It has recently come to light that some versions of OpenSSL are vulnerable to an exploit called Heartbleed. OpenSSL is one of the security measures companies use to keep their information, which could be your information, secure from “bad guys” who might want to collect it for illegal or questionable purposes. The Heartbleed bug is essentially a hole in the SSL software that can be used to gain access to that information.
I have written about SSL in some of my earlier posts. Basically, SSL, or Secure Sockets Layer, is software that is used to keep your data confidential. SSL certificates can be used on mail or web servers to protect your personal information. How does it protect you? Protection is maintained by encrypting the data into non-readable code, which is then decrypted at the other end of the connection. In this way, only the parties at either end of the connection can read the actual data.
So what kinds of information can the bad guys collect? Well, a young man was recently arrested for obtaining Social Insurance numbers from Revenue Canada. Even the National Security Agency (NSA) has admitted they have been taking advantage of this exploit for over two years, collecting anything from usernames and passwords to bank account records or any other bits of information they could get that would be of use to them.
Should we care? The short answer is yes. Putting aside the questionable morality of what the NSA has been doing, anyone getting your personal information leaves you vulnerable to anything from having your bank account cleaned out right up to possibly being charged with fraud because someone used your identification for an illegal purpose.
What can you do? That question is an easy one to answer. To my knowledge, as of this writing, OpenSSL is the only Secure Sockets Layer software affected by the Heartbleed bug, and even within OpenSSL there are only a few versions that are vulnerable. If you are using OpenSSL, ensure your certificate version is not among the vulnerable ones. If you are concerned about any of the secure web sites you go to, contact the business and ask them to confirm whether they are vulnerable.
If you are interested in reading more on this subject, I have a couple of links for you that I am sure you will find both informative and interesting. Keeping your personal data confidential is getting trickier and trickier. At least now that this bug is exposed you can consider your options and take action to protect yourself…and your data.
Got a question or an idea for a topic you would like to see covered in one of my upcoming blogs? Write to firstname.lastname@example.org and sound off. I’ll do what I can to address your questions or concerns either personally in a reply email or on the blog. Until next month, take care.