OpenSSL “Heartbleed” vulnerability: as bad as it sounds?
Yes, it’s just about as bad as it sounds. But no, it’s not a medical condition, and no one will die from it.
In a Nutshell
The Heartbleed Vulnerability (formally known as CVE-2014-0160) is a severe problem. Techies and consumers alike need to know about it and take action.
The vulnerability is severe. In short, the Heartbleed Vulnerability allows malicious users to potentially see credit card numbers, usernames and passwords, or other personal information submitted over what looks like a secure (HTTPS) connection. To make matters worse, it also exposes the server’s private keys, so a server that has been patched but still uses its old key and SSL certificate could be compromised again.
The vulnerability is pervasive. Approximately 66% of all websites run on Apache or nginx, the web servers that use OpenSSL and could be affected. Some portion of those servers is not affected (oddly enough, older OpenSSL versions are less likely to be affected), but there are a lot of major sites that were vulnerable as of April 8 including Yahoo, Flickr, StackOverflow, Eventbrite, Entrepreneur.com, and Fool.com. Thankfully, some of the most popular sites were unaffected or patched before April 8 including Google.com, Youtube, Facebook, and Wikipedia.
The vulnerability can be exploited without leaving evidence. Some companies like Tumblr have made statements that there is no evidence that they were compromised before they patched their servers. The trouble is, an exploit of this vulnerability leaves no trace, so they wouldn’t have evidence even if they had been compromised.
The vulnerability requires action from EVERYONE. Yes, even you. Your passwords on many sites should be changed, and you can’t count on the owners of those sites to tell you whether your information was compromised (see the previous point).
What sites are still vulnerable?
We built a handy tool that you can use to test if a site is vulnerable. Just visit buckeyeinteractive.com/heartbleed and enter a domain name (website address). We will run the test for you immediately and tell you whether the site is SAFE or VULNERABLE.
So what should you do about it?
If you are a consumer, remember that information submitted on vulnerable sites may have been captured by criminals. Protect yourself:
- Change your passwords on any and all sites that contain sensitive data after your service providers patch the vulnerability (see below for the work they need to do). I’m going to change my passwords at least for my bank, PayPal, Amazon, and LastPass accounts. I use LastPass to manage passwords, and you should too.
- Monitor your credit card and bank activity, and report suspicious charges to your bank promptly (always a good idea, not just at a time like this).
- Contact your website service providers to make sure they have patched and tested their servers. Without the proper precautions taken by them, your passwords and information would remain vulnerable in the future.
If you are a developer or system administrator, you need to patch your servers to protect your customer information. Protect yourself and your customers:
- Update OpenSSL to a version without the vulnerability. Check heartbleed.com for a list of OS and OpenSSL versions affected and not affected, and test again after any update. On Ubuntu running Apache, as an example, you can update your server with this sequence of commands (the restart matters: a running web server keeps the old library in memory until it is restarted):
sudo apt-get update && sudo apt-get install openssl libssl1.0.0 && sudo service apache2 restart
- Revoke, re-issue, and re-install SSL certificates on affected servers. If your server was vulnerable, your private keys may have been compromised. Those keys could be used to decrypt any data your customers send to your website through SSL. You need to generate a new private key, request a new SSL certificate for it from your vendor, and install both on your server; simply re-issuing a certificate for the old key does not help.
- Contact customers and request that they reset their passwords. No, it’s not fun to tell anyone there’s a vulnerability, even if it’s not your fault and giants like Yahoo were affected too. But your customers should thank you for contacting them and being transparent. You can even suggest they read more about Heartbleed here, and change passwords on other sites that may have been affected.
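One way to check, from the outside, whether a site has followed the re-issue step above: look at the notBefore date of the certificate it presents. This is an added example, not part of the original post or its checker tool; the host names and certificate dicts in it are constructed samples, and the check is only a signal (a new certificate date does not prove a new private key was generated).

```python
"""Heartbleed remediation check: was a site's certificate issued after disclosure?

A server patched for CVE-2014-0160 but still presenting a certificate issued
before the disclosure may still be using a key that was exposed while it was
vulnerable. The notBefore date of the served certificate is a public signal
that the operator re-issued after patching.
"""
import datetime
import socket
import ssl

# OpenSSL 1.0.1g and the public disclosure both date from 7 April 2014.
HEARTBLEED_DISCLOSED = datetime.datetime(2014, 4, 7, tzinfo=datetime.timezone.utc)


def issued_after_disclosure(not_before: str) -> bool:
    """not_before is the string from ssl.getpeercert()['notBefore'],
    e.g. 'Apr  9 12:00:00 2014 GMT' (the format the ssl module emits)."""
    issued = datetime.datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_before), tz=datetime.timezone.utc)
    return issued >= HEARTBLEED_DISCLOSED


def assess(cert: dict) -> str:
    """Classify a peer certificate dict as returned by getpeercert().
    Caveat: a post-disclosure date shows re-issue, not that a fresh key was
    generated; that can only be verified by the operator."""
    subject = dict(x[0] for x in cert.get("subject", ()))
    name = subject.get("commonName", "<unknown>")
    if issued_after_disclosure(cert["notBefore"]):
        return f"{name}: certificate re-issued after disclosure ({cert['notBefore']})"
    return f"{name}: certificate predates disclosure ({cert['notBefore']}); key may be compromised"


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch the leaf certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real sites' data) in getpeercert() format.
SAMPLE_OLD = {"subject": ((("commonName", "old.example"),),), "notBefore": "Jan 15 00:00:00 2014 GMT"}
SAMPLE_NEW = {"subject": ((("commonName", "new.example"),),), "notBefore": "Apr  9 08:30:00 2014 GMT"}

if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        print(assess(sample))
```

To check a real site, replace the samples with `assess(fetch_peer_cert("www.example.com"))`.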