Security experts warn there is little Internet users can do
to protect themselves from the recently uncovered
"Heartbleed" bug that exposes data to hackers, at least not
until vulnerable websites take steps to secure their
The Heartbleed bug in widely used web encryption technology
known as OpenSSL affects software on servers that host
websites. That software is not used on PCs or mobile devices,
so even though the bug exposes passwords and other data
entered on those devices to hackers, it must be fixed by
"There is nothing users can do to fix their computers. They
have to rely on the administrators of the websites they use,"
Mikko Hypponen, chief research officer with security software
maker F-Secure, told Reuters.
Representatives for Facebook Inc, Google and Yahoo Inc told
Reuters that they use OpenSSL and have already taken steps to
mitigate any impact on users.
The bug has the potential to affect the world's biggest
websites because OpenSSL is used on about two-thirds of all
web servers and has gone unnoticed for about two years. It
could lead to the theft of data, including passwords,
confidential communications and credit card numbers.
"On a scale of 1 to 11, it's about an 11," cryptologist Bruce
Schneier, chief technology officer of Co3 Systems Inc., said
of the bug's severity.
Google spokeswoman Dorothy Chou told Reuters: "We fixed this
bug early and Google users do not need to change their
Ty Rogers, a spokesman for online commerce giant Amazon.com
Inc, said "Amazon.com is not affected." He declined to
CLEANING UP THE MESS
Schneier called on Internet firms to issue new certificates
and keys for encrypting Internet traffic with Web browsers
such as Firefox, Microsoft Corp's Internet Explorer and
Google Inc's Chrome, which would render any stolen keys
It will be time-consuming to replace certificates and keys,
update OpenSSL software and notify users about their passwords,
said Barrett Lyon, chief technology officer of cybersecurity
firm Defense.Net Inc. "There's going to be lots of chaotic
mess," he said.
GoDaddy, a major provider of SSL technology, said it does not
charge for re-keying its certificates. Symantec, the biggest
provider of such certificates, could not immediately be
Hypponen said computer users could immediately change
passwords on accounts, but they would have to do so again if
their operators notify them that they are vulnerable.
"Take care of the passwords that are very important to you,"
he said. "Maybe change them now, maybe change them in a week.
And if you are worried about your credit cards, check your
credit card bills very closely."