Heartbleed OpenSSL Vulnerability
Heartbleed is a major concern for security professionals and internet users alike. Here is what you need to know about Heartbleed and your security online.

Heartbleed affects OpenSSL software, the most popular way to encrypt data online. It allows a secure server to disclose information available in its memory. The bug has existed in OpenSSL since approximately March 2012, meaning data has been vulnerable since that time. Hackers have had the ability to steal encryption keys that would allow them to access past, present, and future information. It is possible that 500,000 or more websites could be affected by this bug. That means information like usernames, passwords, and credit card information might be intercepted.
Are all secure connections affected by the Heartbleed bug?
Not all SSL/TLS implementations were affected by the bug. According to cnet.com, “OpenSSL is open-source software for SSL implementation across the Web. The versions with the vulnerability are 1.0.1 through 1.0.1f.” Earlier versions of OpenSSL were not affected, and builds in which the “heartbeat” feature was not enabled were not affected either.
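The version range above is the first thing an administrator checks when triaging a fleet, and the heartbeat caveat is the second. The following Python script is an added example (not code from the original article or from the OpenSSL project) that turns both statements into a check: it parses the output of `openssl version`, flags builds in the 1.0.1 through 1.0.1f range the page names, and treats a build compiled with the `OPENSSL_NO_HEARTBEATS` define (visible in the compiler flags that `openssl version -f` prints) as unaffected. The host names, version strings and flag lines in the inventory are constructed sample data, and the `triage_inventory` helper is this example's own.

```python
import re

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "1.0.1e-fips", "1.0.1" and similar.
# Groups: major, minor, patch, optional patch letter(s).
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Compile-time define that removes the heartbeat extension entirely.
_NO_HEARTBEATS_DEFINE = "OPENSSL_NO_HEARTBEATS"


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) from an 'openssl version' line."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letter = match.groups()
    return int(major), int(minor), int(patch), letter


def heartbeats_disabled_from_cflags(cflags_line):
    """True if the build's compiler flags show the heartbeat extension was compiled out."""
    return _NO_HEARTBEATS_DEFINE in cflags_line


def is_heartbleed_vulnerable(version_text, heartbeats_disabled=False):
    """Apply the article's rule: 1.0.1 (no letter) through 1.0.1f is affected,
    unless the heartbeat feature was not built in."""
    major, minor, patch, letter = parse_openssl_version(version_text)
    if (major, minor, patch) != (1, 0, 1):
        return False            # 0.9.8, 1.0.0 and 1.0.2+ are outside the stated range
    if letter and letter > "f":
        return False            # 1.0.1g and later carry the fix
    return not heartbeats_disabled


def triage_inventory(inventory):
    """Given {host: (version_line, cflags_line)}, return the sorted hosts that
    still need patching and a replacement of their encryption keys."""
    affected = []
    for host, (version_line, cflags_line) in inventory.items():
        disabled = heartbeats_disabled_from_cflags(cflags_line)
        if is_heartbleed_vulnerable(version_line, heartbeats_disabled=disabled):
            affected.append(host)
    return sorted(affected)


# Constructed sample inventory: what each host reports for
# 'openssl version' and for the compiler line of 'openssl version -f'.
SAMPLE_INVENTORY = {
    "web-01":    ("OpenSSL 1.0.1e 11 Feb 2013", "compiler: gcc -DOPENSSL_THREADS -D_REENTRANT"),
    "web-02":    ("OpenSSL 1.0.1g 7 Apr 2014",  "compiler: gcc -DOPENSSL_THREADS"),
    "vpn-gw":    ("OpenSSL 1.0.1c 10 May 2012", "compiler: gcc -DOPENSSL_NO_HEARTBEATS"),
    "legacy-db": ("OpenSSL 0.9.8y 5 Feb 2013",  "compiler: gcc"),
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: affected OpenSSL build; patch, then replace keys and certificates")
```

Only `web-01` is reported: `web-02` is already on 1.0.1g, `vpn-gw` runs an affected version number but was built without heartbeats, and `legacy-db` is on the older branch the article says was not affected. A host that is flagged needs the patch first and new keys afterwards, since the old keys may already have been read out of memory.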
Which devices are at risk?
Phones, PCs, routers and other devices are at risk. What may come as a surprise is that many home and business networks are secured using OpenSSL. This can include “desktop phones, video conferencing hardware and VPN software”.
Is there a fix for the Heartbleed vulnerability?
There is a fix for the Heartbleed bug, and it has already been released for web professionals to install. SC Magazine quotes Steve Pate of HyTrust, “…[O]ne of the benefits of an open source software project [is that] changes are generally easier to detect and fixes tend to come quickly.” Now, however, web server administrators must replace the encryption keys that may have been exposed, which is expensive and time-consuming.

Long term, security professionals need to rethink the username and password system. It is old technology and is not secure enough to protect the sensitive data that we can store and access online.
What can I do now?
Many Internet users feel that changing passwords right away is the best protection for their private information. However, doing this too soon is not the best course of action: a new password entered on a site that is still unpatched can be exposed just like the old one. Change your passwords only after being notified that the affected websites have been patched. And, since determining which websites have been compromised is difficult, it is probably a good idea to change most passwords once the all clear is given.

There are also websites available for users to check whether a site is affected by Heartbleed. LastPass and Qualys offer two such checkers from reputable online security professionals. ZMap has compiled a list of popular vulnerable websites.