The tech news over the last week has been dominated by talk of the Heartbleed bug. While many articles have been published, I wanted to take a moment to review the basic facts about Heartbleed. Once we have the facts straight, we can plan a strategy to mitigate the potential harm.
- What is Heartbleed?
Heartbleed is a flaw in OpenSSL. OpenSSL is a piece of software that many websites use to provide secure, encrypted communication between the website and your web browser. The flaw was introduced – accidentally – in April 2012, and it allows anyone connecting to an affected website to request and receive data from it that they should never see. OpenSSL includes a feature called a heartbeat that lets your browser confirm the website is still listening and waiting for requests from you: the browser sends a small piece of data, and the server is meant to send that same data back. However, the Heartbleed bug allows a browser to claim it sent up to 64KB of data when it did not. When it does, the server sends back whatever data happens to be in the website's memory at that point. This means the reply could contain sensitive data such as the username and password of a previous user of the website. It could also include the keys used to encrypt data for the website. With these keys, a hacker could set up a malicious website and use a stolen key to assume the identity of the original site. If you want more detail, see this Engadget article.
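As an added example (not code from this article, and not OpenSSL's own source), the following C program models the heartbeat handler described above. A request carries a claimed payload length; the unpatched handler trusts that claim and copies that many bytes out of memory, while the patched handler checks the claim against the number of bytes that actually arrived and discards the request if they disagree. The record layout, the function names, the fixed-size "server memory" arena and the neighbouring "secret" placed in it are all constructed for this demonstration.

```c
/* Added example: a simplified model of the TLS heartbeat defect and its fix.
 * Not OpenSSL code; names and the memory layout are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled request layout (after the TLS heartbeat extension):
 *   byte 0    : message type (1 = request)
 *   bytes 1-2 : claimed payload length, big-endian (so at most 65535 bytes)
 *   bytes 3.. : the payload the browser actually sent */
#define HB_HEADER_LEN 3

/* Constructed "server memory": the request is written at the start, and data
 * belonging to some other user's session sits immediately after it. */
static unsigned char server_memory[128];
static const char *neighbour_secret = "user=alice&password=hunter2"; /* constructed */

/* Writes a heartbeat request with an arbitrary claimed length; returns the
 * number of bytes that were really received on the wire. */
static size_t build_request(unsigned char *dst, uint16_t claimed_len, const char *payload) {
    size_t actual = strlen(payload);
    dst[0] = 1;
    dst[1] = (unsigned char)(claimed_len >> 8);
    dst[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(dst + HB_HEADER_LEN, payload, actual);
    return HB_HEADER_LEN + actual;
}

/* Unpatched behaviour: the handler never consults how many bytes arrived and
 * copies as many bytes as the request *claims*, reading past the record. */
static size_t heartbeat_reply_unchecked(const unsigned char *req, size_t req_len,
                                        unsigned char *out, size_t out_cap) {
    (void)req_len;                                   /* the real length is ignored: the bug */
    size_t claimed = (size_t)((req[1] << 8) | req[2]);
    /* Demo-only guard so the over-read stays inside our constructed arena and
     * reply buffer (assumes req points into server_memory). The real code had
     * no such limit below 64KB. */
    size_t arena_left = sizeof(server_memory) - HB_HEADER_LEN;
    if (claimed > arena_left) claimed = arena_left;
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, req + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Patched behaviour: the claimed length must fit inside the bytes actually
 * received, otherwise the request is silently discarded (reply length 0). */
static size_t heartbeat_reply_checked(const unsigned char *req, size_t req_len,
                                      unsigned char *out, size_t out_cap) {
    if (req_len < HB_HEADER_LEN) return 0;
    size_t claimed = (size_t)((req[1] << 8) | req[2]);
    if (HB_HEADER_LEN + claimed > req_len) return 0;  /* the missing bounds check */
    if (claimed > out_cap) return 0;
    memcpy(out, req + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Sends a 2-byte payload that claims to be 100 bytes long. Returns 1 when the
 * unchecked handler echoes the neighbouring secret and the checked one refuses. */
static int demo_leak(void) {
    unsigned char reply[128];
    memset(server_memory, 0, sizeof server_memory);
    size_t req_len = build_request(server_memory, 100, "hi");
    memcpy(server_memory + req_len, neighbour_secret, strlen(neighbour_secret));

    size_t n = heartbeat_reply_unchecked(server_memory, req_len, reply, sizeof reply);
    int leaked = n == 100 && memcmp(reply, "hi", 2) == 0 &&
                 memcmp(reply + 2, neighbour_secret, strlen(neighbour_secret)) == 0;

    size_t m = heartbeat_reply_checked(server_memory, req_len, reply, sizeof reply);
    return leaked && m == 0;
}

/* A well-formed heartbeat still works after the fix: "hi" claimed as 2 bytes. */
static int demo_valid_roundtrip(void) {
    unsigned char reply[128];
    memset(server_memory, 0, sizeof server_memory);
    size_t req_len = build_request(server_memory, 2, "hi");
    size_t n = heartbeat_reply_checked(server_memory, req_len, reply, sizeof reply);
    return n == 2 && memcmp(reply, "hi", 2) == 0;
}

int main(void) {
    printf("over-long request leaks neighbouring data and is blocked by the fix: %s\n",
           demo_leak() ? "yes" : "no");
    printf("well-formed heartbeat still answered after the fix: %s\n",
           demo_valid_roundtrip() ? "yes" : "no");
    return 0;
}
```

The whole defect is the single comparison between the claimed length and the bytes actually received; everything the article lists as at risk (other users' credentials, the server's keys) is simply whatever happened to sit next to the request in memory, which is what the constructed `neighbour_secret` stands in for.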
- How does this affect my computer?
In the strictest sense, this does not affect your PC or Mac (unless you are running an OpenSSL server). This flaw is primarily on web servers. However, because just about every computer these days lives at least part of its life on the Internet, how the web servers are affected directly affects us.
- So what should I do?
There are a number of steps everyone should take to address these issues. First, follow good Internet security practices. While these are not specifically tied to the Heartbleed vulnerability, this is a good opportunity to remind ourselves of the basics.
- Use unique passwords. If you use the same password on more than one website, it becomes that much easier for attackers to figure out the password for your bank if they learn the password for your favorite chat room.
- Use random passwords. Attackers often use dictionaries to guess common passwords. So, a password like MyDogRover is quite likely to be guessed, while t*LL&c^05WxV is far less likely to be.
- Use a password manager. A good password manager will provide you with the tools to do both of the above. I use and recommend LastPass. It includes integration with all Mac and PC browsers, tools to generate strong random passwords and many other features for free. For $12/year, their pro version adds support for mobile (iOS/Android/Windows Phone/BlackBerry) and other useful features.
- Trust no one. That is, if you are not sure what you are looking at, assume it is dangerous. If your mom sends you a YouTube link that you were not expecting, it could be a video of an adorable cat. Or, it could be a link to a malicious website.
- What else?
This is where it gets a little more complicated. Because this bug affects websites, fixing things on your end only helps with sites that have fixed the issue on theirs. So, the first thing to do is determine whether the sites you visit have fixed the issue. Many sites have proactively published status updates as they fixed the bug. If you are not sure, use a website such as this one from LastPass to check. Once a site has fixed the issue, change your password for that site immediately; changing it before the site is fixed only exposes the new password to the same bug.
If you have any questions, please feel free to email us at firstname.lastname@example.org