Bleeding hearts

This morning’s Observer column:

Were you a thriller writer seeking a name for an apocalyptic software security flaw that threatened the future of civilisation as we know it, then “Heartbleed” would be hard to beat. Last week saw the discovery of such a flaw, and Heartbleed was the name assigned to it.

Most security flaws are of interest only to specialists, but this one was different. Why? Because it’s been around for something like three years, during which time it could have exposed the passwords and credit card numbers that countless millions of people had provided to online stores and other services. Heartbleed would enable attackers to eavesdrop on online communications, steal data directly from services and users, and impersonate both services and users. It could have affected up to two-thirds of the world’s internet servers. And unlike some earlier such problems, the solution isn’t as simple as immediately changing one’s password. It was, said Bruce Schneier, a security expert not much given to hyperbole, a “catastrophic” flaw. “On the scale of one to 10,” he wrote, “this is an 11.”