Heartbleed for the rest of us
Many people have been talking about Heartbleed and OpenSSL. Why should you care about SSL? Is that a snake? Is that text speak? Here’s some FAQs to help you out.
What is it?
Heartbleed is a code name for a problem with OpenSSL that was discovered Monday by Google, this affects any services that use HTTPS, HTTPS is the protocol used to secure important user data such as logins, credit card information, etc. There was a bug discovered that basically made this user data that was encrypted unencrypted, so anyone could see private user data being stored on a server.
How does this affect me?
User logins were gathered on compromised sites, this includes IMPORTANT sites such as online banks, email services, dating sites, etc. Major companies have been affected, as of late Monday, sites like Yahoo had STILL not updated their security procedures. If you signed onto any site that had not secured their servers, consider your account data compromised, and change your password immediately.
How do I find out if my account information has been stolen?
Enter any website you are worried about and had logged into between Sunday and Monday of this week this website, If it comes up insecure, do NOT login to that site. If you have logged into it before please wait until the site is secure to change your password. If you change the password before the site has been patched, then the data is there for anyone to take.
Heartbleed made 66%* of the internet insecure
On Monday evening, before a patch was issued, someone released a script on popular web forums like reddit and 4chan that allowed pretty much anyone with working knowledge of how to run a program (this program in fact is the exploit) to listen in on web servers and collect important data such as user names, passwords, and credit card information on servers as transactions and logins were occurring. This was intended to be used as a check against your server to see if you were still vulnerable but it quickly turned malicious.
Basically if you thought you were having a private conversation on the web with anyone, you were not.
Why is no one talking about this? It seems important
People are, but in technology we have a term called “security through obscurity” which means if we don’t talk about it, it’ll just go away. However here are some helpful articles if you’re interested
or maybe it’s not big enough for major new media, but I believe it is a big deal
Why do I have to change my passwords?
Things like Amazon, Facebook, Dropbox etc were all insecure for a long stretch of time on Sunday and Monday. If you logged in to that service, or you authorized that service at any time (dropbox, for example, authorizes itself every 15 minutes on your computer but you do not have a login screen [Important! Users did report their dropbox accounts used for malicious purposes on twitter!]) it most likely collected. If you use the same password for one service as you do another, then that is doubly so a reason to change it. In any case, the servers that hold your data were open books for malicious attacks, so your data is NOT safe.
Services not affected: Anything hosted by Microsoft (Outlook email, Office 365 etc)
So, is it fixed now?
For the most part yes, many major services reissued certifications on Monday evening, the majority patched by noon on Tuesday. The initial patch was issued two hours after the bug was discovered, with Debian based systems receiving the patch first, the last systems patched were BSD. If you are concerned about some of your smaller sites run them against the link posted earlier in this post. Be a good internet Samaritan, notify the site admin about it so they can fix it.
Did the NSA do it?
Most people have no idea why this is happening to them, and telling them that the NSA did it is even worse for them. This bug was in open source code, they didn’t insert a back door, some poor open source developer made a mistake, open source developers all work for free and volunteer their time on projects like this (as an aside, please donate to OpenSSL ). Give them honesty and tell them to change their password, don’t throw conspiracy theories around.
EDIT: After a few days (this was written on Tuesday) it has been released that the NSA most likely knew about the bug and exploited it but they did NOT write it.
This is the worst security breach in the history of the internet.
Change your passwords now, change them again in a month.
* Edit: from @jbhannah “Technically (by some accounts) only about 17% of servers were affected. They have to have been running OpenSSL 1.0.1 or 1.0.2, and their version of OpenSSL has to have been compiled with and using the TLS heartbeat feature.
66% is taken from the number of servers that run Apache or nginx (servers that use OpenSSL). Servers running an old version of OpenSSL (0.98 I think the version that’s still common), or a recent version that was compiled without TLS heartbeat, won’t be affected.
It’s also important to note that encryption itself is still safe. Some certificates, and some private information that is normally encrypted in transmission, may have been compromised as a result of the Heartbleed bug. But the fact that the correct private key is still necessary to decrypt something encrypted with a given certificate hasn’t changed, and once a site revokes their presumed-compromised certificate, generates a new one with a new key, and patches their server’s version of OpenSSL, then they’re secure once again.”