Heartbleed is such a serious leak that it has its own branding. Illustration: Codenomicon.

The “Heartbleed” bug gives hackers access to all of your confidential info - how?

Web engineers are currently in panic mode as they try to repair the damage of a bug that has gone unnoticed for more than two years.

There has been a major security bug discovered in one of the most popular mechanisms for keeping information confidential on the internet. The security company which discovered it, Codenomicon, is calling it “Heartbleed”, as it threatens such a vital, central part of how many websites work. It can give hackers access to all kinds of sensitive, confidential information - passwords, usernames, birth dates, anything - without leaving any trace of an attack.

To explain how it works, let's first lay out how websites and browsers exchange private information. When you're reading the New Statesman website, for example, you've sent a request to the server the website's on, and it, in turn, has fired back the digital bits that reconstruct themselves into the website on your screen. So far, so simple. But if you're on a website where you're logged in - everything from social media like Facebook to being logged into your Google account while searching for something online - there's an added layer of privacy required to make sure that nothing can listen in on the chatter between your computer and the server.

That layer can take the form of certificates, verified with cryptographic keys (just like the way that emails are encrypted, for example). You log in, the site verifies your login, and gives you a certificate that you then send along with your requests for each page you load so it knows that you are you. That's why you only have to log in once per session. Each interaction between your computer and the server involves a swap of encrypted certificates, verifying that the data's going to and from the same two end points every time. It's a great way to stop hackers from sniffing web traffic and hearing what's being transmitted, as they won't have the correct keys to decrypt it.

The SSL and TLS protocols are the standard for encrypting and decrypting connections, with the open-source OpenSSL being the most popular implementation of them. What Codenomicon found was that - undiscovered since 2011 - there's been a major flaw in OpenSSL's library that effectively destroys its efficacy, and (as far as anyone can tell) nobody noticed until now. Since OpenSSL is in use on roughly two-thirds of all sites, including major services like Yahoo, Tumblr, Twitter and Dropbox, a flaw this big affects millions upon millions of users.

What the Heartbleed bug does is let anyone ping a server and make it throw up information from its memory, in 64KB chunks. The data that leaks is completely random - it could be anything from among the server's memory at that moment - and 64KB isn't much, but there's no encryption on it, and the request can be repeated as many times as the attacker likes. Passwords, usernames, security keys used to encrypt databases, anything at all, drip by drip by drip, it can all bleed away.
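The mechanism behind that "ping" is the TLS heartbeat extension: the client sends a small message that declares how long its payload is, and the server echoes the payload back. The flaw was that the server trusted the declared length instead of checking it against the size of the message it had actually received. The following C fragment is an added illustration, not code from the article or from OpenSSL itself: it models a heartbeat request in its real wire layout and applies the bounds check in the form the OpenSSL fix took, so that a request claiming a larger payload than it carries is rejected instead of being answered with whatever sits in memory after it. The two sample records at the bottom are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified TLS heartbeat message layout (RFC 6520):
 *   [0]    HeartbeatMessageType (1 = request, 2 = response)
 *   [1..2] payload_length, big-endian
 *   [3..]  payload, followed by at least 16 bytes of random padding
 */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Check a received heartbeat request before acting on it.
 * record_len is the number of bytes that really arrived; on success the
 * declared payload length is written to *payload_len_out and 1 is returned.
 * This is the check the vulnerable OpenSSL releases omitted: they copied
 * "declared" bytes starting at the payload, regardless of record_len. */
int heartbeat_request_is_valid(const uint8_t *record, size_t record_len,
                               size_t *payload_len_out)
{
    if (record == NULL || record_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                               /* too short to be a request */
    if (record[0] != HB_REQUEST)
        return 0;
    size_t declared = ((size_t)record[1] << 8) | record[2];
    /* header + declared payload + minimum padding must fit in what we got */
    if (HB_HEADER_LEN + declared + HB_MIN_PADDING > record_len)
        return 0;
    *payload_len_out = declared;
    return 1;
}

/* Build the response for a validated request: echo exactly the declared
 * payload, which the check above guarantees lies inside the received record.
 * Returns the response length, or 0 if the request is rejected or `out`
 * is too small. Padding is zeroed here for determinism; a real
 * implementation fills it with random bytes. */
size_t build_heartbeat_response(const uint8_t *record, size_t record_len,
                                uint8_t *out, size_t out_cap)
{
    size_t plen;
    if (!heartbeat_request_is_valid(record, record_len, &plen))
        return 0;
    size_t resp_len = HB_HEADER_LEN + plen + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + HB_HEADER_LEN, record + HB_HEADER_LEN, plen);
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);
    return resp_len;
}

/* Constructed sample records (not captured traffic): both carry a 4-byte
 * payload "ping" plus 16 bytes of padding, 23 bytes in total. The first
 * declares the true length; the second claims a 65535-byte payload. */
static const uint8_t benign_record[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
static const uint8_t oversized_record[] = {
    0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    uint8_t out[64];
    size_t n = build_heartbeat_response(benign_record, sizeof benign_record,
                                        out, sizeof out);
    printf("benign request: response of %zu bytes\n", n);
    n = build_heartbeat_response(oversized_record, sizeof oversized_record,
                                 out, sizeof out);
    printf("oversized request: %s\n", n == 0 ? "rejected" : "answered");
    return 0;
}
```

The important line is the comparison of `HB_HEADER_LEN + declared + HB_MIN_PADDING` against `record_len`: without it, a 23-byte request declaring a 65535-byte payload would make the handler copy about 64KB from beyond the end of the received message, which is exactly the leak the article describes.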

Even if OpenSSL is patched for a website, there are all kinds of knock-on consequences that might be an issue down the road - for example, it's probably not worth changing your password out of fear that it's been stolen if the website you're registered on hasn't done the patch yet. It could just be stolen again. Even worse, the security keys used to verify the certificates for each user could have leaked too, meaning the site's entire database could be compromised. We just don't know the scale of how bad things are yet. In the words of cryptography expert Bruce Schneier, it's a "catastrophic" bug. "On the scale of 1 to 10, this is an 11."

There are limited things that users can do right now. This site lets you check if OpenSSL has been patched on a site you're trying to visit, so before changing any passwords it's worth testing that, but it's going to be a few days before most site managers get a grip on the problem. As Steve Lohr writes in the New York Times: "Wait a day or so. Then change the passwords on the web services you use. That is probably the best advice..."

Ian Steadman is a staff science and technology writer at the New Statesman. He is on Twitter as @iansteadman.
