I’ve read a lot about Heartbleed lately but I don’t really understand it. What does it mean for my family?
A friend texted me this question yesterday and I’m going to do my best to answer this question in non-tech talk because I feel like the message to normal folk is getting lost in technical language and there are likely more friends and family wondering the same thing.
Heartbleed is a bug in the code that many websites use to secure their connections (a library called OpenSSL). The webcomic xkcd actually did a great job of explaining it:
Heartbleed explained by XKCD
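To make the comic concrete for the technically curious, here is an added toy model (my own illustration, not OpenSSL's code and not part of the original post) of the heartbeat exchange Heartbleed abused. A heartbeat request carries a short payload plus a field saying how long that payload is; the bug was that the server copied as many bytes as the *claimed* length said, without checking that the payload was really that long, so it echoed back whatever happened to sit next to the request in memory. The server memory layout and the "secret" that sits beside the request are constructed for illustration.

```python
import struct
from typing import Optional

# Constructed "server memory" neighbour: unrelated data that happens to sit
# right after the heartbeat request in the toy model below.
SECRET_NEIGHBOR = b"session=ABC123;password=hunter2;"

PADDING = 16  # the heartbeat format ends every message with 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request: type(1 byte) | length(2 bytes) | payload | padding.

    claimed_len is what the sender *says* the payload length is; an honest
    sender passes len(payload).
    """
    return struct.pack("!BH", 1, claimed_len) + payload + b"\x00" * PADDING


def handle_vulnerable(msg: bytes) -> bytes:
    """Pre-patch behaviour: trust the claimed length and copy that many bytes."""
    memory = msg + SECRET_NEIGHBOR          # request sits next to other data
    _, claimed = struct.unpack("!BH", memory[:3])
    echoed = memory[3:3 + claimed]          # no check against the real size
    return echoed


def handle_fixed(msg: bytes) -> Optional[bytes]:
    """Patched behaviour: discard any request whose claimed length exceeds the message."""
    memory = msg + SECRET_NEIGHBOR
    if len(msg) < 1 + 2 + PADDING:          # too short to even hold a header
        return None
    _, claimed = struct.unpack("!BH", memory[:3])
    if 1 + 2 + claimed + PADDING > len(msg):
        return None                         # silently drop, as the fix does
    return memory[3:3 + claimed]


def leaks_secret(reply: Optional[bytes]) -> bool:
    """True if the echoed bytes contain data that was never part of the request."""
    return reply is not None and SECRET_NEIGHBOR in reply


if __name__ == "__main__":
    honest = build_heartbeat(b"bird", 4)
    lying = build_heartbeat(b"bird", 65535)
    print("honest, vulnerable server:", handle_vulnerable(honest))
    print("lying, vulnerable server leaks secret?", leaks_secret(handle_vulnerable(lying)))
    print("lying, patched server:", handle_fixed(lying))
```

The fix is the single length comparison in `handle_fixed`: the patched server checks that the claimed length actually fits inside the bytes it received and otherwise drops the request. Note that the toy model truncates at the end of its small buffer, whereas the real bug could return up to 64 KB of whatever was adjacent, which is why passwords and certificate keys were at risk.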
Heartbleed is going to affect you in 2 primary ways.
Lots of password changes
Every account you have with a website that used OpenSSL should be considered compromised and you need to go change your password. Thankfully many sites are sending out emails and publishing blog posts to notify their users. This password reset is to prevent any unauthorized access (folks other than you) from logging in to the site or app just in case your password might have been exposed using Heartbleed.
What sites are affected? Mashable has a very good list, but don’t go changing everything just yet. Websites really need to take 2 steps to fix the problem before you change your password (more on that in a bit). Without those changes the new password might be exposed too. It’s akin to having your phone tapped and giving out your new number to anyone eavesdropping.
So how do you know a site is fixed and is ready for you to change your password? Well, there isn’t a single good answer. Check the website of the company, ask them via Twitter, do a bit of research. If you are a user of Lastpass then they did their users a huge favor and added a feature to their security check that shows every account saved in Lastpass that may be affected and indicates whether it is now safe to change your password or not. Don’t you wish you used an incredible service like Lastpass 🙂
Facebook, Pinterest, Tumblr, Soundcloud, Yahoo and most of the big sites are safe now, so you can change those passwords anytime. Some of the notable sites that aren’t secure as of this writing are Imgur, Instagram, and Flipboard.
Malicious Websites using a stolen “valid” certificate
Let’s start with an oversimplified explanation of Secure Websites.
When you log in to your bank, the little lock in your browser means that your bank bought a certificate from one of the web’s trusted certificate authorities and is using it to encrypt your data so other folks at the coffee shop don’t get a peek at your password. That security lock means 2 things: 1) you are really dealing with your bank and 2) information submitted through that webpage is secure and only visible to your bank. That is what SSL technology does in a nutshell. You can see that when that system is compromised it’s a big problem. Welcome to Heartbleed.
If you are familiar with phishing then you know that attackers will craft an email or website to look similar enough to your bank, Google, Yahoo etc… to fool you into typing in your username and password. If you fall for it then you’ve handed your account over to an attacker. This OpenSSL bug opens the door for attackers to not only impersonate a website but now they might be able to steal that website’s certificate (its private key) and make their forgery even more convincing.
I mentioned before that websites have 2 steps to secure themselves: 1) apply the OpenSSL patch, which fixes the bug, and 2) get a new certificate and revoke the old one, which marks it as bad.
Once the old certificate is marked as bad, your web browser should warn you that the certificate used on this website is no longer valid. The only catch? Chrome and Firefox don’t check for this by default. Follow the instructions here to change those settings to check for revoked certificates in Chrome and Firefox.
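Here is an added toy model (my own illustration, not browser code and not part of the original post) of what that browser setting actually changes. A browser can skip revocation checks entirely, check but still accept the certificate if the revocation server cannot be reached ("soft-fail"), or check and refuse when it cannot get an answer ("hard-fail"). The policy names, the certificate authority name and the revocation list are constructed for the example.

```python
from dataclasses import dataclass
from typing import Set


@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str
    subject: str


# Constructed certificate revocation list (CRL): issuer -> serial numbers revoked.
# In the story above, serial 1001 is the "old" certificate a site revoked after patching.
CONSTRUCTED_CRL = {"Example CA": {1001}}


class RevocationUnavailable(Exception):
    """Raised when the revocation server (CRL or OCSP) cannot be reached."""


def fetch_revoked_serials(issuer: str, reachable: bool = True) -> Set[int]:
    """Stand-in for downloading the issuer's CRL; `reachable` simulates a network failure."""
    if not reachable:
        raise RevocationUnavailable(issuer)
    return CONSTRUCTED_CRL.get(issuer, set())


def browser_accepts(cert: Cert, policy: str, reachable: bool = True) -> bool:
    """Decide whether a browser with the given revocation policy trusts `cert`.

    policy: "off"  - never check revocation (accepts even revoked certs)
            "soft" - check, but accept if the check cannot be completed
            "hard" - check, and reject if the check cannot be completed
    """
    if policy == "off":
        return True
    try:
        revoked = fetch_revoked_serials(cert.issuer, reachable)
    except RevocationUnavailable:
        return policy == "soft"      # soft-fail treats "no answer" as "fine"
    return cert.serial not in revoked


if __name__ == "__main__":
    old_cert = Cert(1001, "Example CA", "bank.example")   # revoked after the fix
    new_cert = Cert(1002, "Example CA", "bank.example")   # freshly issued
    for policy in ("off", "soft", "hard"):
        print(policy, "old:", browser_accepts(old_cert, policy),
              "new:", browser_accepts(new_cert, policy),
              "old, server down:", browser_accepts(old_cert, policy, reachable=False))
```

The point of the model: with checking off, a stolen but revoked certificate still shows the green lock, which is exactly the forgery risk described above. Turning the check on closes that gap when the revocation server answers; only a hard-fail policy also refuses the certificate when it cannot get an answer, at the cost of more error pages.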
It’s difficult to predict the fallout of Heartbleed. It will be a learning process for the security community and for everyone involved, from certificate authorities to browser vendors.
TL;DR The best you can do is to change your passwords, use something complex and unique to that site (don’t reuse passwords, seriously— don’t), make sure your web browser settings give you the most security, and keep your wits about you. If something looks off or strange, don’t type in your password.
Further Security Tips
- Passwords: You can’t remember complex 22-character passwords. Use a password manager like Lastpass. Stop using passwords and start using passphrases: pick 4 words and add punctuation. BlueElephantlovesYanni! is an incredible password and you can remember it.
- Enable 2-Factor Authentication: This is an extra step that uses your mobile phone as a 2nd form of authentication. Use it on Google, Apple, Yahoo, and many more. Start with this article: Here’s Everywhere You Should Enable Two-Factor Authentication Right Now. I use the Authy app on my phone to keep track of all my 2-factor enabled accounts.
Image credit: ryanmilani