The Heartbleed bug is the trending topic online this week and I hope to consolidate some resources and explain what the issue is. The end of this post contains many links that will also help explain the situation.
What is it?
It is a security vulnerability that has existed in the OpenSSL software library for two years. Heartbleed allows an attacker to read data that would otherwise be considered protected. This includes things like passwords, emails, and private keys. Unfortunately this act of reading data is undetectable, so we must assume that all passwords have been stolen and an attacker has copied all the private keys.
For those unfamiliar with public-key cryptography, a private key is what identifies someone online, allowing them to read encrypted messages sent to them. A stolen private key also lets someone pretend they are Facebook and perform other such attacks.
OpenSSL is used by the most popular web server on the internet, Apache (approximately 66% of web sites use it). A patch has been released, but every website admin must apply it and then create a new set of keys, since an attacker who already copied the old keys could otherwise keep using them.
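To make the defect concrete, here is an added illustration (not OpenSSL's code, and not part of the original post) of the bug class behind Heartbleed: a heartbeat handler that trusts the length field in the request without comparing it to the number of bytes actually received, shown beside the bounds check the patch adds. The memory layout, the "hi" payload and the SECRET bytes are all constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Constructed layout (not real OpenSSL state): a heartbeat request (1-byte
 * type, 2-byte claimed payload length, payload, 16-byte padding) followed in
 * the same buffer by bytes standing in for neighbouring heap contents. */
#define RECORD_LEN 21               /* 1 + 2 + 2 real payload bytes + 16 */
#define ARENA_LEN  64
static const unsigned char SECRET[] = "private key material";
#define SECRET_LEN (sizeof SECRET - 1)
/* Request that claims `claimed` payload bytes but really carries only "hi". */
static void build_arena(unsigned char *arena, uint16_t claimed) {
    memset(arena, 0, ARENA_LEN);
    arena[0] = 1;                                /* heartbeat request */
    arena[1] = (unsigned char)(claimed >> 8);    /* length, big-endian */
    arena[2] = (unsigned char)(claimed & 0xff);
    arena[3] = 'h'; arena[4] = 'i';
    memcpy(arena + RECORD_LEN, SECRET, SECRET_LEN);   /* "heap" after it */
}
/* Pre-patch shape: echoes as many bytes as the peer claims, never checking
 * that claim against the number of bytes actually received. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out) {
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                               /* the bug: never consulted */
    if (payload_len > ARENA_LEN - 3) payload_len = ARENA_LEN - 3; /* demo-only guard */
    memcpy(out, rec + 3, payload_len);           /* copies past the payload */
    return payload_len;
}
/* Patched shape: drop the record when type + length field + claimed payload
 * + padding would exceed what was actually received. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out) {
    if (rec_len < 3) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + 16 > rec_len) return 0;   /* the fix */
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}
/* Feed the same lying request to both handlers. Returns 1 when the old
 * handler's echo contains SECRET and the patched handler echoes nothing. */
int demo(void) {
    unsigned char arena[ARENA_LEN], out[ARENA_LEN];
    build_arena(arena, 40);                      /* claims 40, sends 2 */
    size_t n = heartbeat_vulnerable(arena, RECORD_LEN, out);
    int old_leaks = n >= RECORD_LEN - 3 + SECRET_LEN &&
                    memcmp(out + RECORD_LEN - 3, SECRET, SECRET_LEN) == 0;
    return old_leaks && heartbeat_fixed(arena, RECORD_LEN, out) == 0;
}
```

Note that nothing in the fixed handler logs the dropped record, which is why the post is right that you cannot tell after the fact whether a server was read from: the check prevents the leak but does not record attempts.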
What do I need to do?
Consult this list of Passwords to Change and change your password on every website with a checkmark. Reset the password on each website to a unique password (see my previous post and Bruce Schneier's post for more information on how to do it). I also advise my friends to change ALL their passwords just in case. However, if a website has not patched yet, you will need to reset your password again after it patches.
NOTE: Be careful of phishing emails claiming to be password resets. When in doubt, type in the url in the address bar manually.
Use a Password Manager to manage all your passwords for you, so every site's password can be unique. Personally, the only two passwords I know are the ones for:
- My password manager - so I can log into everything else
- My email - in the worst-case scenario that my password manager no longer works, I can still reset all my passwords through my email.
Both of these passwords are secure, meaning 20 characters with a mix of letters and numbers. For someone who has trouble remembering a long password, Bruce Schneier recommends having a securely generated password, and simply writing it down and putting it in your wallet.
Recommended Password Managers: LastPass for those who want something easy and free. 1Password for those who don't mind paying. Finally, KeePass2 for those who don't mind a little extra setup.
I have personally used 1Password and KeePass2 and heard very good things about LastPass.
Donate to the OpenSSL Software Foundation
You can also donate to the OpenSSL Software Foundation so they can continue to improve the security of the software here: https://www.openssl.org/support/donations.html
Here are links that may be useful
heartbleed.com - explains the issue and has a Q&A section.
CBC article - Explains a lot in a news format and contains useful links itself.
Passwords to Change - List of sites where you should change your password.
Checking if Sites are Safe
Top 10,000 - Someone used the above test to generate a list of vulnerable sites (may not be up to date however)