Heartbleed OpenSSL Vulnerability
Are all secure connections affected by the Heartbleed bug?
Not all SSL/TLS implementations were affected by the bug. According to cnet.com, “OpenSSL is open-source software for SSL implementation across the Web. The versions with the vulnerability are 1.0.1 through 1.0.1f.” Some earlier versions of OpenSSL were not affected, particularly if the “heartbeat” feature was not enabled.
Which devices are at risk?
Phones, PCs, routers and other devices are at risk. What may come as a surprise is that many home and business networks are secured using OpenSSL. This can include “desktop phones, video conferencing hardware and VPN software“.
Is there a fix for the Heartbleed vulnerability?
There is a fix to the heartbleed bug and it has already been released for web professionals to install. SC Magazine quotes Steve Pate of HyTrust, “…[O]ne of the benefits of an open source software project [is that] changes are generally easier to detect and fixes tend to come quickly.“ Now, however, web server administrators must update vulnerable encryption keys which is expensive and time consuming.
Long term, security professionals need to rethink the user name and password system.It is old technology and is not secure enough to protect the sensitive data that we can store and access online.
What can I do now?
Many Internet users feel like changing passwords right away is the best protection for their private information. However, doing this too soon is not the best course of action. Change your passwords only after being notified that the affected Web sites have been patched. And, since determining which websites have been compromised is difficult, it is probably a good idea to change most passwords once the all clear is given.
There are also websites available for users to check if a site is affected by Heartbleed. LastPass and Qualys are two from reputable online security professionals. Zmap has compiled a list of popular vulnerable websites.