Heartbleed calls into question our addiction with sharing online

As with most addictions, the current craze for sharing personal data on the internet is a bad habit which we just don’t want to give up. No-makeup selfies, status updates and funny pictures of cats are among the most common things we now broadcast into the web’s dark and mysterious clutches, but so too are emails, bank passwords and, increasingly, our exact geographical location. The frightening consequences of beaming our entire lives online are well-known, but users remain remarkably ambivalent about the internet’s many perils.

That ambivalence might be about to change. Early this April, media and IT experts worldwide reported on the discovery of Heartbleed, a serious vulnerability in OpenSSL, the open-source cryptographic software that protects the private data of almost two-thirds of websites. Those in the know showed how a remarkably simple technique allowed spies, hackers and bored teenagers to force an internet server to disclose its private key, which would in turn allow open access to all encrypted and sensitive information shared on a chosen website, past and present.

As the website The Verge put it: “The bug allows an attacker to pull 64 kilobytes at random from a given server’s working memory. It’s a bit like fishing — attackers don’t know what usable data will be in the haul — but since it can be performed over and over again, there’s the potential for a lot of sensitive data to be exposed”.

The vulnerability is now being fixed, but the most disturbing revelation about the whole episode is that our private data may well have been open to prying eyes for as many as two years. Times Higher Education has claimed that, in research-intensive universities such as Cambridge, this could have included reams of privileged data, including valuable research, as well as highly sensitive information about all registered staff and students.

Cambridge reacted almost instantly, recommending a series of patches and alterations to global IT systems.

So what can we, as everyday internet users, do about Heartbleed? Some might argue that it is already too late to safeguard all that we have uploaded to the net. Perhaps surprisingly, however, few victims of the Heartbleed bug, which is named after the vulnerable ‘heartbeat’ security extension that it exploits, have so far been announced. The unfortunate few include the Canada Revenue Agency, which revealed that nine hundred social security numbers had been stolen from its systems, and also the popular parenting site Mumsnet, which detected an intrusion that certainly had all the indications of an OpenSSL hack.

The expert recommendation is that you change your passwords instantly. All of them. Heartbleed has shown, however, that even the most well-thought-out passwords would have been an ineffective safeguard against this vulnerability. Frankly, many (me included) simply won’t be bothered. In an age where it has been shown repeatedly that ‘123456’, ‘qwerty’ and, most astonishingly, ‘password’ are among our most popular passwords, it seems highly unlikely that people will feel compelled to live up to the recommendation.

If anything, the lesson of Heartbleed is that we are now all inclined to share our data on an inherently insecure platform. The only response may be simply to limit the amount we put on offer. Users need to distinguish between harmless fun and potentially compromising actions, while rethinking the trust they put into some of the more obviously insecure areas of the web. The Heartbleed bug was a rude, but entirely expected, reminder about the perils of the internet, and one which should force everyone to tread more carefully from now on.