BOSTON, April 9 Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" Internet threat that exposes data to hackers, at least not until vulnerable websites take steps to secure their communications.
The Heartbleed bug in widely used web encryption technology known as OpenSSL affects software on servers that host websites. That software is not used on personal computers or mobile devices, so even though the bug exposes passwords and other data entered on those devices to hackers, it must be fixed by website operators.
"There is nothing users can do to fix their computers. They have to rely on the administrators of the websites they use," said Mikko Hypponen, chief research officer with security software maker F-Secure of Helsinki.
The bug has potential to affect users of some of the world's biggest websites because OpenSSL is used on about two-thirds of all web servers and has gone unnoticed for about two years. It could lead to the theft of passwords, confidential communications, credit card numbers and other confidential data.
"On a scale of 1 to 11, it's about an 11," well-known cryptologist Bruce Schneier said of the severity of the bug, speaking on the sidelines of the Source Security conference where he spoke on surveillance and security issues. "It's easy to do, it's so damaging and it leaves no trace."
It is possible that hackers stole the keys that encrypt traffic as it travels between web servers and Internet users, though researchers have yet to any evidence that actually happened, said Schneier, chief technology officer of Co3 Systems Inc.
He called on Internet firms to revoke the certificates and keys used to encrypt Internet traffic with web browsers including Firefox, Microsoft Corp's Internet Explorer and Google Inc's Chrome.
Once they do that, they should upgrade to a new version of OpenSSL that is not vulnerable to the bug, create new certificates and keys, then advise their users to change passwords, which may have been stolen by hackers, Schneier said.
Yahoo Inc and Facebook Inc told Reuters on Tuesday that they use OpenSSL and have already taken steps to mitigate any impact to their users, though it was not immediately clear if they had followed all of the steps recommended by Schneier.
The finding of the Heartbleed vulnerability, by researchers with Google and Codenomicon, a small security firm, prompted the U.S. Department of Homeland Security to advise businesses on Tuesday to review servers to see if they were using vulnerable versions of OpenSSL.
Hypponen said computer users could immediately change passwords on accounts, but they would have to do so again if their operators notify them that they are vulnerable and once they have followed steps to clean up the mess.
"Take care of the passwords that are very important to you," he said. "Maybe change them now, maybe change them in a week. And if you are worried about your credit cards, check your credit card bills very closely." (Reporting by Jim Finkle; Editing by Leslie Adler)