What's the Buzz about the Heartbleed Bug?
A brief introduction to the Heartbleed bug, and how ordinary users might be affected by it.

You may have heard a lot of buzz going around about the Heartbleed bug lately. What is it? Why is it such a big deal? The Heartbleed bug is the most widespread vulnerability in the history of the Internet, so it’s important that every Internet user know about it, even if you aren’t directly affected by it. There is a lot of technical information surrounding SSL and the Heartbleed bug, but what does it mean to the average user? Let’s take a look.
OpenSSL

Even though you may not know exactly what OpenSSL is, if you use the Internet, you probably interact with it on a daily basis. OpenSSL is a piece of software intended to help with security online. Popular websites use OpenSSL to encrypt information—passwords, user names, and other content—while it is transferred from your computer to the website requiring that information. Software comes in different versions, and developers—the people who make software—tweak and improve programs as they go. Sometimes, though, the little mistakes in programs—called bugs—aren’t found and fixed as quickly as they could be. In April 2012, version 1.0.1 of OpenSSL had a bug that was not discovered until this last week. That bug made it possible for someone to retrieve sensitive information from the servers of websites that use OpenSSL without being detected. A number of supposedly secure websites—including apps, messaging services, and online shopping sites—have discovered that they are vulnerable to this bug, which has been nicknamed Heartbleed.
Which websites are affected?

The Heartbleed bug affects any site running OpenSSL versions 1.0.1 through 1.0.1f. Some sites may run older versions of OpenSSL that are not vulnerable, and others have probably already updated to a fixed version. Not all sites use OpenSSL, but an estimated 66% of the Web uses it, so a large portion of the Web may be vulnerable. It’s estimated that the bug affects two out of three servers on the Internet. If you’re wondering whether a site has been affected, you can check it by typing its address into the LastPass Heartbleed checker HERE. Because Heartbleed is a complicated thing to fix technically, IT professionals can’t simply patch the copies of OpenSSL running on their devices and websites. They also need to make sure that any digital certificates issued before the patch are still safe, so this issue is taking some time to fix. The flaw in the OpenSSL software itself no longer exists, as it was repaired almost as quickly as it was discovered. However, you can—and should—still take simple steps to protect yourself. Really, there is nothing to panic about, but it will take some time to make sure that your personal information is safe.
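The two points above, which OpenSSL versions are affected and why certificates issued before the patch also need attention, can be turned into a simple triage check that an administrator runs over an inventory of servers. The Python below is an added example and is not code from the original post, from OpenSSL, or from LastPass. The hostnames, version banners and certificate dates in it are constructed for illustration; the fix date it relies on (7 April 2014, when OpenSSL 1.0.1g was released) is a fact not stated in the post.

```python
"""Triage helpers for Heartbleed exposure (added example, not from the original post).

Encodes two checks the post describes: whether a server's OpenSSL release falls in
the affected range (1.0.1 through 1.0.1f), and whether its certificate dates from
before the fix and should therefore be reissued.
"""
import re
import ssl
from typing import Dict, Optional, Tuple

# Fix release date: OpenSSL 1.0.1g shipped on 7 April 2014.
# Certificates whose validity began before this may have had their private key
# read from server memory while the server was vulnerable.
DISCLOSURE_EPOCH = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")

# Matches the start of an `openssl version` banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)\b")


def classify_openssl_version(banner: str) -> str:
    """Classify an `openssl version` banner as vulnerable, fixed, not-affected or unknown.

    Only released versions are covered: 1.0.1 through 1.0.1f are vulnerable, 1.0.1g and
    later letters of the 1.0.1 line are fixed, and the 0.9.8 and 1.0.0 lines never
    contained the heartbeat code.
    """
    m = VERSION_RE.match(banner.strip())
    if not m:
        return "unknown"
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = m.group(4)
    # 1.0.2 pre-release builds are outside the post's version range; flag for manual review.
    if (major, minor, patch) == (1, 0, 2) and "beta" in banner.lower():
        return "unknown"
    if (major, minor, patch) != (1, 0, 1):
        return "not-affected"
    # Release letters sort alphabetically: "" (plain 1.0.1) < "a" < ... < "f" < "g".
    return "vulnerable" if letter <= "f" else "fixed"


def cert_needs_reissue(not_before: str) -> bool:
    """True if a certificate's validity began before the fix was available.

    `not_before` uses the format ssl.getpeercert() returns, e.g. "Jan 15 00:00:00 2014 GMT".
    """
    return ssl.cert_time_to_seconds(not_before) < DISCLOSURE_EPOCH


def triage(banner: str, not_before: Optional[str]) -> str:
    """Turn a version banner and certificate start date into a recommended action."""
    status = classify_openssl_version(banner)
    if status == "unknown":
        return "unknown version string, verify manually"
    if status == "not-affected":
        return "not affected"
    if status == "vulnerable":
        # A vulnerable server is patched first; its key was exposed while the bug was
        # live, so the certificate is reissued (and the old one revoked) afterwards.
        return "patch OpenSSL, then reissue certificate"
    if not_before is not None and cert_needs_reissue(not_before):
        return "patched, reissue certificate issued before the fix"
    return "patched"


# Constructed sample inventory (hostnames and values are made up for this example):
# hostname -> (`openssl version` banner, certificate notBefore as ssl.getpeercert() reports it).
SAMPLE_INVENTORY: Dict[str, Tuple[str, Optional[str]]] = {
    "shop.example": ("OpenSSL 1.0.1e 11 Feb 2013", "Jan 15 00:00:00 2014 GMT"),
    "mail.example": ("OpenSSL 1.0.1g 7 Apr 2014", "Apr 10 00:00:00 2014 GMT"),
    "legacy.example": ("OpenSSL 0.9.8y 5 Feb 2013", "Mar  1 00:00:00 2013 GMT"),
    "api.example": ("OpenSSL 1.0.1g 7 Apr 2014", "Mar  1 00:00:00 2014 GMT"),
    "cdn.example": ("LibreSSL 2.0.0", None),
}


def triage_inventory(inventory: Dict[str, Tuple[str, Optional[str]]]) -> Dict[str, str]:
    """Apply triage() to every host; returns {hostname: recommended action}."""
    return {host: triage(banner, nb) for host, (banner, nb) in inventory.items()}


if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:16} {action}")
```

One caveat when reading the result: the version string alone is not a reliable signal. Several Linux distributions backported the fix into their packages without changing the reported version, so a server that prints 1.0.1e may already be patched; treat "vulnerable" as a prompt to check the package changelog or confirm with the site's operator rather than as a final verdict.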
What can I do about it?

There are a few things you can do, but keep in mind that the problem needs to be fixed by vulnerable sites updating OpenSSL and reissuing their security certificates. Some may have already contacted you via email on the subject.
- Try to avoid connecting to vulnerable sites and services until you’re notified that they’ve been fixed.
- If a site you use informs you that it’s been compromised, change your password.
- Even if the site is not vulnerable, it’s a good idea to update your passwords anyway.
- Keep a password journal and update your passwords on a regular basis—perhaps quarterly, when you’re due for your 3-month Bask TuneUp.
If you are wondering how you can make your passwords stronger, check out our blog post on Hack-proof Password Tips by clicking HERE.