You have probably heard about the Heartbleed bug in OpenSSL reported last week. It’s been described as a critical flaw compromising the security infrastructure of the Internet. This is estimated to have affected over 66% of websites on the public internet, including Yahoo, Google, Facebook, and Instagram.
How does it work?
Effectively, it allows an attacker to ask an affected server to send back a chunk of up to 64KB of whatever happens to be in the server's memory, and the attacker can repeat the request over and over, as fast as their computer can send it and the server can respond. This can expose anything that is in the server's memory, including usernames, passwords, credit card numbers, personal information, etc.
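To make the mechanism concrete, here is a simplified model (added for this post, not OpenSSL's code) of a heartbeat record handler. The unchecked handler echoes back as many bytes as the sender claims to have sent, so it reads past the real record into neighbouring memory; the hardened handler enforces the bounds check that the OpenSSL fix added. The record layout, the "process memory" contents and the placeholder credential are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified heartbeat request layout (after RFC 6520):
 * byte 0     : type (1 = request)
 * bytes 1..2 : payload_length, big-endian
 * bytes 3..  : payload, followed by at least 16 bytes of padding
 * This is a constructed teaching model, not the library's code. */
enum { HB_REQUEST = 1 };

/* Constructed "process memory": a short heartbeat record followed by bytes
 * that belong to something else entirely (a placeholder credential). */
static const unsigned char g_memory[] = {
    HB_REQUEST, 0x00, 0x40,              /* claims a 64-byte payload... */
    'h', 'i',                            /* ...but only 2 bytes were sent */
    'p','a','s','s','w','o','r','d','=','h','u','n','t','e','r','2'
};
static const size_t g_record_len = 5;   /* bytes actually received on the wire */

static uint16_t declared_payload_len(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Unchecked handler: trusts the declared length and copies that many bytes
 * from the payload offset, reading beyond the real record. The clamp to
 * sizeof(g_memory) exists only to keep this model itself memory-safe. */
size_t heartbeat_unchecked(unsigned char *out, size_t out_cap) {
    size_t n = declared_payload_len(g_memory);
    size_t avail = sizeof(g_memory) - 3;
    if (n > avail) n = avail;
    if (n > out_cap) n = out_cap;
    memcpy(out, g_memory + 3, n);
    return n;
}

/* Hardened handler: the declared payload plus header and minimum padding
 * must fit inside the record that was actually received; otherwise reply
 * with nothing and return -1. This is the check the fix introduced. */
int heartbeat_checked(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return -1;
    size_t n = declared_payload_len(rec);
    if (1 + 2 + n + 16 > rec_len) return -1;   /* the missing bounds check */
    if (n > out_cap) return -1;
    memcpy(out, rec + 3, n);
    return (int)n;
}
```

Run against the constructed memory, the unchecked handler's reply contains the credential that sits after the record, while the hardened handler rejects the same request and still accepts a correctly padded one.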
What can you do?
We are reliant upon service providers to patch their systems and update their cryptographic keys (most have already done this), but there are some steps that we can and should take as individuals to ensure that we are protected.
1. Make sure that your browser checks for certificate revocation
To find out if your browser already does, go to Verisign's certificate revocation test site. If you receive a certificate warning, then your browser is already properly configured. If not, follow these instructions for Chrome, Safari, Firefox or IE.
This is important because if a server’s certificates were compromised, an attacker could use the stolen certificate to masquerade as the original site.
2. Change all of your passwords
This exploit has been around for 2 years, and its use is undetectable. Therefore, prudence dictates we assume our passwords have been compromised on any affected sites. If you use the same or similar passwords at multiple sites and one of them was compromised, then you must assume that the rest are also compromised.
If you don't already use a password manager, now would be an excellent time to start.
A good password management utility allows you to easily generate secure passwords, stores them in a secure way, automatically fills in login pages for you and syncs across multiple devices. It will make your online logins more secure yet easier to manage.
3. Which sites were affected?
Here’s a good list containing popular sites and the fix status.
Here's a more comprehensive (though less readable) list, with snapshots taken on 4/8 and 4/12 for comparison.
If you are using LastPass, you can run their security check, which will provide you with a handy list of sites that you use that were affected, and whether it’s time to change your password or wait until they’ve updated their certificates.
If you want to check to see if a site you use is still affected, you can use this site to test individual pages.
4. Enable multifactor authentication
We don't recommend this just because of Heartbleed, but if you are using multifactor authentication on sites that were compromised, it dramatically decreases the chance that your account will be broken into.
Heartbleed is a real and nasty bug, but you can take steps as an individual to limit your personal exposure.
- Enable certificate revocation checking in your browser
- Change all of your passwords
- Use a password manager
- Enable multifactor authentication when available
Remember, if you haven't used a password manager in the past, a good candidate for this situation is LastPass. You can use it to create new passwords for all of your sites, then run the security check feature to learn whether any of the sites you use are still vulnerable or have yet to issue new certificates (and hence will require another password reset in the future).