There is plenty of panic to go around surrounding the announcement of a major security flaw in OpenSSL, the open-sourced version of the security connection used by most web servers to encrypt information between users, sites, and companies. Here's some basic info on "Heartbleed," and what you need to know:
1. What the heck is SSL? And should I worry whenever that lock appears in my browser? Or when I see ‘https://’?
SSL stands for “Secure Sockets Layer.” It refers to the connection between your computer and the company hosting whatever website you are currently browsing. Take a banking website, for example. Ideally, you’d want that connection to be secure against hackers being able to see the information being transmitted back and forth -- in this case, sensitive information like your social security number or your credit card numbers. Companies that have an SSL connection will encrypt any information transferred between your computer and the company.
That’s why you see the lock in the upper left-hand corner of your browser. Companies with an SSL connection have paid for an SSL Certificate, and notify their users via the lock icon. Additionally, the “s” in “https://” is another signifier of an SSL connection, and stands for “secure.”
In theory, this is how it should work: encryption of information on an SSL connection should guard against anyone gaining access and decrypting that information. Except when it doesn’t. As security experts discovered, a flaw in the open-sourced version of SSL has been a vulnerability for about two years, and could allow a hacker to get access to private information as well as the key to decryption. It’s especially problematic when considering that about 2/3 of web servers use OpenSSL. Cue terrifying nickname: the “Heartbleed” bug.
2. I’ve heard I shouldn’t change my passwords yet. Why not?
In simple terms, if a site is compromised, changing your password won’t do much until the company that runs the site installs a patch. A better strategy is to wait until sites have a chance to fix their “Heartbleed” woes, and then change your password. Otherwise you might simply be giving a hacker your new password.
3. Which sites are affected by “Heartbleed”?
UPDATE: While changing your password on a website that isn't yet secure could be dangerous, many companies are now saying they have patched or updated OpenSSL flaws in their system and that users should update login information. Mashable has a good running list of sites and their status.
The developed part of Europe is perking up, but the other part of the continent is anything but steady these days, the International Monetary Fund and World Bank say.
More and more women are deciding to have double mastectomies when they are diagnosed with breast cancer. TV host Samantha Harris is just the latest. But it's not the right choice for everyone.
From the Marketplace Datebook, here's what's coming up April 10:
- In Washington, a look at the nation's balance sheet. The Treasury Department issues its monthly statement for March.
- Drone delivery is just one of the topics at the fourth annual PostalVision 2020 Conference getting underway in the nation's capital.
- Golfers tee off in Augusta, Georgia during the first round of the Masters Tournament.
- F. Scott Fitzgerald's novel "The Great Gatsby" was first published on April 10th, 1925.
- And think eloquent thoughts. April is National Poetry Month.
Before a Senate hearing on Comcast’s proposed merger with Time Warner Cable, the company dropped a lengthy memo to the Federal Communications Commission, summed up in a blog post. In part, it argued that the merger would be good for competition in broadband, since Comcast’s rivals -- including telecoms like Verizon and AT&T -- are so big.
Which is a different question from whether they offer broadband services that actually compete with Comcast. Andy Hargreaves, a Pacific Crest Securities analyst who looks at both TV and tech, thinks Comcast already dominates, with other companies unable to consistently offer similar speeds.
He estimates that the merged company would have the best-quality service in about 70 percent of the U.S. market. He thinks that’s a problem -- it gives the company power to keep jacking up prices. “They are exceptionally good at raising rates,” he says.
However, he doubts these questions will sink the deal. Merging the companies, he says, doesn’t actually make it much harder for a real competitor to emerge.
“It’s already near impossible,” he says. “So raising the bar from really, really, really, really, really, high to really, really, really, really, really, really, REALLY high is not that big a deal.”
David Balto, an anti-trust lawyer and a former Federal Trade Commission official, thinks the merger will likely be approved. Comcast and Time Warner haven't been competing with each other before the merger in existing markets, so consumers aren’t losing choices.
“You may not like the competitive environment,” he says, “but there are scores of mergers that the FTC and the Justice Department have approved because they could not find a loss of competition.”
Goldman Sachs executives have reportedly been toying with the idea of shutting down their dark pool, known as Sigma X.
"Dark pools" are to stock exchanges what private pools are to the Y. They are places for people to trade stocks in private, and many banks have them.
Privacy and Savings
There are benefits to having a dark pool, to be sure. Customers can trade more cheaply as they don’t pay exchange fees like they would on, say, the NYSE. For institutional investors, privacy can be critically important as well. For example, an institutional investor making a supersized buy order in the open would be noticed by sellers, who would raise the price before the order was even complete.
“Essentially, large institutional investors like this as a way of minimizing price impact and reducing trading costs,” says Craig Pirrong at the University of Houston.
Suspicion and Negative PR
However, there is also a great deal of suspicion over dark pools at the moment, as the flipside of privacy is decreased transparency. “There’s a considerable deal of regulatory uncertainty and legal uncertainty,” Pirrong says.
“Almost all dark pools work by taking prices from exchanges and filling orders based on those exchanges,” explains Larry Harris of the USC Marshall School of Business. So is it fair that a dark pool can use exchange prices, but not contribute to formation of those prices? Harris says: “And even worse, as the orders are taken away from those exchanges, the quality of the prices depreciates.”
Customers may see a conflict of interest as well.
“It might be better if people weren’t worried that I was only going to my dark pool because it was my dark pool,” says Joe Gawronsky, president of Rosenblatt Securities. It’s a bit of a PR problem.
A Liability Issue
Running a private stock exchange is no small feat. When participants’ expectations aren’t aligned with reality, or when prices in the pool become disconnected from prices on exchanges, it can be a serious liability for the entity running the pool.
“Particularly when there’s a fast moving, volatile market and the timeliness of the prices may be, for whatever reason, not appropriately reflective of the prices that were prevailing at the time,” says Andrew Karolyi, professor of finance at the Johnson School of Management at Cornell. This happened to Goldman in 2011, and the bank sent checks to cover traders who lost out as a result.
Gawronsky says firms like Goldman have alternatives. “There are other methods to get price improvement and hide your order other than using your own dark pool,” he says.
There are other entities’ dark pools, of course. There’s also IEX, an alternative trading platform designed to address what its founders argue are flaws in the structure of the U.S. equity market. Goldman has supported IEX precisely because of its commitment to transparency and its market-moderating effect.
Finally, for those concerned with anonymity, Gawronsky points out that Goldman and other large banks offer algorithmic trading. These are computer-based trading mechanisms that can be used to disguise movements -- breaking up a large trade into smaller trades throughout the day, for example.
When all is said and done: “I’m not sure it will materially affect Goldman’s revenues,” Gawronsky says. “You could argue they don’t have that much to lose, and what do they gain? Potentially a PR win and something that customers may applaud.”
As companies scramble to patch a bug that exposed much of the Internet for two years, you can protect yourself by practicing some good Web hygiene.