Demystifying Heartbleed

You have probably seen and heard a lot about the 'Heartbleed' bug on the Internet, television, radio and social media recently, but if you're a bit confused about what it really means for you as an individual, don't worry: I am going to attempt to demystify this particularly nasty bug in this blog.

The impact of the 'Heartbleed' vulnerability is potentially very far-reaching. OpenSSL is widely used to secure Internet-based communications, including web, e-mail, instant messaging and Virtual Private Networks (VPN). If exploited, this vulnerability allows an attacker to read the memory of vulnerable systems and so obtain sensitive information, including, but not limited to, usernames and passwords.

The onus is on providers of online services, network appliances and products that make use of the OpenSSL library to ensure that they have applied the fix, thereby ensuring secure communications - but what can you do if you're a consumer?

First of all, although it sounds a bit bizarre, people shouldn't simply change their passwords automatically. This should only be done once you know that an online provider has patched the OpenSSL library and regenerated their digital certificates. If you change your password before they do this, then your new password could be compromised too. With this in mind, you should first check that providers of the sites you use (online stores, social networks, etc.) have applied the fix. If they have, change your password; if they haven't, wait until you know that they have.

You can start ensuring the security of your information by following the steps below:

  1. Check to see if the site was initially vulnerable by looking through this list of sites https://github.com/musalbas/heartbleed-masstest/blob/94cd9b6426311f0d20539e696496ed3d7bdd2a94/top1000.txt. Alternatively, you could contact the provider to ask them.
  2. If the site you're checking is listed, use this tool to check if they're still vulnerable: http://filippo.io/Heartbleed/.
  3. Also make sure the site is using a new security certificate - one issued on 8 April or later. You can find an explanation of how to do this here http://blog.kaspersky.com/heartbleed-howto/. Since 'Heartbleed' potentially leaked the private key behind the site's digital certificate, using a new security certificate is the only way to fully trust that a secure connection cannot be decrypted by any unintended party, even after OpenSSL has been patched.
  4. If the site was vulnerable but has now been fixed, change the password you use to access the site. This should be done after the site has been fixed - otherwise your new password can be compromised too. If you have been using the same password on other sites (which is never a good idea!), make sure you also change your password on those sites.
  5. If a site is still vulnerable, make sure you use any two-factor authentication service it provides (e.g. a token that generates a one-time password, or a mobile number that receives a one-time code) but only if you really need to access the site. Keep in mind that your password could still potentially be exposed; the two-factor authentication service simply makes the password useless on its own, as the authentication procedure requires a second piece of information that is, in theory, available to nobody but yourself.
  6. If making a one-off purchase on a site where you do not have an account (e.g. buying theme park tickets, concert tickets etc.), this should be fine, as the site will not have your details on file - just be sure to check that the site is not vulnerable by following the above steps, and of course make sure it is a secure site by checking for the 's' in the address: https.
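Step 3 above can be automated. The following is an added example written for this post (it is not code from the original post or from any of the tools linked above): it uses only Python's standard library to read a server certificate's "valid from" date and report whether the certificate was issued on or after the 8 April 2014 cut-off. The certificate dicts near the top are constructed samples in the shape `ssl.SSLSocket.getpeercert()` returns, not real certificates; the hostname `shop.example` is a placeholder, and the optional live check at the bottom needs network access.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Heartbleed was disclosed on 7 April 2014; the post advises trusting only
# certificates issued on 8 April 2014 or later, so that is the cut-off here.
HEARTBLEED_CUTOFF = datetime(2014, 4, 8, tzinfo=timezone.utc)

# Constructed sample certificate dicts (not real certificates) in the shape
# returned by ssl.SSLSocket.getpeercert(); 'shop.example' is a placeholder name.
OLD_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "notBefore": "Jan 15 00:00:00 2013 GMT",   # issued before the bug was public
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "notBefore": "Apr 10 08:30:00 2014 GMT",   # re-issued after the patch
    "notAfter": "Apr 10 08:30:00 2016 GMT",
}


def cert_not_before(cert):
    """Return the certificate's notBefore ('valid from') field as an aware UTC datetime.

    ssl.cert_time_to_seconds parses the textual form OpenSSL uses
    ('Apr 10 08:30:00 2014 GMT') into seconds since the epoch, in UTC.
    """
    if "notBefore" not in cert:
        # getpeercert() returns {} when the peer certificate was not validated.
        raise ValueError("certificate has no notBefore field (was it validated?)")
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def issued_after_heartbleed(cert, cutoff=HEARTBLEED_CUTOFF):
    """True if the certificate was issued on or after the cut-off date."""
    return cert_not_before(cert) >= cutoff


def assess(cert, hostname="shop.example"):
    """Return a one-line verdict for the step-3 check on the given certificate."""
    issued = cert_not_before(cert).strftime("%Y-%m-%d")
    if issued_after_heartbleed(cert):
        return f"{hostname}: certificate issued {issued}, after the cut-off; a new password will not be exposed via the old key"
    return f"{hostname}: certificate issued {issued}, before the cut-off; wait for a re-issued certificate before changing your password"


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch the leaf certificate a live server presents (requires network access).

    create_default_context() verifies the chain and hostname, so the returned
    dict is populated (an unverified connection would return an empty dict).
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(assess(OLD_CERT))
    print(assess(NEW_CERT))
    # Optional live check: python check_cert.py <hostname>
    if len(sys.argv) > 1:
        host = sys.argv[1]
        print(assess(fetch_peer_cert(host), hostname=host))
```

The check deliberately compares only the issue date: a certificate dated before the cut-off is not proof that the private key leaked, but it is the condition under which the post says you cannot yet fully trust the connection, so the verdict tells the reader to wait rather than change their password.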

As a start, you can look at changing your password on all of these sites: Facebook, Instagram, Pinterest, Tumblr, Yahoo, AWS, Box, Dropbox, GitHub, IFTTT, Minecraft, OKCupid, SoundCloud, Wunderlist. Remember to use a unique password for each site - see my previous blog on how to create a secure password here.