From NPR News, this is ALL THINGS CONSIDERED. I'm Audie Cornish.


And I'm Melissa Block.

A security flaw in one of the most popular encryption programs on the Web is raising alarms. The so-called Heartbleed bug first made news on Monday. Online attacks that take advantage of the bug could expose all kinds of sensitive information and it would be difficult, if not impossible, to detect.

So we asked NPR's technology correspondent Steve Henn what, if anything, users can do to protect themselves.

STEVE HENN, BYLINE: If you bank or shop online, if you use Yahoo or Gmail or sign into work remotely using a virtual private network, your communications may have been compromised.

ANDY GRANT: It's definitely catastrophic.

HENN: Andy Grant is a security analyst at iSEC Partners.

GRANT: I would have to classify it as possibly the top bug to hit the Internet that I've encountered - because of it being so widespread, because it's so hard to detect. It leaves zero trace.

HENN: The Heartbleed bug isn't a virus or a malicious attack. It's basically a programming mistake in a popular, free encryption service - which no one noticed for more than two years. And this mistake made it possible to trick a device or website into handing over private encryption keys. So you know that little padlock you see on your Web browser when you visit a secure website? This bug made it possible to pick that lock. So just how can consumers protect themselves?

AARON GRATTAFIORI: I've definitely stayed off of the Internet as much as I can.

HENN: Aaron Grattafiori is also at iSEC Partners. And unfortunately, he's not joking. Before consumers can do anything to protect themselves, the vulnerable sites they depend on have to be fixed; the locks on those websites have to be swapped out. After that happens, it probably makes sense for you to change your passwords on your most important accounts, for things like email or online banking.

We're posting links on so you can see for yourself what websites are safe now, which ones may have been vulnerable in the past, and which of your devices or apps could be vulnerable, too. Unfortunately, it turns out it's not just websites that are affected. Millions of Android phones are vulnerable as well.

Steve Henn, NPR News, Silicon Valley.

Copyright © 2014 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR’s programming is the audio.


