Heartbleed is a security bug in OpenSSL, a prominent implementation of SSL used to secure Internet connections on many websites. While information was being sent, personal information, including credit card payment details, could sometimes be leaked. The bug was first reported to the public on April 7, 2014, alongside a fixed version of OpenSSL.
When you use HTTPS instead of HTTP, you are telling the browser to encrypt communication between yourself and the server. Heartbleed is a bug that could allow others with the proper knowledge to read data sent over connections secured with OpenSSL. Any information transmitted this way, including passwords and credit card numbers, could be up for grabs for a person with the right ability.
This bug has caused widespread fear about using the Internet, with many people changing their passwords and some even staying off the Internet completely for a while.
“Nothing has really changed for me,” said student Tom Czerminski, a junior. “There is no real point in changing anything at the moment because they already have the information; they would need to update the servers and fix the bug completely.”
It has been estimated that over half a million sites using OpenSSL were vulnerable to the attack. Some have even argued that it is the worst vulnerability found, in terms of potential impact, since commercial traffic on the Internet arose.
“I saw it on the news when it first hit. I haven’t had to change anything, though,” said Russel Rose, a junior.
Many students, while they have heard of it, have not had to change most, if any, of their own passwords. Many media sources suggested changing passwords or staying off the Internet until the fiasco “blows over”; however, changing passwords could cause more harm than good. When new passwords are created, many users write them down or store them on their own computers, which could be a bad idea if they are not properly encrypted and secured, or they use passwords similar to those on another vulnerable site. If a site has not yet applied the patch, changing the password would be useless, as the information would still be accessible. The other option, staying away from the Internet altogether, is ridiculous because the information is already out, and further use cannot change the fact that it may be in danger.
In an article published shortly after the bug was reported, Bloomberg News claimed that the NSA had known about the bug since shortly after its introduction. This claim has been denied by many, including the NSA itself and Richard A. Clarke, the former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism for the United States, who also served as an adviser on a panel that reviewed the United States’ electronic surveillance policy.