IndieCommerce Responds to Internet Security Vulnerability


By Josh Harding, ABA Systems Administrator

If you read tech blogs or hang around with people who do, you may have noticed quite a lot of animated discussion about bleeding hearts and obscure technical terms like encryption and SSL. All this talk is due to a recently disclosed flaw in OpenSSL, the software library that handles SSL encryption for a large share of the Internet's servers. The flaw has been dubbed Heartbleed because it sits in the part of the protocol known as the "heartbeat" extension, and the grim-sounding name is an appropriate moniker: Heartbleed is likely the most severe vulnerability ever discovered in basic Internet security, and the faulty code has been in OpenSSL since March 2012, when version 1.0.1 was released.

Essentially, every time you visit a website and see a reassuring closed padlock in the address bar, your communications are being protected by SSL encryption, which is supposed to ensure that what you send can be read only by you and the server on the other end of the connection. Every time you see that padlock, there is roughly a two-thirds chance that the connection is being secured with OpenSSL. Heartbleed makes it possible for evil-doers to send the server a malformed heartbeat request and read back up to 64 kilobytes of the server's memory each time, as often as they like. Those snippets could be terribly boring, or they could be someone's username and password, the contents of a form they just submitted, or even the server's own private encryption key.

Fortunately, by the time you read this, the crisis will have passed, at least for the American Booksellers Association and IndieCommerce. The vulnerability was revealed on April 7. ABA’s system administrators had patched all but one type of system by early afternoon on April 8. The final type of system, a group of servers known as load balancers, was patched on April 9 at 11:00 a.m., within 30 minutes of the vendor releasing a patch.
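The kind of check an administrator runs across a fleet during a patch window like the one described above, added here as an example (this is not code from the article, from ABA, or from the OpenSSL project): it classifies the text printed by `openssl version -a` on each host against the versions known to carry Heartbleed (1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2). The host names and command outputs below are constructed. One rule is a deliberate caveat: a vulnerable-looking version string on a build dated after April 7, 2014 is reported as "check_changelog" rather than "vulnerable", because Linux distributions backported the fix without changing the version letter, so only the package changelog can settle it.

```python
"""Heartbleed (CVE-2014-0160) triage from `openssl version -a` output.

Added example, not part of the original article. Sample outputs are constructed.
"""
import re
from datetime import date

# 1.0.1g and 1.0.2-beta2 were released with the fix on this date.
PATCH_DATE = date(2014, 4, 7)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
_MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
_BUILT_ON_RE = re.compile(
    r"built on:.*?\b(" + "|".join(_MONTHS) + r")\s+(\d{1,2})\b.*?\b(\d{4})\b")


def parse_version(text):
    """Return (major, minor, patch, letter, beta) or None if no version line is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    return (major, minor, patch, m.group(4), beta)


def parse_built_on(text):
    """Return the build date from the 'built on:' line, or None if it is absent."""
    m = _BUILT_ON_RE.search(text)
    if not m:
        return None
    return date(int(m.group(3)), _MONTHS.index(m.group(1)) + 1, int(m.group(2)))


def version_is_vulnerable(v):
    """True if this upstream version number shipped the heartbeat bug."""
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"      # 1.0.1 and 1.0.1a-f affected; 1.0.1g fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1         # only 1.0.2-beta1 affected
    return False                 # 0.9.8 and 1.0.0 never had the heartbeat code


def triage(version_a_output):
    """Classify one host from its `openssl version -a` text."""
    v = parse_version(version_a_output)
    if v is None:
        return "unknown"
    # Builds compiled with -DOPENSSL_NO_HEARTBEATS never had the extension at all.
    if "OPENSSL_NO_HEARTBEATS" in version_a_output:
        return "not_affected"
    affected_branch = (v[0], v[1], v[2]) in ((1, 0, 1), (1, 0, 2))
    if not version_is_vulnerable(v):
        return "fixed" if affected_branch else "not_affected"
    built = parse_built_on(version_a_output)
    if built is not None and built >= PATCH_DATE:
        # Version letter says vulnerable, but the package was rebuilt after
        # disclosure: distributions backported the fix, so read the changelog.
        return "check_changelog"
    return "vulnerable"


# Constructed sample outputs, one per hypothetical host.
SAMPLES = {
    "web-1": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Feb 11 15:20:33 UTC 2014\n"
             "platform: linux-x86_64\ncompiler: gcc -fPIC -DOPENSSL_PIC -O3",
    "web-2": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 22:15:04 UTC 2014\n"
             "platform: linux-x86_64\ncompiler: gcc -fPIC -DOPENSSL_PIC -O3",
    "lb-1": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Wed Apr  9 08:30:12 UTC 2014\n"
            "platform: linux-x86_64\ncompiler: gcc -fPIC -DOPENSSL_PIC -O2",
    "legacy": "OpenSSL 1.0.0k 5 Feb 2013\nbuilt on: Thu Feb  7 10:01:55 UTC 2013\n"
              "platform: linux-x86_64\ncompiler: gcc -fPIC -DOPENSSL_PIC -O3",
    "static": "OpenSSL 1.0.1f 6 Jan 2014\nbuilt on: Mon Jan  6 09:12:44 UTC 2014\n"
              "platform: linux-x86_64\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O2",
}

if __name__ == "__main__":
    for host, output in SAMPLES.items():
        print(f"{host:8s} {parse_version(output)}  ->  {triage(output)}")
```

In practice the output for each host is collected over SSH and fed to `triage`; the classification is a starting point, not a proof, since a "fixed" result says nothing about services that were started before the library was replaced and still hold the old code in memory. Those must be restarted, which is why a patch window like the one described above ends with a restart of every TLS-terminating process.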

The final step to mitigating this vulnerability is for ABA member booksellers to change their passwords, as there was a short time when secure communications might have been compromised. It's also advisable to change passwords for all important websites, such as financial institutions and e-mail providers. One caution: change a password only once the site in question has been patched, because a new password sent to a still-vulnerable server can be stolen just as easily as the old one.

Most large companies have already fixed their servers, but some less-populated areas of the Internet, where servers are less actively maintained, will likely remain vulnerable for quite some time. Because a Heartbleed attack leaves no trace in a server's ordinary logs, it's impossible to determine whether a given site has been attacked, and the full impact of Heartbleed will not be known for some time.