Live Chat!

Experts Discuss The Heartbleed OpenSSL Bug

"On the scale of 1 to 10, this is an 11," wrote security expert Bruce Schneier in a blog post this week. He was referring to Heartbleed, the devastating two-year-old bug that was only revealed Monday. Join Co.Design senior writer Mark Wilson for a live discussion with security expert Wayne Jackson and RedMonk analyst Donnie Berkholz about the implications of this vulnerability on Wednesday, April 9th at 3pm ET.


The discussion will begin at 3pm ET on Wednesday, April 9th (scroll to the end of this page to submit your questions to the chat). Until then, be sure to read Fast Company writer Chris Gayomali's explainer on the Heartbleed OpenSSL bug. Here are the basics:

WHAT IS HEARTBLEED?
It's a bug in OpenSSL, an encryption software library that Google, Facebook, Yahoo, Amazon, and a very big chunk of the world's biggest websites use to secure the transmission of private information. The average user is probably unfamiliar with OpenSSL, but it is represented in your URL bar by the little lock symbol next to HTTPS. Essentially, the exploit gifts hackers and cybercriminals a skeleton key to a hidden world of private data. They can waltz in, reach into a grab bag of secure information (emails, IMs, passwords, etc.), and walk away without a trace.

HOW WIDESPREAD IS IT?
According to Schneier, about half a million websites have been made vulnerable to attack. Although the exact extent of the damage is unclear, security experts say this is exactly the kind of easy vulnerability hackers have a field day with. "It affects two-thirds of the Internet's infrastructure," Wayne Jackson, security expert and CEO of Sonatype, tells Fast Company. "I don't think this is all that different from bugs that we see that get reported. It's just that this one is foundational."

HOW IS THE PRIVATE DATA GATHERED?
Heartbleed allows hackers to reach into the private computer memory handled by OpenSSL during the encrypted exchange, letting them pull out information en masse. What gets pulled out is randomized: sometimes you'll get something benign, like a timestamp. In the worst case, they'll get something like the encryption key itself. It's like a private-data piñata.
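The memory leak described above happens because the server trusts a length field in the incoming heartbeat message and copies that many bytes back, even when far fewer bytes actually arrived. The following is an added example written for this page, not code from Fast Company or from the OpenSSL project: it parses a TLS heartbeat message using the wire layout from RFC 6520 (a 1-byte type, a 2-byte big-endian payload length, the payload, and at least 16 bytes of padding) and refuses to answer unless the claimed payload fits inside the record that was really received, which is the bounds check the patched OpenSSL release added. The sample messages at the bottom are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wire layout of a TLS heartbeat message (RFC 6520) inside one TLS record:
 *   type            1 byte  (1 = request, 2 = response)
 *   payload_length  2 bytes, big-endian
 *   payload         payload_length bytes
 *   padding         at least 16 bytes
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Validate a heartbeat message against the number of bytes that actually
 * arrived (rec_len). Returns the claimed payload length when the message is
 * well-formed, or -1 when it must be dropped. The "header + claimed payload
 * + padding must fit in the record" test is the check whose absence let a
 * peer read adjacent server memory. */
int heartbeat_validate(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                         /* too short for even an empty payload */
    uint8_t type = rec[0];
    if (type != 1 && type != 2)
        return -1;                         /* unknown heartbeat type */
    unsigned payload_len = ((unsigned)rec[1] << 8) | rec[2];
    /* The peer-controlled length must be covered by bytes that really arrived. */
    if ((size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    return (int)payload_len;
}

/* Build the response a server sends back: echo of the payload followed by
 * padding (zeros here; a real implementation uses random bytes). Returns the
 * number of bytes written, or -1 if the request was rejected or out is too small. */
int heartbeat_build_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    int payload_len = heartbeat_validate(rec, rec_len);
    if (payload_len < 0)
        return -1;
    size_t need = HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING;
    if (out_cap < need)
        return -1;
    out[0] = 2;                                     /* heartbeat_response */
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)payload_len); /* only bytes the peer sent */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)need;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',          /* request, 5-byte payload */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0      /* 16 bytes padding */
};
/* Same 5 bytes on the wire, but the header claims a 65535-byte payload. */
static const uint8_t SAMPLE_OVERSIZED[] = {
    0x01, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int check_sample_good(void)      { return heartbeat_validate(SAMPLE_GOOD, sizeof SAMPLE_GOOD); }
int check_sample_oversized(void) { return heartbeat_validate(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED); }
int response_len_good(void)
{
    uint8_t out[64];
    return heartbeat_build_response(SAMPLE_GOOD, sizeof SAMPLE_GOOD, out, sizeof out);
}

int main(void)
{
    printf("well-formed request: payload length %d\n", check_sample_good());
    printf("oversized request:   %d (rejected)\n", check_sample_oversized());
    printf("response bytes:      %d\n", response_len_good());
    return 0;
}
```

The only difference between the vulnerable behaviour and this version is the single comparison in `heartbeat_validate`: without it, `memcpy` would happily copy 65535 bytes starting at a 5-byte payload, and the extra bytes would come from whatever sat next to it in the server's memory.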



[Photo: Flickr user Nan Palmero]