For those who have never seen the term Heartbleed before, it is not the latest medical scare to follow SARS, Ebola and Bird-flu. In fact, its nothing medical at all. For those with an eye on the technology news, you may have seen all kinds of mis-reporting and scare stories.
So what is Heartbleed and what can you do to survive it?
First of all, the Heartbleed SSL vulnerability is a computer security crack – and NOT a virus.
Heartbleed is a vulnerability in web-servers running the authentication software OpenSSL. This is the non-proprietary version of Secure Sockets Layer, the open source implementation of SSL and TLS, the protocols used for secure connections – look for web addresses beginning https://, not http://.
Heartbleed is a hole in the protocol that allows crackers (note, not hackers) to circumvent the very SSL encryption that makes SSL sessions secure. This puts a lot of personal and financial information potentially at risk across email, social networking, shopping and gambling sites (to list a few).
Confirmed April 7th 2014, Heartbleed affected all versions of OpenSSL (all except 1.0.1g, if you must), but not any other SSL and TLS libraries. As an Internet-based vulnerability, Heartbleed potentially affects users of all operating systems across desktop and mobile.
Software patches were quickly released to close the loophole, but of course, these need to be applied to the web-servers running OpenSSL.
So what do you do about it?
- Don’t Panic. The media loves a good Internet scare story, so they ran wild with Heartbleed.
- Yes, it is potentially serious. Your personal data could be at risk.
- No, large-scale exploits have not occurred as have widely been reported.
- Yes, it is good idea to change your passwords on sites that authenticate with Open SSL
- How do you know which sites are affected?
- Look for a blog-post or site-admin’s notification concerning Heartbleed; this could be a user forum post, latest news, a technical support post.
- If you don’t find anything, contact the site admins and ask for their comment and action plan in respect of Heartbleed. Many sites don’t use the affected SSL libraries. Competent site administrators will already have applied the patches.
- Pro-active sites that have been affected by Heartbleed will send you an email to let you know that they have patched the vulnerability and recommend that you change your password.
- Do be aware of the Phishing Risk in which fake emails arrive with embedded links to a fake “change password” set-up by scammers to harvest your details.
- Only use the site’s native log-on and profile pages to reset passwords. Do not use embedded password reset links.
- Do not rush to change ALL your passwords immediately. Change passwords for those affected sites at risk, and any sites on which you have a common password. This common password shared across several sites we all know to be bad practice. Stop doing it.
- Change your passwords on a site-by-site basis when you know they have been patched and the vulnerability closed.
- By now, April 22, all the major social, banking and mailbox sites have been patched.
- For the remainder of smaller sites, there are search tools available which will tell you whether or not the site has been patched.
- For the Google Chrome browser, the Chromebleed Checker extension will do the same thing.
- If the sites you use are affected and have not yet patched the Heartbleed vulnerability, avoid logging in until you know it is safe so to do.
Be careful out there. AJS
Image credit: Bleeding Hearts: Street Art on Maybachufer – Artist Unknown from a page by David Yates