Skip to main content

How Heartbleed bug weakened everyone's online safety

By Chester Wisniewski
April 10, 2014 -- Updated 1408 GMT (2208 HKT)
STORY HIGHLIGHTS
  • Researchers found a bug that could make public your private information online
  • Chester Wisniewski: A simple mistake in open-source computer code is responsible
  • All of us rely on the volunteer work that goes into open-source code, author says
  • He says companies and people need to realize we're all in this together

Editor's note: Chester Wisniewski is a senior security adviser at Sophos Inc., Canada. He researches computer security and privacy issues and is a regular contributor to the Naked Security blog. The opinions expressed in this commentary are solely those of the author.

(CNN) -- This week, researchers from Google and the Finnish security consulting group Codenomicon disclosed a bug, called Heartbleed, in OpenSSL, one of the most ubiquitous encryption software packages in use on the Internet.

Two thirds of the web sites and applications that allow you to do online banking or communicate privately through e-mail, voice or instant message use OpenSSL to protect your communications.

That is why a bug in OpenSSL that can render the private information you are transmitting across the wire visible to attackers is a very big deal.

The bug itself is a simple, honest mistake in the computer code that was intended to reduce the computing resources encryption consumes. The problem is that this bug made it past the quality assurance tests and has been deployed across the Internet for nearly two years.

Chester Wisniewski
Chester Wisniewski

This brings into question all the secure conversations we thought we were having on affected services over that time. A big deal indeed.

How does something like this happen? Aren't there a lot of people looking at this code? It is open source after all; anyone can take a peek.

Usually the availability of source code to public scrutiny results in applications being more secure and one could argue that is what happened here. Researchers at Google were looking carefully at the code and discovered this mistake. Unfortunately, that discovery came two years too late.

Fortunately, most major Web services have already applied fixes to the affected Web servers and services. The bad news is that smaller websites as well as many companies' products that rely on OpenSSL may linger for many more years without a fix.

To a degree, we are at the mercy of the website operators and companies who make security products to apply these fixes to protect us.

Some are suggesting that everyone should change all their passwords. While it is never a bad idea to change your passwords, increase their strength and ensure they are sufficiently unique, you should only do this after confirming the site has been fixed.

Too little attention is paid to the critical nature of the free software that keeps the Internet moving. We expect this army of volunteers to write and maintain much of the code that enables our fast and free Internet, all without payment, without support, in essence without a thought.

Recently, companies like Google have begun making an effort to rectify this situation through programs like Patch Rewards. Google offers to pay researchers to find bugs in commonly used open source software, including OpenSSL, so the community can work together to fix flaws more quickly, resulting in a safer Internet.

All of us have come to rely on the Internet socially, politically and economically. The billions of dollars a year being made by the tech giants would not be possible without the millions of donated hours that maintain free and open software like OpenSSL, Linux, Apache Web server, and Postfix mail server.

This is a fight for our privacy, security and our freedom to communicate.
Chester Wisniewski

Businesses, government and individuals all have something to offer that can help. This isn't a battle between Windows, Mac and Linux or some battle between free and commercial software. This is a fight for our privacy, security and our freedom to communicate.

For some of us what we can offer is coding talent, others financial support, and still others can test software more thoroughly to ensure the reliability and security of the resulting code.

The most important thing is to recognize the importance of our collective security and to realize that in the end we are all tangled together online. A weakness in one can affect us all.

Follow CNN Opinion on Twitter.

Join the conversation on Facebook.

