By now most of you will have heard of the so-called ‘Heartbleed’ bug that is currently scaring the life out of the Internet public. The bug refers to a recently discovered flaw in the web encryption software OpenSSL that gives hackers access to personal data like credit card numbers, usernames, passwords and—most alarmingly—cryptographic keys. While major sites like Google, Facebook, Twitter and Dropbox are safe, the OpenSSL system is used by some half a million websites worldwide—any and all of which may be considered at risk.
Although news of the Heartbleed revelation has travelled refreshingly fast, much of the accompanying media coverage has either overstated the severity of the problem (with one TV commentator hyperbolically calling it “the end of the Internet”) or been factually inaccurate. Thanks to its highly technical nature and its spooky, horror movie-esque name, the Heartbleed phenomenon has been greeted with panic and confusion. While it’s definitely a risk worth paying attention, it is scarcely the online apocalypse that many have claimed.
So what exactly is Heartbleed and what are we to do about it? This Q&A should help unravel the confusing mass of commentary on the phenomenon.
1. Is Heartbleed a virus?
No. Numerous commentators have erroneously referred to the Heartbleed bug as a ‘virus’. It’s not. It’s a software flaw in the OpenSSL cryptographic software library. In other words, buying a new Antivirus package will do absolutely nothing to prevent you from being affected by it.
2. What makes it so dangerous?
Heartbleed is a security flaw that allows cybercriminals to steal usernames, passwords, instant messages emails, documents and other communications from websites. But that’s not the worst of it. The researchers who identified the problem demonstrated that hackers could exploit the bug to steal cryptographic keys, thus allowing them to impersonate a server and intercept any communications by other users of that service.
3. What is being done to fix the problem?
OpenSSL has already developed and released an emergency patch for the bug called Heartbeat. While it is still far from universal among SSL sites, the patch is rapidly being implemented across the web. Most major services were either not affected or rapidly upgraded their servers to incorporate the patch.
4. Are my online banking sites at risk?
When the Canada Revenue Agency shut down part of their website in response to the Heartbleed threat, this provoked widespread panic over the safety of online banking sites. The Canadian Bankers Association quickly responded to assure the public that their networks are actively monitored so as to ensure customers’ online safety and privacy.
5. I heard Yahoo is vulnerable to Heartbleed. Is this still the case?
No. Early reports on the Heartbleed bug stated that Yahoo was vulnerable to security leaks. This is no longer the case. That said, data may have been leaked during the time that the site was vulnerable.
6. Is Squarespace at risk?
No. On Tuesday, April 8, Squarespace publicly announced via Twitter that “all public-facing Squarespace services” are safe and not vulnerable to the Heartbleed bug. So, NikComm's customer websites are safe.
7. How can I find out if a specific site is at risk?
OpenSSL provides an easy diagnostic tool to determine the risk level of any given URL. You can find it at www.ssllabs.com.
8. What should I do if a website I manage has been compromised?
Are you a website owner whose site might have been compromised? Once the vulnerability has been patched as per #3, the compromised encryption keys need to be revoked and new keys reissued. Even after these steps have been taken, individual users may still be at risk. Such users need to be contacted so that they know to change their passwords.
9. How can users protect themselves against Heartbleed?
Unfortunately there’s nothing you can do to recover data once it’s been lost due to the Heartbleed bug. The best thing users can do to protect themselves is change passwords on a regular basis. Some commentators have called Heartbleed a ‘wake-up call’ to web users over the importance of regularly changing online passwords. Whether it’s a coding flaw like Heartbleed or a human being staring over your shoulder on a bus, it’s simply a good idea to regularly change your passwords.