Heartbleed has been all over the news recently, and deservedly so, but there's a good amount of confusion among average web users as to what it means to them. Did it affect your bank? Do you need to change every password? Do you need to buy a new computer? Most likely, the answer to all of those is no. Here's a basic rundown of what Heartbleed is (and isn't), and what you should know about it.


Heartbleed is a vulnerability in a widely used piece of encryption software called OpenSSL. In plain English, when you log onto a secure website, say Yahoo Mail or Facebook, at the top of your browser window to the left of the URL you see a little icon of a closed padlock. That shows that the connection is secure. For your browser to communicate safely with the website's server, there is a standard set of steps that both ends need to follow to set up and maintain that secure connection. While the connection is open, each side periodically sends a little blip of data, a "heartbeat", back and forth: your browser sends a small message, and the server repeats it back. A regular heartbeat means the connection is still alive.


Heartbleed allows a third party to get back more information than it sent to the server. A heartbeat message states how long it is, and the flawed OpenSSL code trusted that stated length without checking it against the data that actually arrived. The server, not realizing that it's giving back more than it received, sends back whatever happens to be in its memory at the time. Most often there is nothing intelligible there, but if the third party tries often enough, they may eventually retrieve items like login names, passwords, secure certificates and more.
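To make the two paragraphs above concrete, here is a small C simulation written for this article; it is not OpenSSL's code and does not touch a network. It lays out a heartbeat record the way the TLS heartbeat extension does (type, two-byte length, payload, padding), places it in a constructed block of "server memory" followed by a made-up leftover secret, and then processes it twice: once with a handler that trusts the stated length (the Heartbleed defect) and once with a handler that checks the stated length against what actually arrived (the fix). The names, the sample payload and the secret string are all assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the heartbeat exchange. Record layout follows RFC 6520:
 * type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (16 bytes).
 * Everything below is a constructed simulation, not OpenSSL's implementation. */

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3
#define HB_PADDING   16
#define HB_MAX_LEN   65535   /* largest value a 2-byte length field can hold */

/* Constructed "server memory": the incoming record sits at the start, and the bytes right
 * after it stand in for whatever else the process happened to hold (a fake session cookie). */
static unsigned char server_memory[HB_HEADER + HB_MAX_LEN + HB_PADDING];
static const char *const LEFTOVER_SECRET = "session=SECRET-COOKIE"; /* constructed, not real */

/* Lay out a request whose header claims 'claimed_len' payload bytes but actually carries only
 * 'actual_len' bytes. Returns the true length of the record as received on the wire. */
static size_t place_request(const unsigned char *payload, size_t actual_len, uint16_t claimed_len) {
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = (unsigned char)(claimed_len >> 8);
    server_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_memory + HB_HEADER, payload, actual_len);
    size_t record_len = HB_HEADER + actual_len + HB_PADDING;
    memcpy(server_memory + record_len, LEFTOVER_SECRET, strlen(LEFTOVER_SECRET));
    return record_len;
}

static uint16_t declared_length(const unsigned char *r) { return (uint16_t)((r[1] << 8) | r[2]); }

/* The flawed behaviour: the length field is trusted and 'record_len' is never consulted,
 * so the server echoes 'claimed' bytes from memory even when far fewer were sent. */
static size_t heartbeat_vulnerable(const unsigned char *record, size_t record_len, unsigned char *out) {
    (void)record_len;                                      /* ignored: that is the defect */
    uint16_t claimed = declared_length(record);
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + HB_HEADER, record + HB_HEADER, claimed);  /* reads past the real payload */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);      /* padding, zeroed for determinism */
    return HB_HEADER + claimed + HB_PADDING;
}

/* The fix: compare the declared length with what actually arrived and drop the record if it
 * does not fit. Returns 0 when the request is discarded without a response. */
static size_t heartbeat_fixed(const unsigned char *record, size_t record_len, unsigned char *out) {
    if (record_len < HB_HEADER + HB_PADDING)
        return 0;                                          /* too short to be a heartbeat */
    uint16_t claimed = declared_length(record);
    if (HB_HEADER + (size_t)claimed + HB_PADDING > record_len)
        return 0;                                          /* declared payload larger than record */
    out[0] = HB_RESPONSE;
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + HB_HEADER, record + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);
    return HB_HEADER + claimed + HB_PADDING;
}

/* Demo detector: does the response carry the constructed leftover secret? */
static int contains_secret(const unsigned char *buf, size_t len) {
    size_t n = strlen(LEFTOVER_SECRET);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, LEFTOVER_SECRET, n) == 0)
            return 1;
    return 0;
}

/* Run one exchange with a 4-byte payload and the given claimed length through either handler.
 * Stores the response length (0 = dropped) and returns 1 if memory leaked into the response. */
static int simulate(int use_fixed, uint16_t claimed_len, size_t *response_len) {
    static unsigned char response[HB_HEADER + HB_MAX_LEN + HB_PADDING];
    const unsigned char payload[4] = { 'p', 'i', 'n', 'g' };   /* constructed heartbeat payload */
    size_t record_len = place_request(payload, sizeof payload, claimed_len);
    size_t n = use_fixed ? heartbeat_fixed(server_memory, record_len, response)
                         : heartbeat_vulnerable(server_memory, record_len, response);
    if (response_len) *response_len = n;
    return n ? contains_secret(response, n) : 0;
}

int main(void) {
    size_t n;
    int leak = simulate(0, 4, &n);
    printf("honest request (claims 4), vulnerable server: %zu bytes back, leak=%d\n", n, leak);
    leak = simulate(0, 64, &n);
    printf("bogus request (claims 64), vulnerable server: %zu bytes back, leak=%d\n", n, leak);
    leak = simulate(1, 64, &n);
    printf("bogus request (claims 64), patched server: %zu bytes back (0 = dropped), leak=%d\n", n, leak);
    return 0;
}
```

The honest request gets the same 23-byte echo from both handlers. The request that claims 64 bytes while sending 4 makes the vulnerable handler return 83 bytes, 60 of which are memory it was never sent (including the fake cookie), while the patched handler simply drops it, which is what the OpenSSL fix does.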


Though it can lead to data theft, Heartbleed is not a virus: your computer isn't infected, and a virus scanner won't tell you whether your data has been exposed (unfortunately, nobody has any way of knowing what data has been exposed, which is why it's so scary). Heartbleed can affect websites, online services, and network servers, as well as all of the devices that connect to them (servers, desktops and laptops, tablets, smartphones, etc.), but it can't infect them. Though the iOS and Android operating systems were not affected, apps you run on your phone could be vulnerable.


The vulnerable code was introduced in a version of OpenSSL released two years ago, so technically, at any point in that timespan, it could have been used to obtain information including login names, passwords, credit card information and more. That doesn't mean, however, that hackers and all sorts of nefarious webgoers have known about it for two years. It's not impossible that the security researchers who disclosed Heartbleed were the first to find it, which would leave a relatively small window of time in which the weakness could have been exploited (an updated version of OpenSSL that fixes the vulnerability has since been released).


That said, the ideal scenario is not especially likely. You don't need to panic and change every password at once, but you should err on the side of safety. If any service you use has contacted you directly to tell you to change your password (Tumblr, for example, has emailed all its users), by all means do it! You should also update your password for other sites and services that were vulnerable, once they have patched the flaw (a new password sent to a still-vulnerable server can be exposed just like the old one). The list of high-traffic sites in this category includes Google, Facebook, Yahoo!, Pinterest, Instagram, Netflix, Etsy, and GoDaddy. If you save your passwords in LastPass, check their site for instructions on the information they've stored for you. If you really want to go the extra mile, enable two-factor authentication (an extra step besides entering your password) on any site or service you use that offers it.


At this point, most services have patched the vulnerability, stopping Heartbleed. Sites that never used OpenSSL in the first place are safe. These include many major banks (JPMorgan Chase, Wells Fargo, Bank of America, and Capital One, for example), as well as many high-traffic ecommerce sites like PayPal, Amazon, eBay, and Target. Not sure about a website or service? You can run it through the Qualys SSL Server Test (www.ssllabs.com/ssltest/) to find out whether the vulnerability has been patched. And if you have a website (especially if you offer any kind of ecommerce), or if you have network connections to your workplace like a VPN, definitely run them through the test. Make sure you get the patch, replace the site's SSL certificate and private key in case they were exposed, and let your customers know they should update their passwords. Even though we can't know what data was exposed, we can make sure we're safe from Heartbleed now.


Tweddell can be reached at [email protected]