ADVERTISEMENT
Part of complete coverage on
August 31, 2014 -- Updated 1754 GMT (0154 HKT)
Carlos Moreno says atheists, a sizable fraction of Americans, deserve representation in Congress.
August 31, 2014 -- Updated 1625 GMT (0025 HKT)
Julian Zelizer says Democrats and unions have a long history of mutual support that's on the decline. But in a time of income inequality they need each other more than ever
August 31, 2014 -- Updated 0423 GMT (1223 HKT)
William McRaven
Peter Bergen says Admiral William McRaven leaves the military with a legacy of strategic thinking about special operations
August 29, 2014 -- Updated 1611 GMT (0011 HKT)
Leon Aron says the U.S. and Europe can help get Russia out of Ukraine by helping Ukraine win its just war, sharing defense technologies and intelligence
August 29, 2014 -- Updated 1724 GMT (0124 HKT)
Timothy Stanley the report on widespread child abuse in a British town reveals an institutional betrayal by police, social services and politicians. Negligent officials must face justice
August 30, 2014 -- Updated 0106 GMT (0906 HKT)
Peter Bergen and David Sterman say a new video of an American suicide bomber shows how Turkey's militant networks are key to jihadists' movement into Syria and Iraq. Turkey must stem the flow
August 28, 2014 -- Updated 1516 GMT (2316 HKT)
Whitney Barkley says many for-profit colleges deceive students, charge exorbitant tuitions and make false promises
August 29, 2014 -- Updated 1434 GMT (2234 HKT)
Mark O'Mara says the time has come to decide whether we really want police empowered to shoot those they believe are 'fleeing felons'
August 28, 2014 -- Updated 1432 GMT (2232 HKT)
Bill Frelick says a tool of rights workers is 'naming and shaming,' ensuring accountability for human rights crimes in conflicts. But what if wrongdoers know no shame?
August 29, 2014 -- Updated 0243 GMT (1043 HKT)
Jay Parini says, no, a little girl shouldn't fire an Uzi, but none of should have easy access to guns: The Second Amendment was not written to give us such a 'right,' no matter what the NRA says
August 30, 2014 -- Updated 1722 GMT (0122 HKT)
Terra Ziporyn Snider says many adolescents suffer chronic sleep deprivation, which can indeed lead to safety problems. Would starting school an hour later be so wrong?
August 29, 2014 -- Updated 1330 GMT (2130 HKT)
Peggy Drexler says after all the celebrity divorces, it's tempting to ask the question. But there are still considerable benefits to getting hitched
August 29, 2014 -- Updated 1849 GMT (0249 HKT)
The death of Douglas McAuthur McCain, the first American killed fighting for ISIS, highlights the pull of Syria's war for Western jihadists, writes Peter Bergen.
August 26, 2014 -- Updated 2242 GMT (0642 HKT)
Former ambassador to Syria Robert Ford says the West should be helping moderates in the Syrian armed opposition end the al-Assad regime and form a government to focus on driving ISIS out
August 27, 2014 -- Updated 1321 GMT (2121 HKT)
Ruben Navarrette says a great country does not deport thousands of vulnerable, unaccompanied minors who fled in fear for their lives
August 27, 2014 -- Updated 1319 GMT (2119 HKT)
Robert McIntyre says Congress is the culprit for letting Burger King pay lower taxes after merging with Tim Hortons.
August 26, 2014 -- Updated 2335 GMT (0735 HKT)
Wesley Clark says the U.S. can offer support to its Islamic friends in the region most threatened by ISIS, but it can't fight their war
August 26, 2014 -- Updated 2053 GMT (0453 HKT)
America's painful struggle with racism has often brought great satisfaction to the country's rivals, critics, and foes. The killing of Michael Brown and its tumultuous aftermath has been a bonanza.
August 26, 2014 -- Updated 1919 GMT (0319 HKT)
Rick Martin says the death of Robin Williams brought back memories of his own battle facing down depression as a young man
August 26, 2014 -- Updated 1558 GMT (2358 HKT)
David Perry asks: What's the best way for police officers to handle people with psychiatric disabilities?
August 25, 2014 -- Updated 1950 GMT (0350 HKT)
Julian Zelizer says it's not crazy to think Mitt Romney would be able to end up at the top of the GOP ticket in 2016
August 25, 2014 -- Updated 2052 GMT (0452 HKT)
Roxanne Jones and her girlfriends would cheer from the sidelines for the boys playing Little League. But they really wanted to play. Now Mo'ne Davis shows the world that girls really can throw.
August 25, 2014 -- Updated 2104 GMT (0504 HKT)
Kimberly Norwood is a black mom who lives in an affluent neighborhood not far from Ferguson, but she has the same fears for her children as people in that troubled town do
August 22, 2014 -- Updated 2145 GMT (0545 HKT)
It apparently has worked for France, say Peter Bergen and Emily Schneider, but carries uncomfortable risks. When it comes to kidnappings, nations face grim options.
ADVERTISEMENT