Heartbleed is a current hot topic on the internet and like most people, you may be wondering why you are getting such a scary named email from your favorite services providers. In this post I’m going to demystify this hot topic, talk about how it relates you and why you should pay close attention in the coming weeks.
What is Heartbleed?
Heartbleed is a severe security hole in internet security that affects the HTTP servers which host websites. In fact this is a bug in OpenSSL – a widely used open source software package used to manage security certification and encryption between servers and internet clients. The bad news is that this bug has affected even major sites like Google, Facebook, Twitter etc.
The Heartbleed bug is found in the implementation of the Transport Layer Security (TLS) protocol. Part of this protocol, which is known as ‘Heart beat extension’ is used to create a handshake between a client and a server as they initiate encrypted communication.
It is important to mention at this point that Heartbleed is not an architectural issue – it is something that happend due to some bad code being introduced in the OpenSSL verison 1.0.1. Heartbleed is now fixed in OpenSSL version 1.0.1g.
Potential risks of Heartbleed and how it can hurt you?
Heartbleed allows both protected data and memory leaks through servers. The biggest issue currently is that it’s hard to know or track what information has been stolen through the Heartbleed bug already. This is the main reason that you need to worry about Heartbleed – it can possibly have caused highly sensitive data to be leaked through from the server memory. What type of sensitive data?
- Digital security certificates that manage encryption.
- Authentication credentials like username, email and passwords.
- Protected contents – As the credentials are exposed your protected content is also exposed.
- Memory addresses – This is the least vulnerable issue that lasted for short time period. This can be fixed by restarting your server.
What can be affected by Heartbleed?
Heartbleed affects all HTTP servers that use OpenSSL. Meaning that it will affect web based email clients, other web protocols like FTP as well as devices that connect to servers such as computers, tablets and mobile phones.
How to protect against Heartbleed?
Website owners
If you are a site owner and use OpenSSL encryption then you need to check whether your server has a potential risk of Heartbleed. You can use this SSL testing tool to find out. Also, as I mentioned above, if you have an OpenSSL version between 1.0.1 – 1.0.1f, you need to update to at least version 1.0.1g or preferably to the lastest version as soon as you can to prevent future data leaks.
Web consumers
If you are a web consumer you may think that you don’t have to worry about Heartbleed. Wrong. As I mentioned above, your information maybe have leaked via major sites like Facebook, Twitter, your financial institutions, your domain registrars, hosting providers etc.
I can feel your tension building…but don’t panic, all companies are working hard to address this issue in their servers. All you will need to do is to keep an eye on your inbox. The majority of companies will send out email notifications once they have fixed the bug. When you receive this notification make sure to go to their website and change your old password!
If you not already using a password manager, I think it’s the right time to start. I no longer remember any of my passwords (as they are very strong and managed by my password managers) and even if I show them to you it’ll take couple of hours for you to remember. There are plenty of password management options available and it’s not practical to list all of them here however, I will list 3 password managers that I have used in the past and that I currently use personally.
- Lastpass – A fantastic FREE password manager which allows you to even share your credentials with your colleagues without exposing them. If you want to sync passwords in all of your devices like tablets and mobiles, then you will need to consider buying the premium service, which is quite cheap for what you are paying for at just /year. The beauty of Lastpass is that you can even use it on another machine simply by installing the Lastpass browser extension.
- 1Password – I use both Lastpass and 1Password. 1Password is a device based password manager and is available for Mac, Windows, iPhone and iPad. It’s a beautifully designed software and I use it to keep sensitive information which I’m not keeping in the cloud.
- Roboform – This is probably the earliest password manager I came across. I used them for around 4 years before moving to other options, but they are still a good player in the market.
Lastly, you’ll need to consider 2-step verification if any of your service providers support that. At first you will think that this is a tedious process, but it’s worth the effort. Here are some of the popular services that support 2-step verification.
Did Heartbleed affected you? Share you thoughts in the comments.
Further readings:
Photo courtesy: www.zdnet.com