Heartbleed is a big topic in the news lately — both the tech news and the mainstream news. What’s all the fuss about? So, there’s a bug in some code somewhere, how does that affect me?
Let’s take a look at the feature in one widely used piece of SSL code that has turned into a security headache for possibly millions of people around the world. Then we’ll explore what it could mean for you and what you can do to protect yourself.
It All Stems from the Heartbeat Code in OpenSSL
SSL stands for Secure Sockets Layer. Basically, it’s the main building block of all secure Internet traffic. It puts the “s” in “https”, which stands for HyperText Transfer Protocol (Secure). HTTP is the basic protocol that drives the Web. When SSL is invoked, a secure connection is established between the client (you) and the server using an SSL library, which these days is most often OpenSSL. OpenSSL runs on the vast majority of Internet/Web servers.
Heartbeat is a feature built into OpenSSL’s implementation of SSL. It lets a client send a certain type of request to a server so that the connection stays open. The Heartbleed vulnerability lets whoever sends that request then read traffic on the server: not just traffic they initiated, but traffic that anyone initiated. More precisely, it lets them read bits and pieces of the server’s active memory, including data that is being read into and out of that memory at the time. If you want to read all the technical gobbledygook, you can do so at the Cisco site and the Dark Reading Daily site.
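The missing check behind the bug, as an added illustration that is not part of the original post and is not OpenSSL’s actual source: a stripped-down heartbeat handler that trusts the length field inside the message, beside the same handler with the bounds check, both run against a constructed request and a constructed secret planted in a stand-in memory buffer.

```c
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat record: type(1) | length(2, big-endian) | payload | 16 bytes padding.
 * Constructed stand-in for the OpenSSL logic, not the project's code. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Vulnerable pattern: trusts the length field inside the message and never
 * compares it with how many bytes actually arrived (rec_len is ignored). */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    (void)rec_len;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);             /* reads past the real payload */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed pattern: the claimed length must fit inside the record received;
 * otherwise the request is dropped and no response is sent. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Stand-in for process memory: the request, then unrelated data that must never be echoed. */
static unsigned char memory[64];

/* Returns 1 if the vulnerable handler echoes the planted (constructed) secret
 * that sits right after the request while the fixed handler refuses the request. */
int heartbleed_demo(void) {
    static const char secret[] = "SESSION-COOKIE=abc123";
    unsigned char out[128];
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST; memory[1] = 0; memory[2] = 40;   /* claims 40 payload bytes */
    memcpy(memory + 3, "hi", 2);                              /* but carries only 2 */
    size_t rec_len = 3 + 2 + HB_PADDING;                      /* bytes actually received */
    memcpy(memory + rec_len, secret, sizeof secret);
    size_t n = heartbeat_vulnerable(memory, rec_len, out);
    /* out+3 mirrors rec+3, so memory[rec_len] lands at out[rec_len] */
    int leaked = n >= rec_len + sizeof secret && memcmp(out + rec_len, secret, sizeof secret - 1) == 0;
    int refused = heartbeat_fixed(memory, rec_len, out) == 0;
    return leaked && refused;
}
```

The same request is a harmless two-byte echo once the length in the message is checked against the length actually received, which is all the real fix added.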
What Does This Mean for You?
The bluntly honest answer is that, apart from the security precautions we’ll discuss later, the impact can range from absolutely nothing to personal financial catastrophe. It all depends on which of the sites you use were vulnerable and which of those were actually attacked. And unlike most other software security flaws, there are few tools for determining whether and when a breach occurred or what, if anything, was taken; unless and until something happens as a result, you may never know.
If a site you use ran OpenSSL with its default configuration, it was vulnerable to the Heartbleed attack. If that vulnerability was exploited while you were processing transactions (tech parlance for “doing things”) on the server, there is a good chance that your name and password and/or other identifying information could have been exposed. For examples of sites that use OpenSSL, look at the Yahoo! and Microsoft empires. The list also includes commercial sites and banking sites. If a website has security of any sort, it all starts with SSL. Imagine a bank vault with a screen door built into the main security door.
How Do You Protect Yourself from Heartbleed?
Some out there might tell you that all you need to do to protect yourself from the Heartbleed vulnerability is to change your passwords and that’s it. Well, that’s not it. That barely scratches the surface. Here’s my suggested “to do list”:
- If I share personal information with a site, and especially financial information, I email them asking whether they have applied an available patch to their OpenSSL installation, such as Fixed OpenSSL.
- Find out whether they have updated their certificates with a reputable certificate authority such as CA.
- For the next few days, if possible, stay away from sites that hold information you don’t want reaching the wrong people.
- Change your passwords to strong ones, meaning ones that use upper- and lowercase letters, numbers, and symbols (*&%#). Use a different password for every site. I keep a password file in an encrypted folder to help me remember them all. Do this once you have verified the above.
- Check with the maker of your modem or router to see if they have put out an update to the firmware for your device.
- Use two-factor authentication whenever possible.
- Clear history, cache and cookies from your browser’s memory.
Amazon.com looks relatively safe to use.
There’s also a test site that lets you check whether a given site is vulnerable. The screenshot above is from that site. In it you can see the IP addresses registered to the domain that were checked, the associated domain names, and the letter grade assigned. As you can see, Amazon receives a “B” grade.
This is an issue we’re going to be hearing about for quite some time, mainly because there are currently thousands of devices affected by Heartbleed that are unsold or sitting in warehouses somewhere, not yet in use.