Encryption Flaw Puts Internet Security At Risk

If you bank online or sign into work remotely using a virtual private network, your data may not be safe. A flaw in the encryption program OpenSSL could expose much of the encrypted traffic.

Copyright © 2014 NPR. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.

DAVID GREENE, HOST:

And now here's some frightening news for people who spend a lot of time on the Internet. If you bank or buy things online, if you use Yahoo or Gmail, if you sign into work remotely using a virtual private network, your communications might not be safe. A flaw in a widely used encryption program called OpenSSL might be exposing much of the Net's encrypted traffic to eavesdropping. NPR's Steve Henn joins us now to explain how this flaw, which is known as the Heartbleed bug, was discovered and what it might mean for all of us. Steve, good morning.

STEVE HENN, BYLINE: Good morning.

GREENE: So let's start from the beginning here. This bug affects an encryption program called OpenSSL. What is that?

HENN: Well, it stands for Secure Socket Layer, but I think most people would know it as the little padlock that appears on your web browser when you go to a secure site like your bank.

GREENE: I'll actually see this if I'm logging onto my bank account or something.

HENN: Right, yeah. SSL is one of the most widely used types of encryption on the Internet. As you said, it's used by Google and Gmail, Facebook, Internet commerce, sites like Amazon, and lots of banks. So the fact that this was vulnerable, and appears to have been vulnerable for years, is pretty bad news.

GREENE: Okay. So if I go onto one of these websites, I'll see this padlock. I'll know I'm going onto what I hope is a secure site. Sounds like it might not be so secure anymore because of something called the Heartbleed bug. Tell us about that.

HENN: Right. The Heartbleed bug. So computers and Web servers that are talking to each other using this protocol, OpenSSL, verify that they're still connected by using something called a heartbeat. It's basically a short message that really just says, hello, I'm still here. Are you still here? Researchers discovered that instead of responding with a, yeah, I'm here, they could force servers to actually send a big packet of information, sending back the short-term memory on the server, and that information could include things the computer was processing at the time, like passwords, spreadsheets, credit card information and, most disturbingly, even the private encryption keys for the site that were supposed to keep all of that information secure.

GREENE: So if I'm using sites like this that are exposed, hackers might be getting information from me. I mean who exactly could be using this bug to get stuff?

HENN: The thing about a bug like this is until it's publicly known, it's very valuable. People want to use it discreetly because it could open so many doors. What happened on Monday is that bloggers posted this vulnerability online and that really set off an arms race. It's not a very difficult hack to make once you know it's there. So right now, you know, basically hackers and security professionals on websites all over the Internet are engaged in a race where the professionals are trying to patch this bug, fix it, which also isn't very difficult to do, and hackers are trying to find sites that still haven't acted and exploit them.

GREENE: Anything I, as a person who uses some of these websites, can do to protect myself?

HENN: Well, you know, people have been joking about staying off the Internet and...

GREENE: That's one option.

HENN: Right. And, you know, I'm only kind of kidding. You know, yesterday when I first found out about this, I made a point of not logging into my bank account. I didn't know if my bank had been secured and I didn't want to send my password when I knew that this vulnerability was widely known. And until a website you interact with that uses OpenSSL for encryption has been patched, honestly, there's not a lot you can do.

But within the next few days, most well-run websites all over the world are going to fix this, and then there is actually something you can do. Thursday or Friday, if you have a site that handles lots of sensitive information, like your bank, it could be worth it to go ahead and update your passwords for those sites.

GREENE: So once they fix this patch, updating my password, I mean, would protect me. If someone stole my password, I've got a new password then and they can't get in anymore.

HENN: Right. I mean the danger is that this site got attacked and they captured your password sometime in the past and you don't know about it. So if you update your password and the site's fixed, you're probably good to go. And in the meantime, you could actually go to MORNING EDITION's Facebook page. We've posted a couple links that will help you identify whether or not the sites you use are vulnerable and whether or not they've been fixed.

GREENE: All right. Helpful to know. NPR's Steve Henn, thanks a lot.

HENN: Oh, my pleasure.
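The heartbeat over-read Henn describes above, shown in code. This is an added example for readers of the transcript, not part of the NPR broadcast and not OpenSSL's source. It models the heartbeat message layout from RFC 6520 (one type byte, a two-byte payload length, the payload, then padding) and shows two handlers: one that trusts the peer's declared payload length, which is the Heartbleed pattern, and one that rejects any declared length that does not fit in the bytes actually received, which is the shape of the fix. The connection memory layout, the "ping" payload and the secret string placed after the record are all constructed for the demonstration, so the over-read lands on something recognizable instead of on whatever happened to be in a real server's memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   128
#define HB_REQUEST 1       /* heartbeat_request  (RFC 6520) */
#define HB_RESPONSE 2      /* heartbeat_response (RFC 6520) */
#define HB_PADDING 16      /* minimum padding a heartbeat must carry */

/* Constructed secret: stands in for whatever the server held in memory
 * right after the received record (passwords, keys, other sessions). */
static const char SECRET[] = "PRIVKEY=constructed-example-key";

struct conn {
    unsigned char mem[MEM_SIZE]; /* memory the heartbeat record was read into */
    size_t rec_len;              /* bytes actually received for this record */
};

/* Lay out one connection: heartbeat record at the front, SECRET right after it.
 * The peer controls claimed_len; the real payload is whatever it actually sent. */
static void setup_conn(struct conn *c, uint16_t claimed_len, const char *payload) {
    size_t actual = strlen(payload);
    memset(c->mem, 0, sizeof c->mem);
    c->mem[0] = HB_REQUEST;
    c->mem[1] = (unsigned char)(claimed_len >> 8);
    c->mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&c->mem[3], payload, actual);
    c->rec_len = 3 + actual + HB_PADDING;           /* header + payload + padding */
    memcpy(&c->mem[c->rec_len], SECRET, sizeof SECRET);
}

static uint16_t claimed_length(const struct conn *c) {
    return (uint16_t)((c->mem[1] << 8) | c->mem[2]);
}

/* Copy the echo back into out: type, length field, then `n` payload bytes. */
static size_t emit_reply(const struct conn *c, uint16_t n, unsigned char *out) {
    out[0] = HB_RESPONSE;
    out[1] = c->mem[1];
    out[2] = c->mem[2];
    memcpy(&out[3], &c->mem[3], n);   /* copies n bytes starting at the payload */
    return (size_t)3 + n;
}

/* Vulnerable handler: echoes as many bytes as the peer *claimed* to send,
 * never comparing that against what actually arrived. The copy runs past the
 * real payload into adjacent memory. The out_cap/MEM_SIZE guard only keeps
 * this demo inside its own array; it is not part of the vulnerable pattern. */
static size_t heartbeat_reply_vulnerable(const struct conn *c, unsigned char *out, size_t out_cap) {
    if (c->mem[0] != HB_REQUEST) return 0;
    uint16_t claimed = claimed_length(c);
    if ((size_t)3 + claimed > out_cap || (size_t)3 + claimed > MEM_SIZE) return 0;
    return emit_reply(c, claimed, out);
}

/* Hardened handler: the declared payload plus header and padding must fit in
 * the bytes actually received, otherwise the message is silently discarded. */
static size_t heartbeat_reply_hardened(const struct conn *c, unsigned char *out, size_t out_cap) {
    if (c->rec_len < (size_t)1 + 2 + HB_PADDING) return 0;   /* too short to be a heartbeat */
    if (c->mem[0] != HB_REQUEST) return 0;
    uint16_t claimed = claimed_length(c);
    if ((size_t)1 + 2 + claimed + HB_PADDING > c->rec_len) return 0;   /* the bounds check */
    if ((size_t)3 + claimed > out_cap) return 0;
    return emit_reply(c, claimed, out);
}

/* Does the reply contain the secret that was never part of the payload? */
static int contains_secret(const unsigned char *buf, size_t n) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* One scenario end to end: peer sends "ping" but declares claimed_len bytes. */
static size_t scenario_reply_len(int hardened, uint16_t claimed_len) {
    struct conn c; unsigned char out[MEM_SIZE + 3];
    setup_conn(&c, claimed_len, "ping");
    return hardened ? heartbeat_reply_hardened(&c, out, sizeof out)
                    : heartbeat_reply_vulnerable(&c, out, sizeof out);
}

static int scenario_leaks(int hardened, uint16_t claimed_len) {
    struct conn c; unsigned char out[MEM_SIZE + 3];
    setup_conn(&c, claimed_len, "ping");
    size_t n = hardened ? heartbeat_reply_hardened(&c, out, sizeof out)
                        : heartbeat_reply_vulnerable(&c, out, sizeof out);
    return contains_secret(out, n);
}

int main(void) {
    printf("honest  'ping' (claims 4):  vulnerable replies %zu bytes, leak=%d; hardened replies %zu bytes\n",
           scenario_reply_len(0, 4), scenario_leaks(0, 4), scenario_reply_len(1, 4));
    printf("forged  'ping' (claims 64): vulnerable replies %zu bytes, leak=%d; hardened replies %zu bytes\n",
           scenario_reply_len(0, 64), scenario_leaks(0, 64), scenario_reply_len(1, 64));
    return 0;
}
```

The honest request is answered identically by both handlers, so the fix costs nothing for well-behaved peers. With the forged length, the vulnerable handler echoes 64 bytes of which only 4 were ever sent, and the constructed secret comes back inside the reply; the hardened handler sees that 1 + 2 + 64 + 16 exceeds the 23 bytes it actually received and drops the message. In real memory the bytes after the record are not a labelled string but whatever the process last touched, which is why the leak could include other users' sessions, credentials or the server's private key.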

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.