Thanks to bug, it's time for serious computer safeguards

Say you're sitting in a coffee shop, and pull out your laptop or tablet to check your Web mail or bank balance. Fleetingly, you may wonder just how secure these things are. But then you're reassured by a Web address that begins with "https" and displays a comforting icon: a padlock.

We learned last week that we were a little too comforted by those symbols of security - each a sign that a website uses a protocol known as SSL (or its successor, TLS), in which the first S stands for secure. For two years - ever since a German engineer updated a section of code on New Year's Eve 2011 - a widely used implementation, OpenSSL, has been anything but secure, thanks to a bug nicknamed Heartbleed.

Since Heartbleed was disclosed last week, the Internet has been flashing red with warnings calling it a "disaster" or a "catastrophe" - an 11 "on the scale of 1 to 10," as one expert put it. Matt Blaze, a leading cryptography researcher at the University of Pennsylvania, tweeted that Heartbleed was a rare bug because it "leaks data beyond what it's protecting" - worse, he said, than having no cryptography at all.

Heartbleed raises troubling questions more easily asked than answered, but worth considering. Still, your first focus should be on how to protect yourself from Heartbleed harm.

What happened?

Back at the coffee shop, if all goes well, your private communications - log-ins, passwords, e-mails, everything you hope to keep to yourself - travel a path largely mysterious to those not versed in Internet protocols. The main thing we rely on, though, is encryption of the connection between your device and the site's server, the kind OpenSSL is supposed to provide.

In essence, the characters you type are scrambled before they leave your device for the shop's WiFi router, travel in data packets across the net, and reach, say, Google's servers, where they are unscrambled with an encryption key. Encryption is what protects against "man-in-the-middle attacks," in which someone positioned between you and the server - a hacker, thief, or spy - intercepts your traffic and reads or alters it.

Heartbleed is named for a feature called Heartbeat, added to OpenSSL in December 2011. It was designed to keep the connection between you and Google alive while you sip your latte: one side periodically sends a small message, the "heartbeat," containing a few bytes of payload and a field stating how long that payload is, and the other side echoes the payload back.

The errant engineer's code omitted a crucial verification step: it never checked that the stated payload length matched the amount of data actually received. A ne'er-do-well can therefore send a heartbeat with a tiny payload that claims to be much longer, and the server obligingly replies with that many bytes from its memory - not just the characters you type, but whatever else happens to sit there, up to roughly 64 kilobytes per request, and the request can be repeated as often as the attacker likes.

If it's a Web commerce or financial site, that could include the account numbers, passwords, and session cookies of whoever is logged in at the time. It could also enable a hacker to steal a server's private encryption key - a crucial element of the whole process. With that key an attacker can impersonate the site and, unless the connection used a forward-secret key exchange, decrypt traffic recorded earlier; that is why an affected site must not only patch but also replace its key and certificate.
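To make the missing check concrete, here is an added example written for this page; it is neither the article's text nor OpenSSL's code. It models a heartbeat handler in C in the shape the pre-fix and post-fix logic took: the vulnerable version trusts the length field in the message, the hardened version compares it with the number of bytes that actually arrived. The simulated server memory, the record layout and the "secret" string are constructed for the demonstration, and the over-read is deliberately kept inside that simulated memory so the program itself is safe to run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of a TLS heartbeat message (RFC 6520):
 *   byte 0    : HeartbeatMessageType (1 = request, 2 = response)
 *   bytes 1-2 : payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Simulated server memory (constructed for this example). The received record is
 * copied to the front and unrelated data, a made-up "secret", happens to sit just
 * behind it, as it would on a busy heap. The over-read below stays inside this
 * array, so the demonstration never touches memory it does not own. */
static unsigned char heap[1024];
static const char *SECRET = "session=abc123;password=hunter2";

static void load_heap(const unsigned char *record, size_t record_len) {
    memset(heap, 0, sizeof heap);
    memcpy(heap, record, record_len);
    memcpy(heap + record_len, SECRET, strlen(SECRET));
}

/* Builds a heartbeat request whose length field may lie about the payload size. */
static size_t build_request(unsigned char *rec, const char *payload, uint16_t claimed_len) {
    size_t actual = strlen(payload);
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed_len >> 8);
    rec[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec + 3, payload, actual);
    memset(rec + 3 + actual, 0xAA, HB_PADDING);   /* padding; constant here for reproducibility */
    return 3 + actual + HB_PADDING;
}

/* Vulnerable handler: reads the 16-bit length from the message and copies that
 * many bytes back, never comparing the claim with record_len, the number of
 * bytes that actually arrived. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                unsigned char *resp, size_t *resp_len) {
    (void)record_len;                                 /* ignored: this is the bug */
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);                     /* reads past the end of the record */
    *resp_len = 3 + payload;
    return 0;
}

/* Hardened handler: the same logic plus the bounds check the fix introduced. A
 * request whose claimed payload (with header and padding) exceeds the bytes
 * received is silently discarded. */
static int heartbeat_hardened(const unsigned char *rec, size_t record_len,
                              unsigned char *resp, size_t *resp_len) {
    if (1 + 2 + HB_PADDING > record_len) return -1;   /* too short to be a heartbeat */
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return -1;  /* the missing check */
    if (type != HB_REQUEST) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);
    *resp_len = 3 + payload;
    return 0;
}

static int contains(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* A 2-byte payload that claims to be 200 bytes: returns 1 if the vulnerable
 * handler's reply carries the neighbouring secret, 0 otherwise. */
int vulnerable_leaks_secret(void) {
    unsigned char rec[64], resp[3 + sizeof heap];
    size_t rec_len = build_request(rec, "hi", 200), resp_len = 0;
    load_heap(rec, rec_len);
    if (heartbeat_vulnerable(heap, rec_len, resp, &resp_len) != 0) return 0;
    return contains(resp, resp_len, SECRET);
}

/* The same lying request against the hardened handler: returns 1 if rejected. */
int hardened_rejects_oversized(void) {
    unsigned char rec[64], resp[3 + sizeof heap];
    size_t rec_len = build_request(rec, "hi", 200), resp_len = 0;
    load_heap(rec, rec_len);
    return heartbeat_hardened(heap, rec_len, resp, &resp_len) == -1;
}

/* An honest request (claimed length equals real length) is still answered:
 * returns 1 if the reply echoes exactly the payload and nothing more. */
int hardened_answers_honest(void) {
    unsigned char rec[64], resp[3 + sizeof heap];
    size_t rec_len = build_request(rec, "hi", 2), resp_len = 0;
    load_heap(rec, rec_len);
    if (heartbeat_hardened(heap, rec_len, resp, &resp_len) != 0) return 0;
    return resp_len == 5 && memcmp(resp + 3, "hi", 2) == 0 && !contains(resp, resp_len, SECRET);
}

int main(void) {
    printf("vulnerable handler leaks secret:   %d\n", vulnerable_leaks_secret());
    printf("hardened handler rejects request:  %d\n", hardened_rejects_oversized());
    printf("hardened handler answers honest:   %d\n", hardened_answers_honest());
    return 0;
}
```

The two handlers differ only in the comparison against record_len. Notice that the check has to come before the copy and must account for the header and padding as well as the payload; a check on the payload length alone would still let a request one header short of the record read a few bytes past its end.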

Has that happened? So far, word of actual damage has been limited. But no one wants to admit this sort of breach, and exploiting the bug leaves no trace in ordinary server logs, so it may never be clear whether a given server was attacked.

What you should do

This may sound like advice you've heard before, and perhaps even ignored. If so, it's time to take it more seriously:

Limit your exposure. Until a website you rely on informs you that it has fixed a Heartbleed vulnerability, or assures you that it never had one because it didn't rely on the problem version of OpenSSL, consider every Web transaction a risky one.

Change, and mix up, your passwords - but only after a site has confirmed it has patched, since a new password sent to a still-vulnerable server can be stolen the same way. Try this trick for a hard-to-crack password: String together the first letters of a long sentence, and replace some with numerals and symbols.

Stay vigilant. Watch all your accounts, and your credit reports, for signs of anything wrong.

Why did this happen?

Human fallibility is, well, human. But there are some bigger lessons to consider.

One is the risk of over-relying on code written by poorly funded volunteers. A foundation that supports OpenSSL says it had a 2013 budget under $1 million.

Another is the risk of "monoculture," a lack of diversity in the tech ecosystem analogous to what once made Ireland vulnerable to the potato famine.

The sheer number of sites using OpenSSL should be enough to make us all bleed a bit - in our complacency if not our data.