ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

Heartbleed Bug Leaves Internet Users Open To Being Hacked

Updated on November 22, 2014

What is OpenSSL?

OpenSSL is the most common web encryption program on the internet that users only recognize by seeing HTTPS or a padlock in their top left corner of their screen, telling them that the website is secure. Rarely do they know it by its OpenSSL name.

Privacy notices spell it out, but you - the average user - have no idea how it functions and many don't even take the time to read those privacy notices or Terms of Service.

Check screenshots below to test the sites you use most often.

Tumblr's warning to users

Tumblr's notification to users
Tumblr's notification to users | Source

It is a big deal, no matter if you hear differently!

On Monday, April 8, 2014, trillions of passwords, credit card numbers and other personal information became attractive to hackers when Google's security team learned a bug named HEARTBLEED could access the web encrypted program known as OpenSSL.

It doesn't mean that hackers did access it. What it means is that there is no way to know if they did.

This bug reads the web encrypted program OpenSSL which many websites use to store your private information, passwords, file storage websites, bank and credit cards, as well as your private online conversations - anything this is encrypted with the padlock or HTTPS in top left of your screen.

The HEARTBLEED bug is a flaw affecting 66% of websites on the internet who use OpenSSL web encryption programs to protect the privacy of its users.

The HEARTBLEED bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.

This compromises the secret keys that are used to identify the service providers and to encrypt the traffic, users names and their passwords as well as their private content.

The HEARTBLEED bug is an eavesdropper which allows hackers to steal directly from the servers as well as the users so they can go on to impersonate or even steal the identity of each user.

There are always going to be bugs in software and software libraries and there are always going to be patches or new versions introduced. You see this every day when you are upgrading a program or new version of a game, for example.

But the HEARTBLEED bug is rather unique because this bug exposes a large number of private keys to anyone on the internet who is monitoring a site. When you consider the long range exposure (now over two years!), how easy it is to access and attack while leaving no trace behind, this bug should be taken very seriously!

Although a patch has been offered to websites and servers to address their vulnerability, the level of importance this has received has not made them act quickly.

This is partly because the level of the breach was not given a high priority.

Researchers hesitated to call it a virus or even malware. They are calling it a bug at this point because it is a nuisance program that steals information, but does not do any residual damage to your computer as would a virus or malware.

In other words, it does not leave behind adware or malware, so the level of importance assigned to it is low.

Make no mistake about it -- this IS a very big deal.

It is a major breakdown in internet security and the trust level on any site using any type of WoT (Web of Trust) program even if they don't use this version of OpenSSL.

Once any security program or website server has been breached, it reflects on all security programs, because you can't change the public's perception of how secure they feel about their online information.

Anything that attacks or accesses our private information - or information we deem to be private - is a big deal to us, even if the powers that be don't think so.

See screenshots below with link to test your favorite sites to see if they applied the patch (fix). If their grade is not A or higher, I wouldn't change the passwords just yet.

HEARTBLEED bug Update 4/16/2014

This is a great graphic giving lots of detail of affected vs non-affected sites.
This is a great graphic giving lots of detail of affected vs non-affected sites. | Source

Last pass for hubpages at 3PM EST on 4/10/2014
Last pass for hubpages at 3PM EST on 4/10/2014

Update: 4/10/2014 - 6pm Est

Matthew Meyer suggested this link to check Hubpages for site health with HEARTBLEED

It gets an all clear!

Test your secure websites and see how secure they are with this tool

Use this link to see if your domain, website, server is affected. After the first screen, wait 30 seconds, it will give you a second screen with a grade and key exchange. If it says "confusing" just hold on for 30 seconds because the screen is still working and it will give you the second screen. If the results on the first screen give a grade less than A, it is not the final answer because it is a working screen - a screen that gives you a bit of information before it goes on to give you more information on subsequent screens - so hang on for 30 seconds. came up "confusing" and while I was entering it in to see what that site offered, when I came back to Qualys SSL screen, it had given an all clear. is faster but doesn't give the detailed information that this site does.

So that is what I have to suggest between Qualys SSL screen and screens.

Keep it bookmarked and go back often to check by entering the URL.

