The Heartbleed Bug: Are Your Accounts at Risk?

by Michael on Apr 10, 2014 · 3 comments

In case you missed it, security researchers recently uncovered a major bug (known as “Heartbleed”) in a security protocol that protects much of the encrypted traffic on the Internet. And yes, if you do just about anything online, you’re affected.

In short, secure Internet services typically protect their traffic using a protocol called SSL/TLS. This includes certain websites, e-mail providers, chat services, etc. You’ll know this is happening on the web when you look at the address bar of your browser and see https:// (note the addition of the ‘s’) at the beginning of the URL.

Many such services use an open source implementation of this security protocol known as OpenSSL. Unfortunately, OpenSSL was found to contain a programming mistake that makes it possible for an attacker to steal the server’s encryption keys, usernames and passwords, instant messages, e-mails, etc.

But wait, it gets better… Not only is all of this information (potentially) exposed, but there’s no way of knowing whether or not a server has been compromised. Oh, and this bug has been out in the wild for over two years.

As for whether or not you’re likely to be affected by this bug…

“You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL.”

That’s from heartbleed.com, a site put together by the people who discovered and publicized the bug in the first place.

They went on to note that OpenSSL is used in the software that powers more than two-thirds of all websites, and that it’s also used to protect e-mail servers (via the SMTP, POP, and IMAP protocols), chat servers (via the XMPP protocol), virtual private networks (VPNs), etc. So yeah, it’s a widespread problem.

Of course, the fact that you (probably) do business with affected sites and/or services doesn’t mean that your info has been stolen, but it’s possible.

To protect yourself from the Heartbleed bug, you’ll need to go through your various online logins and change your credentials. But doing so won’t do you any good unless and until the service provider patches the bug (yes, a fix is available), revokes the compromised encryption keys, and re-issues new keys.

How will you know if/when this has been done? That’s the tough part. You’re largely dependent on the service providers letting you know that the problem (if they were affected) has been fixed. At that point, you should be able to change your password without fear of it being re-compromised via the Heartbleed exploit.

Note: There are some tools out there to check whether or not a website is affected (or has been fixed). I can’t vouch for any of them, but this one, which attempts the exploit and then reports the results, looks pretty good. It was developed by cryptography consultant Filippo Valsorda. If a site appears to have been “fixed or unaffected,” it should be safe to change your password.

That being said, I haven’t heard a peep from anyone about whether or not their site/service was affected by this bug, or how they’ve responded to the problem.
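One extra thing you can check yourself, as an added example that is not from the original post or its author: the date a site’s certificate was issued. If it still predates the Heartbleed disclosure (April 7, 2014), the keys almost certainly haven’t been re-issued yet. The script below uses only Python’s standard library; the hostname argument and the two sample certificate dictionaries are constructed placeholders, not real servers.

```python
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (CVE-2014-0160): April 7, 2014.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """Return the notBefore timestamp of a cert dict in the format produced by
    SSLSocket.getpeercert(), e.g. 'Apr  9 00:00:00 2014 GMT'."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_since_disclosure(cert, since=HEARTBLEED_DISCLOSED):
    """True if the certificate was issued on or after the disclosure date.
    Caveat: a fresh certificate only proves a fresh key if the operator also
    generated a new key pair; a re-issue over the old key would still pass."""
    return cert_not_before(cert) >= since


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Open a TLS connection to host and return its decoded leaf certificate."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample dicts in getpeercert() format (not from any real server).
OLD_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Jun  1 00:00:00 2013 GMT",
            "notAfter": "Jun  1 00:00:00 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Apr  9 12:00:00 2014 GMT",
            "notAfter": "Apr  9 12:00:00 2016 GMT"}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None  # placeholder hostname
    cert = fetch_peer_cert(host) if host else NEW_CERT
    print(host or "sample", "issued", cert_not_before(cert).date(),
          "reissued since disclosure:", reissued_since_disclosure(cert))
```

Run it with a hostname to check a live site, or with no argument to see it evaluate the built-in sample; a "False" result means wait for the provider before changing your password there.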


1 Kurt @ Money Counselor April 10, 2014 at 11:05 am

There are a number of websites where you can enter a URL and test for heart bleed. Here’s one: http://filippo.io/Heartbleed/


2 Michael April 10, 2014 at 11:07 am

Kurt: While you were writing your comment, I was already appending a note to the end of the article with a link to that same site. Great minds!


3 Jen April 10, 2014 at 11:38 am

Hi, Michael — Thanks for your post about this. I heard about this yesterday and am shocked at how little noise there has been. Yesterday the developer of Wunderlist emailed users that they have secured themselves against Heartbleed. They included this detailed account from one of their engineers: https://medium.com/p/804cdf4b48c1 about how it affected them and how they fixed it. Although I’m glad for their quick and thorough response, I wonder how long it will take for an Internet-wide fix, given the intricate interweaving of various networks that can repeatedly compromise one another.
