Once more out of the ether I emerge…and with a new theme, no less. More on that later.
There’s been a lot of talk (and some panic) about this whole Heartbleed thing in the past few days. Since most folks that I know are not going to be familiar with what OpenSSL is, or care to learn, I decided to put together a quick “How does this affect me” guide to what this thing actually is, and what you need to do.
What is Heartbleed?
So, imagine that you buy a nice new set of windows for your house, with really secure locks. These windows are great, and the fact that you have them makes you feel more secure. Until the manufacturer reveals that they’ve just discovered a flaw in their design, that’s been there the whole time they’ve been making their windows. This flaw potentially allows someone to bypass or disable those locks…if they know how.
That’s Heartbleed – something called OpenSSL is the “window” and someone’s discovered a flaw that’s been there for a while. It’s not a virus, but a defect.
How bad is Heartbleed?
Heartbleed basically allows someone with the proper knowhow to eavesdrop on (and steal) information that was theoretically being passed securely via SSL (the green padlock).
This is potentially very bad. Potentially.
So the bad guys found this flaw?
No. There are plenty of people (“ethical hackers”, or “white hat hackers”) who try to find system vulnerabilities before the bad guys do. Heartbleed was found by some of these folks proactively. There hasn’t yet been any confirmation that anyone’s data has been stolen via Heartbleed.
But still, I should panic, right?
Not quite. Why? Well, SSL is used on sites that are collecting personal data (such as login information, credit card numbers, etc.) – the “green padlock” shows up in the URL bar on most browsers.
HOWEVER, OpenSSL is only one of several SSL implementations out there. This does not mean that all green-padlock sites are now compromised.
So, what exactly IS affected?
Only sites that used OpenSSL to generate their SSL certificates. But who’s that, you ask?
That’s a good question, and many folks are putting together lists online of sites that were using OpenSSL, and were therefore exposed to this vulnerability. Since Heartbleed was discovered, many places have patched the hole.
A couple of these lists are here:
An important note: most banking sites out there (the holy grail for hackers) use their own “brand” of SSL – and are therefore not vulnerable. Check anyway, but you shouldn’t have anything to worry about there.
So…what do I do?
As it says on the cover of the Hitchhiker’s Guide to the Galaxy, “Don’t Panic.” There are two things you should do; one is reactive and one is proactive.
Reactive – visit the lists above, and if any of them recommend changing your password, do it now.
Proactive – download and use Google Chrome as your browser. Then, download the Chromebleed plugin so that it can monitor your browsing and alert you if a site you’re visiting is vulnerable to Heartbleed. If it is, don’t use the site.
That’s really the minimum that you should know about Heartbleed to be an “informed citizen.” This does sound a bit like Y2K in terms of hype, with people not truly understanding the nature of the thing.
It is serious, there’s no doubt. It’s possible that hackers have known about and exploited this for a while now. But it’s also possible that nobody found it before the good guys, and that patches will be rolled out quickly enough to prevent anything serious from happening.
If you want to learn more about Heartbleed, visit http://heartbleed.com/, or simply do a search on Google (or Twitter #heartbleed).
Hope this has been helpful!