This is a free online service that analyzes any SSL web server on the internet, not just OpenSSL.

If you can't click it, here it is for you to copy and paste it into your browser.


Screenshots of SSL Server Test (I tested Pinterest, Facebook, Yahoo)

This is the blank form you see on landing page.
This is the blank form you see on landing page. | Source
These are the results I got when I entered - A grade - just good, not perfect
These are the results I got when I entered - A grade - just good, not perfect
These are the results I got when I entered A minus grade - almost perfect
These are the results I got when I entered A minus grade - almost perfect
These are the results I got when I entered  B grade - needs more work to be trustworthy.  Possibly still in process of applying the fix. Check back in a few hours.
These are the results I got when I entered B grade - needs more work to be trustworthy. Possibly still in process of applying the fix. Check back in a few hours.

LastPass Instructions

LastPass is another site to use. The screenshot below is only to show you what the landing page looks like. Do not try to enter information on the screenshot.

Click the link under the screen shot or copy and paste this link into your browser.

Do not click anything else on the site when you get there. It has a download to install a checker on your computer. It also has a Premium set of services that you have to pay for. Just use the Site checker.

You don't need it. Using the free section of their website is good enough!

Use The Last Pass Checker (just check, don't download anything!)

Enter the URL in the box, click SEE IF THIS SITE IS VULNERABLE, and it will give you last update time. DO NOT CLICK ANYTHING ELSE. The site has a checker they charge for you to DOWNLOAD for monitoring. Just use the free part.
Enter the URL in the box, click SEE IF THIS SITE IS VULNERABLE, and it will give you last update time. DO NOT CLICK ANYTHING ELSE. The site has a checker they charge for you to DOWNLOAD for monitoring. Just use the free part. | Source

Notifying the public

Today is Thursday, April 10, 2014 and we are still talking about more than half the affected sites who have not hurried to install the fix.

The damage caused by the HEARTBLEED bug is unknown at this point. The irony is this encryption program has been in use for over two years on millions of websites to safeguard private information, the security hole has been there that long, but the bug has just been discovered on Monday, April 8, 2014.

It is possible that the vulnerability has not yet been detected by hackers, because there have been no reports of a hack or major breach reported by credit card companies or bank, but that doesn't mean there might not be one in the offing.

Any website or server who encrypts data would do well to err on the side of caution and install the patch to heal the vulnerability. (Hint to any web administrator reading this!)

Now that the word is out that the bug has been discovered, it won't be long before hackers practice their trade to see if they can be successful in cracking the bug and/or the patch fixes to send in a virus to attack the bug.

One never knows the repercussions of alerting the public to incidents like HEARTBLEED bug, when it could leave the door open for hackers to take advantage of the same public service announcement and try their hand at making a bad situation even worse by actually doing the dirty deed of stealing the information, thus bringing about the worse fears when the bug was announced in the first place.

If it was a possibility of stealing information on Monday, by now hackers have found a way to make it a reality.

The privacy notices on websites will now have to be revamped and retooled to assure users that their information is safe. It is times like these that we have to wonder.

All you know is that they are assuring you that your safety is their highest priority and that your information is safe with them.

Trust me, it is never going to be 100% safe.

Even with the padlock closed and HTTPS showing on the browser, the HEARTBLEED bug makes it possible for hackers and snoopers to still decipher the encrypted information without the website owners even knowing they were there, if they stole anything or if they are just monitoring the site, using a keystroke logger or employing any number of other ways to snag and store the information on each website.

This is a very slick bug because it is a one way street. The bug can see in, but we can't see the bug or what it is doing until after the fact.

The HEARTBLEED bug leaves no traces of anything abnormal happening to the logs on websites or servers.

It is so very important for each website to install the patch so they are not vulnerable and so they can assure their users that they have their best interests at heart in protecting their private information by upgrading and installing patches, fixes, or install new software to replace questionable software.

This is a good opportunity for affected sites to upgrade security strength of the secret keys they use to safeguard information.

This is a dedicated site where you can read more about AND test your site for safey The HEARTBLEED bug.

How do I know if the HEARTBLEED bug got my information?

