What is Heartbleed?
‘Heartbleed’ is a serious security bug in the popular
OpenSSL library, which implements SSL, the security
technology used to establish an encrypted link between a
web server and a browser. When you browse a site that
uses SSL, you see https:// at the start of the site’s
address in the address bar, along with the lock icon in
your web browser.
The Heartbleed bug could allow attackers to access
private memory on a web server. That memory could
contain user passwords, credit card numbers, private
security keys, or other such information. It is a major
security problem that continues to affect millions of
websites that use OpenSSL.
A fixed version of OpenSSL was released on April 7,
2014, at about the same time as Heartbleed was publicly
disclosed. Since the bug was discovered, most hosting
and security companies that provide websites with SSL
certificates have been working round the clock to apply
patches and take the necessary steps to ensure that the
websites protected by the certificates they provided are
not left open and vulnerable to attacks by persons with
malicious intentions.
Who Was Impacted?
Any site that uses SSL, or that has https:// at the
beginning of its URL or of any of the URLs within it, is
potentially susceptible to the Heartbleed bug. More than
half of the 1000 most popular websites use SSL in some
form on their site. Virtually any site you log into,
input payment information on, or have an account with
is going to have SSL installed simply to secure your
information. Social media sites, ecommerce sites,
shopping engines, online banking and web-based email
clients all use it. The Heartbleed bug affected even
major sites like PayPal, Amazon, Google and other big
players.
Are You Vulnerable? How to Check – What To Do
If your website uses an SSL certificate, you can check
which version of OpenSSL you are running. Affected
versions include OpenSSL 1.0.1 through 1.0.1f, as well
as 1.0.2-beta and 1.0.2-beta1. Alternatively, you could
submit your website’s domain here to check whether your
website is vulnerable to Heartbleed.
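The version check described above can be scripted. The following is an added example, not code from the original article or from the OpenSSL project; the function name `heartbleed_status` and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Classify an `openssl version` banner against the affected range listed
# above (1.0.1 through 1.0.1f, 1.0.2-beta, 1.0.2-beta1).
# Prints one of: affected | not-listed | unknown

heartbleed_status() {
    banner=$1
    case $banner in
        "OpenSSL "*) ;;                  # e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013"
        *) echo "unknown"; return 0 ;;   # other TLS library or unparsable text
    esac
    ver=${banner#OpenSSL }               # drop the product name
    ver=${ver%% *}                       # keep only the version token
    ver=${ver%-fips}                     # "-fips" is a build tag, not a release
    case $ver in
        1.0.1|1.0.1[abcdef]|1.0.2-beta|1.0.2-beta1) echo "affected" ;;
        *) echo "not-listed" ;;
    esac
}

# Constructed sample banners (not captured from real hosts).
for sample in \
    "OpenSSL 1.0.1e-fips 11 Feb 2013" \
    "OpenSSL 1.0.1g 7 Apr 2014" \
    "OpenSSL 1.0.2-beta1 24 Feb 2014" \
    "OpenSSL 0.9.8y 5 Feb 2013" \
    "LibreSSL 2.8.3"
do
    printf '%-34s %s\n' "$sample" "$(heartbleed_status "$sample")"
done

# Classify the local binary, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    printf 'local: %s\n' "$(heartbleed_status "$(openssl version 2>/dev/null)")"
fi
```

A banner match is only a first pass: some distributions backported the fix without changing the version letter, and builds compiled with -DOPENSSL_NO_HEARTBEATS do not expose the heartbeat code. Confirm an "affected" result against the vendor's package changelog before acting on it.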
If you find that your website is vulnerable, you could
contact your SSL provider or your website’s hosting
company, and insist that they provide you with the
latest version of SSL encryption, or that they patch or
remove the heartbeat extension so that your webstore is
safe for the foreseeable future.
It is also advisable that website owners reset user
passwords and replace their current SSL certificate if
it is vulnerable. Although this may seem like a lot of
work, taking these important steps to protect consumer
data would help avoid any scare in the future.
Most major companies that operate on an SSL framework
have already applied the security patch that was
released earlier this month, effectively closing the
door through which attackers could enter. There may be
some smaller companies however – some with fewer
resources – that have not been able to get around to
installing the patch just yet.
At any rate, just to be safe, you can run any site you
plan to log into through this site, and it will reveal
any Heartbleed-related problems you should be aware of
before going forward. Mashable also has a good list of
major websites that have been affected.
Other Precautions You Could Follow:
There are also a few other steps you can take to ensure
your personal data and information is not at risk due to
Heartbleed:
– Log in and out of every session in your web browser –
your email, your accounts, your social sites, anything
else you have open. This will ensure you are using the
most updated, secure version of the site’s SSL
framework.
– After you are able to confirm that a site has in fact
installed the security patch, log into your account and
change your password. Though there is no way to confirm
if your password or account information was leaked via
Heartbleed, changing your password can ensure that even
if it was, no hacker could use it to access your
account.
– You can also check this comprehensive list by GitHub.
It names any known sites that are vulnerable to the
Heartbleed bug, so you can steer clear in your web
browsing.
The worst part about the Heartbleed bug is that there is
no way to know whether your accounts or personal data
have been affected. Since the vulnerability has existed
for at least three years, any savvy hacker could have
accessed it during that time. The only way to proceed
now is to move forward, install the patch, and be extra
diligent about the sites you log into or buy from in the
near future.