The Heartbleed Bug is now public knowledge, and with around 500,000 widely trusted websites initially vulnerable to the flaw, its affect is enormous. If you run or surf any website using HTTPS (SSL/TLS encryption, used by bank, social media, email, e-commerce, and government sites, among many others, to secure your data), then you need to know about Heartbleed. This may sound paranoid, but there’s no way to sugarcoat or downplay a security flaw like this.
In a nutshell, Heartbleed is an enormous flaw in the popular OpenSSL encryption. OpenSSL is an open-source implementation of the SSL and TLS encryption protocols. The flaw has been present for over 2 years, but is just now coming to light. What it means is that names, passwords and other personal data you send (or have sent), to a seemingly secure website, could be seen by anyone with a little bit of know-how. If you’re interested in all the technical details, Gizmodo has a great breakdown.
As serious of a flaw as Heartbleed is, most major sites are overstating its reach. Heartbleed does not affect 2/3 of the internet. To be vulnerable, a site has be running a vulnerable version of OpenSSL and have their “heartbeat extension” enabled. According to Netcraft’s most recent SSL survey, that left just 17.5% of SSL sites (not 17.5% of the internet – 17.5% of sites using this encryption) vulnerable.
Enough with the details. Here’s what you really want to know – what Heartbleed means for your site, and you:
Heartbleed and Your Site
- Your site is only potentially vulnerable if your WordPress or other format site uses HTTPS for secure connections on any of its pages.
- Most likely, you use a hosting provider for your website. You need to find out from them whether they were vulnerable to this flaw and, if so, if it has been fixed. If it has not been fixed yet and a fix is not coming quickly, you may want to consider a new provider immediately.
- If your provider was ever vulnerable, you need to change all administrative passwords – and user passwords – immediately, as this information could have been compromised. These should only be changed after the flaw is fixed. If the flaw still exists, our new information would still be vulnerable.
- If your site was vulnerable, you also need to consider notifying your users, if only to change their passwords for protection. If you’ve been processing credit card payments, this is particularly crucial to allow users to watch for fraudulent activity.
- If you run your own WordPress or other site at the OS level, here is OpenSSL’s official announcement, with the appropriate fix.
- Even though it is unlikely your site would be the target of a specific attack, your customers will respect you for taking the above steps quickly and keeping their best interests at heart.
- You can check here to see if your site is currently vulnerable to Heartbleed.
Heartbleed and You
- On the browsing level, you can breathe a tiny bit easier in knowing that most major websites have already repaired this flaw.
- You’re more at risk if you’re using a single password for all your websites. Flaws like this are why using a unique password for every site is crucial. Doing so minimizes your exposure when an individual site is breached. LastPass is a great free password management tool to get you started, and there are many other options out there.
- If you are notified a site you use was vulnerable (or find that it was in your own research), change your passwords immediately. You may want to change your critical site passwords (email, banking, social networks, to name a few) just to be safe. Be aware that changing your password does no good if a site is still vulnerable, as your updated info can still be accessed.
- Enable two-factor authentication (summed up here by Lifehacker) everywhere you can for additional security. Evan Hahn has a great list of sites that support this.
- Keep a fine eye on all of your debit and credit cards for the foreseeable future, to quickly flag any fraudulent activity.
- Mashable has a detailed list of passwords you should be changing.
- You can check here to see if a site is still currently vulnerable to Heartbleed.
There have been no documented cases of Heartbleed being exploited to date, but even if it has been, we may never know for certain. The way the flaw works makes it extremely difficult to detect.
The good news – we hope – is that obtaining data from this flaw is rather like searching for a needle in a haystack, so the majority of us may escape unscathed. Take this opportunity to tighten up your security as much as possible. In today’s digital world, the next flaw or breach is coming all too soon.