So here’s some sort-of good news: Cybercriminals might be just as freaked out about the Heartbleed bug as the rest of us. Trend Micro analyst J.D. Sherry writes that revelations about the gaping hole in the Open SSL, the security protocol used to encrypt web traffic, have caused “shell shock in the Deep Web as many of the hidden services within the TOR (The Onion Router) are impacted as well.”
Why is Heartbleed so potentially thorny for people who use Tor? Well consider what makes Tor so popular for criminals in the first place: It keeps your online activity anonymous by routing your traffic through several different servers before sending it through to your computer. However, the anonymity of your communications can become compromised if someone gets access to your user name and password for websites where you conduct illicit activities.
This is where Heartbleed comes in: One big danger with the bug is that it may allow hackers to steal the security certificates of Google, Facebook, Yahoo and other websites, which they can then use to create fake versions of those sites where unsuspecting users will hand over their user names and passwords. As Trend Micro notes, it wouldn’t be at all surprising to see law enforcement officials trying to take advantage of Heartbleed to try to steal the security certificates from some of the websites frequented by criminals online.
“You can rest assured that law enforcement will be scanning potential ecosystems that are potential anonymous criminal networks,” writes Sherry. “This will be an attempt to discern if they might be able shine a bright lens on communities thought to be untraceable but now equally vulnerable due to this pervasive bug in OpenSSL.”