The Obligatory Heartbleed Article
Simply put the Heartbleed bug (or CVE-2014-0160) is an issue in OpenSSL that exposes "Encrypted data" to someone trying to gain access to private or protected data. For example, credit card information sent between you and a online store, should be encrypted, making it harder for someone other then you or the store to get the information. The Heartbleed bug exposes some of that info (for example).
Why It's not a big deal
The Heartbleed bug has gotten a lot of press, but technically speaking it's no more of a vulnerability then any other bug. The "fix" is simple, and easy to apply. In addition, unless you were a specific target, it's not very likely that your "were hacked" due to this issue. For most people the impact should be minimal and normal security procedures should "just fix" the issue after a few small updates.
Why it is a big deal
The biggest deal with Heartbleed is more of a breach of trust then a technical problem. There is this perception that when your browser has that "little lock icon" that your safe and your data is private. However this is NEVER true. Heartbleed didn't change that fact, it just brought it to light a bit more then normal.
There is also the sheer number of things it effects. Websites, email, chat programs, some VPNs, most peer to peer encryption, many networking appliances and basically anything else on a network that "encrypted" data could be effected by the bug if it uses the affected software. It's very common.
Don't Blame Opensource
I have seen a lot of publications use heartbleed as a reason not to use opensource projects. The truth is, however, that the problem could have existed in closed source software, and the fix would have been much harder to apply. The truth is the issue has noting to do with open source or closed source. It's simply a bug.
Checking if your effected
There is a site, to check your site (https only), for the issue. Just go here https://filippo.io/Heartbleed/ , enter your sites URL and press the big Go! button.
General Steps for Everyone to take
Rather you have a website or not, one of the websites you use has been effected by the bug. I can just about promise that. So here area few easy steps that everyone should take. Again these are pretty normal, and everyone should be doing them anyway.
- Use different password for different sites. Make sure they are real strong passwords and not "fake strong". Password Generators and managers are great for this. There is 1password for Mac, Last Pass for everything, and Keepass if Last pass makes you nervous. There are others but these three are the best out there. Using a different password on every site means that if one site is compromised you don't loose everything, just that one site. This is probably the single strongest thing you could do as a normal person.
- Use Two Factor authentication when you can. Google authenticator is a great example of this. Again it won't protect you from the heartbleed problem, but it will mitigate the damage if any.
- Update your computer. Run your OS updates, your app updates, your firmware updates, whatever. Keeping the old version is silly at this point. Just do your updates.
- Keep an eye on your personal data. Something like https://www.creditkarma.com/ can be a great tool for checking if your identity has been stolen. Glancing at the bank every once in a while is always advisable.
- Avoid un-safe networks. Your home is safe, the coffee shop is not. If your going to use a public wifi hotspot make sure to use a VPN
Steps for site owners
First, Don't Panic! Chances are you were not effected, even if you had the venerability for a while. Now that's no reason not to act, but don't do anything to drastic. Steps are very simple and your developer, hosting provider, or tech dude should be able to address the issue very quickly.
- Update the server. This is the biggest step. It's that simple to fix it going forward.
- Re-Key your SSL certs. basically this means press the button in your SSL provider. It's really that simple.
- Invalidate your current sessions. In short, you need to clear your session cache so that everyone needs to login again. Again very simple.
All in all an average site can do all these steps in a matter of minuets to a few hours, depending on your update frequency.
In short the issue is far reaching but easy to fix. Keep on top of your normal security procedures, use a password manager, don your tin foil hat, and everything will be ok. Just keep in mind that little lock doesn't mean your data is 100% safe any more then the lock on your car door means your radio is safe.
Coteyr.net Programming LLC. is about one thing. Getting your project done the way you like it. Using Agile development and management techniques, we are able to get even the most complex projects done in a short time frame and on a modest budget.
Feel free to contact me via any of the methods below. My normal hours are 10am to 10pm Eastern Standard Time. In case of emergency I am available 24/7.
Phone: (813) 421-4338