{ Between the Braces }


Heartbleed. It’s still a thing.

by Adam Blom

While I don’t like to come off as just jumping on the bandwagon, I decided it was important to put out as many sources about this bug as possible, given its potential impact on the security of the web. I’ve laid out this post in a pseudo-F.A.Q. format to make it easy to find information, but if you know nothing about Heartbleed yet, please read the whole thing. So let’s get started…

Aren’t you a little late to the game?

Hasn’t this Heartbleed thing been all over the news since April 7th, and isn’t it now April 18th? The answer to both is yes… and no. Given the immense media coverage after the initial announcement of security vulnerability CVE-2014-0160 (commonly known as “The Heartbleed Bug”), I decided to hold off on writing this article until the dust had settled. I wanted to put out some more information for the web user now that Heartbleed has faded from the collective consciousness of mainstream media, and also pass along some tips for those of you who may be a bit more lax in your web security practices.

I’ve been under a rock. What is Heartbleed?

Ok, if you have watched or read any reputable news source in the last week and a half, you probably don’t need to read this part. But if you don’t know, here’s what you need to know.

In short and simple terms, it was kind of like this:

Your house and everyone in your neighborhood uses Acme brand locks. You lock your house up tight when you leave, but what you didn’t know is that the Chief Lock Designer at Acme has been leaving the pattern to make not only your key, but also the keys for everyone else’s house in your neighborhood, next to the window of his first floor office for the last two years. If a thief happened to look in the window, he or she would easily be able to see the patterns and then use them to unlock your house and take your stuff.

It’s not a perfect metaphor, but it gets the point across.

Now for a bit more technical and accurate detail, so if you’re not interested, skip ahead to the next question. Heartbleed is a vulnerability in the OpenSSL library. SSL/TLS is the encryption protocol that protects information in transit between your computer and a website’s servers. You probably know it best as the little padlock that shows up in your browser when you are connecting to a secure site (logging into your bank account, placing an order on Amazon, etc.). OpenSSL is an open source library that includes an implementation of the SSL/TLS protocol. I am choosing to leave how the bug works fairly vague, as I think only developers and people into software and tech will care to read about it, but if you do want more detail, please check out Heartbleed.com for information on the bug itself.

While only OpenSSL’s implementation of the SSL/TLS protocol was affected, and not the protocol itself, the severity comes not only from how many websites use OpenSSL, but also from how hard it was and how long it took to detect the vulnerability (I’m talking needle-in-a-haystack hard, when only a couple of people are looking). The bug was introduced over 2 years ago, and OpenSSL is used in Apache and nginx web servers, which power roughly 2 out of 3 sites on the web. That’s pretty serious.

The bug was discovered independently by an engineer at Google and by a security team, Codenomicon, in approximately the same time frame. They separately reported the vulnerability, and information was distributed to companies just prior to the public announcement so that a patch could be applied quickly to the affected systems.

It’s still a thing.

Just because you don’t hear about it multiple times a day anymore doesn’t mean you should not be taking action, if you have not already. To those of you who have taken the time to protect yourself, kudos. This is a bug that would be very easy to be passive about reacting to, as there have not been any significant breaches or thefts reported. This bug is all about the potential. Because of the scope and scale of the bug, even though nothing major has happened (that we know of), you should still take action. To those of you who take the “well, it won’t happen to me” approach to web security, this is particularly important for you. Here’s what I recommend you do:

  1. If you know the site was vulnerable to Heartbleed, then change your password now. Most companies patched their OpenSSL with a fixed version within a day of the announcement. Not all sites are recommending you change passwords, as they have not seen any impact from the bug, but remember that malicious hackers can be patient, and just because there hasn’t been any obvious sign yet doesn’t mean there won’t be. Not to play fear tactics, but it is possible they stole your password and are just waiting until the hype dies down to make their move.
  2. If you are not sure whether a site used an affected version of OpenSSL, you can check the web for compiled lists (see Mashable or CNET) or use a web tool to see if the sites you frequent happened to have been using the affected versions of OpenSSL. The web tool I recommend is hosted by LastPass. NOTE: The compiled lists are certainly not complete. There would be millions of websites on the list, so your best bet is to use a web tool to check specifically for the sites you know you use.
  3. If you are still not sure whether the site you visit used the impacted versions of OpenSSL, I would err on the side of caution and change your passwords anyway. It may be faster to just change them all than to look them up and then change them.
  4. Keep an eye out. Pay close attention as more information comes out, especially reports of data being taken, to make sure you were not affected.
  5. Lastly, pay close attention to emails from sites you visit to make sure they are legitimate. This bug is a great opportunity for phishing scams, where you may receive an email that looks like it was from a site you visit. They may tell you about the bug and ask you to click on a link to change your password or verify your login information, but you’ve really just handed your info over to a thief. When dealing with sensitive information, do not click on links in emails unless you are certain they are legitimate; if unsure, go directly to the site’s URL in a web browser and update your account information there.

Ok, I listened. I just updated all of my passwords from “password1” to “password2”. I’m safe, right?

Seriously?

It still amazes me how many people use the same simple password over and over and over, for everything from their account on CatVideoOfTheWeek.com to their secure login on their bank’s website. I’m hoping that since you may already have to update passwords due to Heartbleed, you may also take this time to instill good password practices on the web. With a little extra effort you can make your online life more secure. Please check out my other post on password security. I try to update it as new things come out, but at the very least it offers the foundation for good password practices online.