This week it has emerged that a major security flaw at the heart of the internet may have been exposing users’ personal information and passwords to hackers for the past two years.
It is not known how widely the bug has been exploited, if at all, but what is clear is that it is one of the biggest security issues to have faced the internet to date.
Security expert Bruce Schneier described it as “catastrophic”. He said: “On the scale of one to 10, this is an 11.”
The BBC has attempted to round up everything you need to know about Heartbleed.
What is the Heartbleed bug?
The bug exists in a piece of open source software called OpenSSL which is designed to encrypt communications between a user’s computer and a web server, a sort of secret handshake at the beginning of a secure conversation.
It was dubbed Heartbleed because it affects an extension to SSL (Secure Sockets Layer) which engineers dubbed Heartbeat.
It is one of the most widely used encryption tools on the internet, believed to be deployed by roughly two-thirds of all websites. If you see a little padlock symbol in your browser then it is likely that you are using SSL.
Half a million sites are thought to have been affected.
In his blog, chief technology officer of Co3 Systems Bruce Schneier said: “The Heartbleed bug allows anyone to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the name and passwords of the users and the actual content.”
“This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users,” he added.
The bug is so serious that it has its own website, Heartbleed.com, which outlines all aspects of the problem.
Do I need to change my passwords?
Some security experts are saying that it would be prudent to do so, although there is a degree of confusion as to when, and if, this needs to be done.
Many of the large technology firms including Facebook and Google have patched the vulnerability.
Confusingly, though, Google spokeswoman Dorothy Chou specifically said: “Google users do not need to change their passwords.” A source at the firm told the BBC that it patched the vulnerability ahead of the exploit being made public and did not believe that it had been widely used by hackers.
Some point out that there will be plenty of smaller sites that haven’t yet dealt with the issue, and on these a password reset could do more harm than good, revealing both the old and the new password to any would-be attacker.
But now that the bug is widely known, even smaller sites will issue patches soon, so most people should probably start thinking about resetting their passwords.
“Some time over the next 48 hours would seem like sensible timing,” the University of Surrey’s computer scientist Prof Alan Woodward told the BBC.
Mikko Hypponen of security firm F-Secure issued similar advice: “Take care of the passwords that are very important to you. Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely.”
How do I make sure my password is robust?