If you do any business online, use any website that stores your information, your passwords, your email address, your location and security questions, you are affected! You need to monitor your credit cards and banks for unusual activity.

AFTER all the websites apply the patch to fix their vulnerability, that is when you should change your passwords on each account.

Doing so before then is a waste of time. It will also mean you are giving the bug all your new passwords that you think will safeguard you for the interim until the fix is done. But then you'll just have to do it over again afterward so you have fresh new passwords.

Why is HEARTBLEED not considered a big deal?

To reiterate, The HEARTBLEED bug a bug that breaks down the security of the web encryption program OpenSSL which protects your private information, passwords, email, instant message, bank and credit card information - any information you believe is safeguarded on a site that uses HTTPS (padlock) and promises to store your information.

It is a big deal because if someone steals your personal information, the repercussions can be long reaching into the future, doing irreparable harm to your credit, credit rating, your ability to navigate in this world with your identity which can possibly belong to someone else when they hacked your private information.

Wondering when you should act?

There is no need to wonder.

As soon as you see by the Qualys SSL test (link above) or you get a notice that the websites on the list put in the patch, then it is time to change your passwords on every account you have. Until the patch is in, the website is still not secured.

It is a waste of time to change your passwords now because you will only have to do it again once the website is secure again.

You can also check by clicking this link to monitor CNET's website for updates.

A site to watch for updates

This list is live and going to be constantly updated as sites pass their Qualys SSL Server Test and patch their vulnerable spots. CNET, a major player in determining safe downloads and a dedicated site for up to date news, will maintain the list.

Check in every few hours if any of the sites on the list are your normal hangouts and you will see if their site has done their due diligence to address this awful bug. In the far right column you will see the confirmation from the site and their recommendation.

This is an awful bug, so please keep the site bookmarked, or come back to this hub and it will be updated as CNET is updated.

So if I just wait for sites to fix it, I'm safe, right?

It depends on the website and the website administrators to put the patch in place. Even though the fixed version of OpenSSL is available, they are not ordered or compelled to install the fix.

For example, Yahoo has over 800 million users around the world, but they also control some of the most popular services on the internet that users depend on every day. While they have fixed the top high traffic sites, they still have a long way to go to address all their other website properties, products and services.

See above screenshots for Qualys SSL labs checkup screen.

What you can do to protect yourself, and when to do it

The only way to protect yourself is to change your passwords AFTER the sites apply the patch and to STOP saving your information to servers who promise to safeguard your information.

No matter how easy it is for you to click "REMEMBER ME" or "REMEMBER MY INFORMATION" you do not know who has access to that knowledge - either now or when a breach occurs.

The best thing you can do is what I have been advocating in all the hubs I have written so far about computer technology and that is:

Invest in a little dollar store copybook/notebook and use one page per website to write down your password, your security questions and your sign on information. Put it in a safe place and do not share it with anyone except your immediate survivors so they will be able to access your bank and important information if you should die.

Your Opinion Counts

Was any of this information helpful to you?

See results

Don't Copy, Just Spread The Word By Linking. TYVM

© Rachael O'Halloran. April 10, 2014.

No part of this article may be reproduced without prior permission from the author. Use the following link to refer to this article. Do Not Copy. TYVM

© 2014 Rachael O'Halloran


This website uses cookies

As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

Show Details
HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
LoginThis is necessary to sign in to the HubPages Service.
Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
AkismetThis is used to detect comment spam. (Privacy Policy)
HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
MavenThis supports the Maven widget and search functionality. (Privacy Policy)
Google AdSenseThis is an ad network. (Privacy Policy)
Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
Index ExchangeThis is an ad network. (Privacy Policy)
SovrnThis is an ad network. (Privacy Policy)
Facebook AdsThis is an ad network. (Privacy Policy)
Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
AppNexusThis is an ad network. (Privacy Policy)
OpenxThis is an ad network. (Privacy Policy)
Rubicon ProjectThis is an ad network. (Privacy Policy)
TripleLiftThis is an ad network. (Privacy Policy)
Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
ClickscoThis is a data management platform studying reader behavior (Privacy Policy)