It was my original plan to regale you with some hot tips on capturing the perfect image on your fabulous smartphone. But then a couple of snivelling halfwits from Google and Codenomicon threw my big idea into disarray by discovering a security flaw in the web with such potential for harm, it could change the way we use it forever.
Yet in a plotline that wouldn’t seem out of place in one of those summer smash-hit Hollywood movies, we don’t know if it will, or has.
I’m talking about Heartbleed, something you’ve probably heard of in the past few days. I could go into ludicrous detail about what it is, and why it matters, but instead I’ll give you the dumbed-down version that I understand. If you want uber-geek, heartbleed.com has everything you need.
Update: you can test whether a website has been locked down and is now unaffected by the Heartbleed exploit. To do so, use this SSL Test.
For those unwise enough to stick with me, Heartbleed is an exploit in how sensitive data is stored. The technology concerned is called OpenSSL; it was used by two thirds of sites on the world wide web, and possibly still is, because of the legwork needed to switch to a different security platform.
What’s an exploit? It’s a weakness: the site’s power to repel hackers is significantly compromised.
SSL is that little yellow padlock at the bottom of your browser window, there purportedly to assure you that any details you provide at this point will be securely transmitted and stored.
You’re seeing that padlock more than ever because every company wants you to share as much information as possible, so it can know you better and therefore tailor its offering to your specific needs.
These websites could be asking for something as innocuous as a username and password to access a member’s area.
Ironically, among websites compromised by the Heartbleed exploit, apart from Google itself and Yahoo! Mail, is LastPass – a secure password storage service that gives you a single master password to remember (never did get that idea).
Well, since Heartbleed acts as a master key for much of the internet, that might not have worked out so well.
You can take heart in the fact that shortly after this flaw was discovered, a patch was issued that fixes it. But locking down this encrypted technology to do what it was supposed to do in the first place depends on every OpenSSL-powered website actually installing it. And most have. But yet…
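One way a site operator can check that point for themselves, added here as an example rather than anything from this column: a POSIX shell function that reads the banner printed by the openssl version command and sorts it into the affected range (1.0.1 up to 1.0.1f, plus the first 1.0.2 beta), the fixed releases (1.0.1g, issued 7 April 2014, and later), and the older 1.0.0 and 0.9.8 lines that never had the bug. The banner strings in the code are constructed samples in the real format, and the caveat in the comments about distribution packages is the part worth reading twice.

```shell
#!/bin/sh
# Added example (not from the column): classify an "openssl version" banner
# against the Heartbleed-affected range. Banners below are constructed samples
# in the real format, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
#
# Caveat: distributions that backport the fix keep the old version number
# (a patched 1.0.1e package is common), so treat "vulnerable" here as
# "needs confirming from the package changelog or a TLS scan of the service",
# not as a final verdict.

classify_openssl() {
    # $1 is one banner line; prints vulnerable, fixed, unaffected or unknown.
    rest=${1#OpenSSL }          # drop the leading "OpenSSL " word
    ver=${rest%% *}             # keep the version token only (e.g. 1.0.1e)
    case "$ver" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta1) echo vulnerable ;;  # heartbeat bug present upstream
        1.0.1[g-z]*|1.0.2*|1.1*|3.*)   echo fixed ;;       # 1.0.1g (7 Apr 2014) onward
        0.9.*|1.0.0*)                  echo unaffected ;;  # these lines never had the bug
        *)                             echo unknown ;;
    esac
}

# Check the binary on this machine, if there is one (version string only;
# see the caveat above before acting on the answer).
live_check() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 1; }
    classify_openssl "$(openssl version)"
}
```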
When I was on BBC Radio Merseyside last week, mein host Simon Hoban asked me if we should change all our passwords. My response was a mixed bag.
Unequivocally yes, you should change your password: frequently, in fact. It’s good to get into a habit of not relying on others to protect you and your online data, as we now see.
But changing your password won’t fix the problem: only website operators can do that. The gaping hole needs sealing first. Otherwise it doesn’t matter if your password is the entire Bible, backwards: once the hacker’s opened the door, they can just reach right in and grab it.
I said very much earlier that we’re in this horrible Heartbleed hiatus right now. Simply, we have no way of knowing if hackers exploited it. There is no evidence that Heartbleed was exposed until this couple of geeks found it in a recent OpenSSL update, but as we’ve seen from Flight MH370, things often take a long time to materialise.
I don’t want to instigate histrionics here, but Heartbleed will damage the web, irrespective of how the post mortem plays out.
Knowing your data wasn’t safe – for two years – and that huge corporations relied on the security ‘protecting’ it for so long, won’t do etailers any favours.
The world wide web is just a child. Mistakes happen when you’re growing up. But Heartbleed rebuffs the saying that ‘to err is human’.
If machines can mess up, too, it makes me feel a whole lot better.