April 13th, 2014
Special Report from The Conversation
If you’re struggling to understand the deluge of information about the Heartbleed vulnerability, you’re not alone. Some reports tell us to change all our online passwords immediately, others warn us that this could do more harm than good. There is a lot of misinformation out there.
It is essential that you do not panic but nor should you be complacent. We all need a good old fashioned mix of common sense and prudence.
What is Heartbleed?
On many of the servers and internet web services we use, there is a free and open source security technology called OpenSSL. In simple terms, when you see the padlock beside the web page URL, you have a secure and encrypted web connection that may have been managed by the OpenSSL software.
To date, OpenSSL has worked incredibly well. Network engineers and users like you have been more than happy with the service it has provided. But Google Security and Codenomicon recently discovered a flaw in the system now dubbed Heartbleed and announced this to the world on 7 April 2014. The bug may have existed unnoticed for the past two years.
In plain terms, Heartbleed is a server memory vulnerability. That means that the entire database of all customers for your favourite online retailer is not vulnerable, but that any of the transactions going on at the moment a site is attacked by a cybercriminal could be. This is why you’ve been advised by some experts to refrain from carrying out important transactions online while the situation is being resolved.
Heartbleed is a major concern for businesses, many of which host thousands of transactions every hour. An ardent cybercriminal could easily write an interrogation tool that exploits the Heartbleed bug every few seconds, allowing for large volumes of customer data to be acquired. It will depend entirely on what is being exchanged at the time as to what information will be extracted.
It is like having someone read your mind while you are reading this article. They will not see the entire article, but for the brief moment they look inside your head, they will see the same words you have just read.
Server memory is only as current as the current transaction or task it is completing. It is therefore unlikely that any old transactions from minutes, hours or days ago will be stored in memory.
What do you need to do?
For a start, don’t panic. Some are advising you should change all your passwords but unless you know the website you are accessing uses OpenSSL, you could be creating more problems for yourself by changing your settings.
This is in part because you could change the password on a server that has not been patched and therefore still have an issue while it remains vulnerable. If a website is still vulnerable, your new password will still be vulnerable too.
Do check with the websites you use. Most sites are announcing if they have made any changes or have recognised a problem. IFTTT, the popular social media mash up service, has already emailed its entire user base, informing them that the services they offer have been secured.
If you are technically inclined and would like to see for yourself, you can use many different Heartbleed checking sites that check if the service you use is vulnerable. There are sites that are now listing vulnerable web sites. This is good news in some respects but it also means that the sites that are vulnerable have also been announced to potential cybercriminals. If your site is on these lists, read the advice with care, as some are saying they do not believe they have any issues.
If you are still unsure, change the password, but use one that you will remember so that you don’t need a prompt from the site. It should also be a password that you are willing to change in a few days' time. But remember, you will be surprised at how many sites you use, accounts you have and passwords you may have forgotten. If you’ve forgotten the password, stay away for now.
What are the professionals doing?
Many services are already fixed. Networking professionals are not complacent and are very security focused. Issues such as these are rare but do make for big news stories. Many may have removed the issue before it even became news.
Some web services will announce if they have patched and are safe but you needn’t necessarily worry if your favourite website doesn’t issue an announcement. The chances are it was never using OpenSSL in the first place.
Will there be other issues?
It is inevitable that there may be some sites that will not be patched as these are not primary commercial services that are being “looked after”. There is always the potential for other issues to be found with OpenSSL or other secure services. SQL Injection, for example, was a problem that became widely known in the networking community in 2012, but we still occasionally find servers still allowing this exploit.
All in all, your best course of action is to find out which websites in your digital life run on OpenSSL. The biggest sites will communicate with you, if and when they need to.
The Conversation operated on a system that used OpenSSL but fixed the vulnerability at midnight on Tuesday 8 April. As a precaution, we’d recommend users change their passwords.
Andrew Smith does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.