed from a dozen countries across Asia.
    Steve Henn is NPR's technology correspondent based in Menlo Park, California, who is currently on assignment with Planet Money. An award winning journalist, he now covers the intersection of technology and modern life - exploring how digital innovations are changing the way we interact with people we love, the institutions we depend on and the world around us. In 2012 he came frighteningly close to crashing one of the first Tesla sedans ever made. He has taken a ride in a self-driving car, and flown a drone around Stanford's campus with a legal expert on privacy and robotics.