Heartbleed, An Explainer:
Hide Ya Bits, Hide Ya Bytes


April 10, 2014 | Peter Yeh

The Heartbleed bug is upon us. All of us. In the words of security expert Bruce Schneier: “On the scale of 1 to 10, this is an 11.”

WHY

The Heartbleed bug is a security disaster that strikes at the most popular security software on the internet, OpenSSL. Server administrators all over are scrambling, and security certificate providers are swamped with requests for new certificates.

WHAT NOW

Change your passwords everywhere. Microsoft, Facebook, Apple, Google were safe from it, but a lot of other places were not. Tumblr is warning users to change their passwords. Test to see if your website was safe by clicking this link. If you run a website, download the latest update to OpenSSL, regenerate your private keys and head to your cert issuer to get a new one. There’ll be a long line though, as everyone is rushing to get a new cert.

HOW DID THIS HAPPEN

OpenSSL is free and open source software that provides a secure way for two parties to communicate, you and your bank’s website for instance. There’s lots of software that can do it, but OpenSSL is the most common, with over 60% of the internet using it. The bug means that you can trick a server into leaking chunks of its memory, completely unencrypted, to an attacker.

WHAT THE FUCK

Two years ago, someone decided that he’s way too clever to use what everyone else uses. So he made his own memory management that’d totally be much more efficient. His mistake meant clean, unencrypted data was pulled up out of memory and, even worse, an outside party could request it. If he hadn’t tried to reinvent the wheel, the program would have crashed randomly, and someone would have fixed this problem years ago. Instead it sat for two years.
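To make the last two sections concrete, here is an added example (not OpenSSL’s code, and not from this post) of the pattern behind the bug and the shape of the fix. A heartbeat record carries a length field chosen by the sender; the vulnerable handler copies that many bytes back without checking how many bytes actually arrived, so the reply carries whatever happened to sit in memory after the record. The hardened handler compares the claimed length against the real record length and drops the record when they disagree. The memory layout, the `process_memory` buffer, the `SECRET` string and every function name are constructed for this demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the server's memory (not OpenSSL's real layout):
 * the received heartbeat record sits at the front and a made-up secret
 * sits a little further on, as leftover data from earlier requests might. */
#define MEM_SIZE 64
static unsigned char process_memory[MEM_SIZE];
static const char SECRET[] = "secret-session-token";   /* hypothetical value */

/* Simplified heartbeat record: 2-byte big-endian payload length, then payload. */
#define HB_HDR 2

static size_t read_u16(const unsigned char *p) {
    return ((size_t)p[0] << 8) | p[1];
}

/* Lay out a record at offset 0 whose header claims claimed_len payload bytes
 * but whose real payload is the 4 bytes "ping"; park the secret at offset 16.
 * Returns the true length of the record as received on the wire. */
size_t build_memory(size_t claimed_len) {
    memset(process_memory, 0, MEM_SIZE);
    process_memory[0] = (unsigned char)(claimed_len >> 8);
    process_memory[1] = (unsigned char)(claimed_len & 0xff);
    memcpy(process_memory + HB_HDR, "ping", 4);
    memcpy(process_memory + 16, SECRET, sizeof SECRET);
    return HB_HDR + 4;
}

/* Vulnerable pattern: the length comes from the sender-controlled header and
 * is never compared with how many bytes actually arrived, so the copy runs
 * past the end of the record into neighbouring memory. */
size_t heartbeat_unchecked(const unsigned char *rec, unsigned char *out, size_t out_cap) {
    size_t claimed = read_u16(rec);
    if (claimed > out_cap) claimed = out_cap;   /* only so this demo stays in bounds */
    memcpy(out, rec + HB_HDR, claimed);
    return claimed;
}

/* Hardened pattern, the shape of the April 2014 fix: reject any record whose
 * claimed payload length does not fit inside the bytes actually received. */
long heartbeat_checked(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR) return -1;
    size_t claimed = read_u16(rec);
    if (claimed > rec_len - HB_HDR) return -1;  /* claimed more than was sent */
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HDR, claimed);
    return (long)claimed;
}

/* Did the reply carry the secret out of memory? */
int contains_secret(const unsigned char *buf, size_t n) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* 1 if the unchecked handler leaks the secret when the header over-claims. */
int unchecked_leaks(void) {
    unsigned char out[MEM_SIZE];
    build_memory(40);                             /* header says 40, only 4 sent */
    size_t n = heartbeat_unchecked(process_memory, out, sizeof out);
    return contains_secret(out, n);
}

/* The checked handler's result for a given claimed length (-1 = rejected). */
long checked_result(size_t claimed_len) {
    unsigned char out[MEM_SIZE];
    size_t rec_len = build_memory(claimed_len);
    return heartbeat_checked(process_memory, rec_len, out, sizeof out);
}

int main(void) {
    printf("unchecked handler leaks secret: %s\n", unchecked_leaks() ? "yes" : "no");
    printf("checked handler, over-claimed length: %ld\n", checked_result(40));
    printf("checked handler, honest length: %ld\n", checked_result(4));
    return 0;
}
```

The one-line check in `heartbeat_checked` is the whole fix: the length a peer claims must never be trusted over the length you actually received. The post’s point about the custom allocator is why this went unnoticed: with the standard allocator an over-read like this tends to crash or trip memory checkers, whereas recycling buffers in-process quietly hands back stale plaintext.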

FUCK THIS

The implications are catastrophic. For the past two years, millions of websites have been leaking what they thought was secure. Even worse — the “Internet of Things” from the Cisco IP phone next to me, to a credit card reader in a vending machine — is all probably using OpenSSL, and there’s no way to update the software on these devices.

TRUST NO ONE
SMASH THE SODA MACHINE
THROW YOUR DESK PHONE OUT THE WINDOW
CURL UP AND CRY