Bill Buchanan: Bug should not shake confidence in internet

The risks of the Heartbleed bug are still relatively low. Picture: IAN RUTHERFORD

In all of our daily lives we are increasingly dependent on the internet, and we hope that the systems we are using are secure.

The good news is that in most cases the locks put in place are secure, and are open to constant review from experts around the world.

They include the Secure Sockets Layer (SSL), which protects secure websites, such as when we log into our bank account – you see the little padlock in the browser's address bar as you connect. These communications use a unique encryption key for every connection, and it is almost uncrackable.

The bad news: what we can’t guard against is bad programming practices within the implementation of these digital rules, and that is what’s happened with Heartbleed.

A major vulnerability was made public in the SSL software that powers encryption across about two-thirds of the internet. It is this vulnerability that has become known as the Heartbleed bug, and hackers have sought to test and exploit it before system administrators could apply new patches to secure their systems.

However, there is no need to panic.

Heartbleed is pretty unlikely to reveal your username and password to online fraudsters, but it will definitely release some people's, as we are now beginning to see with the stories about Mumsnet and Canada's tax agency reporting breaches. And there will undoubtedly be more.

The risks to individuals are, nonetheless, still relatively low, and you would have to be fairly unlucky for your password and personal data to be accessed. Moreover, if your providers are using a Microsoft-enabled site then you are entirely safe, as the Heartbleed issue is associated with encryption software built on a different operating system.

Companies in the United States are also obliged to alert their customers to any data breach, although in Europe there’s no such law at the moment. That said, your provider, whether a bank or Mumsnet, will typically tell you if there’s been a problem or not.

So you shouldn’t really change your password if you’re using a server that isn’t vulnerable, or if the system hasn’t been patched yet. We can be confident about our money being safe, too.

In Scotland, our considerable finance industry has been getting better and better at security, and is quite proactive in ensuring its systems are secure.

More generally, there is a worry that a company’s private encryption key – essentially the front door key to their online presence – could be leaked onto the internet, allowing criminals to find private information by pretending to be another business.

If this happened, we couldn’t trust that we’d be able to safely access a secure website, something that would affect many more of us.

What's certain is that Heartbleed is going to prove very costly for a lot of companies, who are having to search all of their servers to identify any instances of the flaw that hackers have exploited.

It has shown how shaky our software infrastructure can be if the programming goes wrong, and how important it is for organisations to test their software for potential weak points.

• Professor Bill Buchanan is from the School of Computing at Edinburgh Napier University