The Heartbleed bug dilemma: Disclosing a web problem also means alerting hackers

The Heartbleed software bug is not only one of the most serious online security breaches in recent memory, it has demonstrated how difficult it is for websites to tell their customers whether they’re at risk or not.

'Some sites have handled it better than others'

Heartbleed is a bug in the code used for making communications secure on more than two-thirds of active websites on the internet, as well as email and chat servers and virtual private networks.

The Heartbleed revelation "happened very rapidly, and it happened on such a big scale, that some sites have handled it better than others," says Eric Skinner, vice-president of market strategy for the Tokyo-based internet security firm Trend Micro.

"This is a classic problem with computer security vulnerabilities, which is: When do you disclose? How do you disclose?" he says. "Because when you disclose, you’re obviously giving people an opportunity to fix the problem, but you’re also providing hackers with an opportunity to exploit the problem."

The Heartbleed bug was revealed on April 7 by Google and Finnish security firm Codenomicon, and affects OpenSSL, a software program used to encrypt Internet communications. It has been estimated that two-thirds of web servers were vulnerable.

In a blog post about the significance of the bug, noted cryptography expert Bruce Schneier wrote: "On the scale of 1 to 10, this is an 11."

Security researchers say the flaw lets hackers access small bits of information at a time, which could lead them to personal and financial information stored on a website and let them steal it without leaving a trace. The Heartbleed breach is particularly risky for sites that handle e-commerce or personal information, including passwords.

While the Canadian Bankers Association released a statement saying Heartbleed did not affect Canadian banking sites, the website of the Canada Revenue Agency (CRA) was compromised. CRA has announced that it may not accept online tax filings until the weekend.

In the wake of the Heartbleed discovery, there has been confusion among consumers about what they should be doing, including whether they should be altering their passwords.

A lot of the confusion arises from the fact that not all sites have been equally transparent about the breach, says Skinner.

When to disclose?

Stu Sjouwerman, president and founder of a U.S. anti-virus firm, believes many smaller website operators don’t even have the security apparatus to fully assess the problem.

"Most small businesses have no idea what this is all about," Sjouwerman says. They’re largely in the dark about the more technical aspects of the internet, and as a result "most of them have said nothing" to their customers.

The Heartbleed bug exploits a vulnerability in a version of the OpenSSL security software code that is installed on two-thirds of the active servers connected to the internet. (Sean Gallup/Getty)

As for higher-traffic sites, the response has varied. According to one compiled list, Amazon said it wasn’t affected by the breach, while AOL said it was not running that version of the OpenSSL software. It took Apple almost three days before issuing a statement Thursday that none of its mobile, desktop or web services would be affected by the Heartbleed bug.

Part of the problem in determining what might be affected is that Heartbleed enables a hacker to sneak in and access data without leaving a trail. So it’s hard to figure out whether a site has been compromised, says David Fewer, director of the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.

"The nature of the vulnerability here is you don’t know if there’s a breach or not," he says. 

Fewer says some larger sites, such as Facebook and cloud services provider Akamai Technologies, were at an advantage because they received advance notice about Heartbleed from the OpenSSL Foundation — the group that developed the open-source version of SSL — before the problem was made public.

Google, for example, made its statement after patching its vulnerabilities. In a statement released Apr. 9, Google said, “We fixed this bug early and Google users do not need to change their passwords.”

Sjouwerman says that every company has its own policy when it comes to disclosing data breaches. "There is no internet etiquette related to these types of incidents."

The Canadian government, however, is in the process of introducing a bill that would levy heavy fines on companies that do not report data breaches. 

Breach protocol loosely defined

Fewer says that the way the “breach protocol” usually works is that the security researcher who found the vulnerability notifies the affected company so it has an opportunity to find a safeguard before telling its customers.

"So you don’t just come [to your customers] with a problem, you come with a solution," he says. "And also, so you don’t tip your hand to the bad guys."

The problem with Heartbleed, however, was that it was a widespread vulnerability, and Fewer says getting all of the affected sites to work in concert is near impossible.

"You can’t realistically coordinate all these vendors and sites to update their software before the disclosure," he says. In this instance, broad disclosure was appropriate, "but that does unfortunately create a window of vulnerability. But it’s the only way to get all the sites to do something about it."

David Lewis, a global security advocate for Akamai Technologies, believes that being up front with consumers is always the best policy.

It’s "in the best interest of that company to get ahead of the spin and talk to their customers and say, ‘This is what happened, this is how we’re fixing it, and this is why it won’t be a problem next time’ – or why there won’t be a next time," he says.

"It just fosters a good relationship with the customer base."