AUDIE CORNISH, HOST:
From NPR News, this is ALL THINGS CONSIDERED. I'm Audie Cornish.
MELISSA BLOCK, HOST:
And I'm Melissa Block.
A security flaw in one of the most popular encryption programs on the Web is raising alarms. The so-called Heartbleed bug first made news on Monday. Online attacks that take advantage of the bug could expose all kinds of sensitive information and it would be difficult, if not impossible, to detect.
So we asked NPR's technology correspondent Steve Henn what, if anything, users can do to protect themselves.
STEVE HENN, BYLINE: If you bank or shop online, if you use Yahoo or Gmail or sign into work remotely using a virtual private network, your communications may have been compromised.
ANDY GRANT: It's definitely catastrophic.
HENN: Andy Grant is a security analyst at iSEC Partners.
GRANT: I would have to classify it as possibly the top bug to hit the Internet that I've encountered - because of it being so widespread, because it's so hard to detect. It leaves zero trace.
HENN: The Heartbleed bug isn't a virus or a malicious attack. It's basically a programming mistake in a popular, free encryption service - which no one noticed for more than two years. And this mistake made it possible to trick a device or website into handing over private encryption keys. So you know that little padlock you see on your Web browser when you visit a secure website? This bug made it possible to pick that lock. So just how can consumers protect themselves?
AARON GRATTAFIORI: I've definitely stayed off of the Internet as much as I can.
HENN: Aaron Grattafiori is also at iSEC Partners. And unfortunately, he's not joking. Before consumers can do anything to protect themselves, the vulnerable sites they depend on have to be fixed; the locks on those websites have to be swapped out. After that happens, it probably makes sense for you to change your passwords on your most important accounts, for things like email or online banking.
We're posting links on npr.org so you can see for yourself what websites are safe now, which ones may have been vulnerable in the past, and which of your devices or apps could be vulnerable, too. Unfortunately, it turns out it's not just websites that are affected. Millions of android phones are vulnerable as well.
Steve Henn, NPR News, Silicon Valley.