Heartbleed OpenSSL Security Flaw Could Send Internet Ecommerce Back To The Beginning

It seems like yesterday that Google, Yahoo, Microsoft and others touted their move to OpenSSL to protect user information. Did you catch the news that Codenomicon engineers and researchers at Google discovered an Internet security flaw in OpenSSL, the open-source encryption technology used by an estimated two-thirds of Web servers, while testing its own products? The bug compromises the secret keys used to identify service providers and encrypt traffic such as user names and passwords.

Internet companies claimed the "s" in "https://" on their browser's address bar keeps information secure. Some now suggest the security feature, because of the bug, makes the data less secure than if they had not used OpenSSL. Social site Tumblr posted a blog about Heartbleed explaining that it means "the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit."

Etsy also posted a patch notice on its Web site, and provides a list of things its customers should do now that it has fixed the security holes. Some of the steps include starting a new session by signing out and changing passwords. The site also suggests enabling two-factor authentication. There is also a free tool that companies can use to test if their own site is at risk.

Amazon Web Services, Facebook, Yahoo, Google and Microsoft on Tuesday said they are working to fix the problem. Bruce Schneier, who has been writing on Internet security issues since 2004, estimates that 500 million Web sites are vulnerable. Codenomicon, which explains that the bug is the result of a coding error, put up a Q&A Web site on the bug to help companies understand the severity of the flaw. Maybe it will convince execs at online advertising agencies and search engine marketing companies they need security experts to protect client data, and stop telling me all the raw data they collect remains useless in its current state.

It's not just about fixing the flaws. It's more about earning and keeping the trust of consumers. If you really trust technology to keep your information one hundred percent secure, I have a bridge in Brooklyn I'd like to sell you.

"Broken Padlock" photo from Shutterstock.
