Heartbleed – What You Need to be Doing Now

Background to Heartbleed

The Heartbleed bug is a vulnerability found in OpenSSL, an open source code library that provides cryptographic services to some websites that use SSL. SSL (Secure Sockets Layer) is the underlying technology behind websites that use secure certificates; your internet browser shows a padlock icon in its address bar when it is in use. It’s the way in which you can be sure that the data travelling between your device and the website, should it be intercepted, cannot be read by anyone else, and it is the reason why organisations such as banks, shopping sites and other companies handling your sensitive data employ it.

What was the Heartbleed bug?

What the Heartbleed bug did was to allow that information to be read in an unencrypted form, due to a programming error in the library. This is obviously bad news on a number of fronts, not least that such bugs can be out in the wild for long periods of time, but as far as most website users are concerned it was the equivalent of putting your financial details into a website without the protection of a secure certificate / padlock (which I’d very much hope you wouldn’t do!) or having your PIN written on the side of your credit card.

Heartbleed is unlike anything else that’s happened before on the internet. Websites and other software have bugs in them all of the time, but this is the first known occurrence of an issue that undermines the underlying security of so many websites, web applications and web services across the internet. What’s more, it went undetected for so long that large parts of the internet have effectively been operating under the misapprehension that they were secure for over two years.

It’s very important to point out at this stage that not every secure website was affected by this issue. While SSL is an industry standard, there is more than one way of implementing it, and the OpenSSL library wasn’t / isn’t used by everyone who secures the data to and from their site. Organisations such as banks and building societies, for example, use a much stronger method to ensure encryption.

What’s been fascinating to me is the general response to this bug, away from the industry. The fallout from Heartbleed was only ever going to go one of two ways: a major outcry and a huge drop in confidence when using the internet for sensitive data transactions, or complete apathy. Sadly it appears to be the latter, with a report earlier this week suggesting that only 39% of internet users have reacted in any way at all to protect themselves and their data.

So am I now safe from Heartbleed?

A fix for the Heartbleed bug was released in a new version of OpenSSL on 7 April 2014. That doesn’t mean that every website using OpenSSL was immediately alright again, of course, but on the whole it’s thought that companies have responded well to the threat and patched the problem on their systems. Leaving aside those organisations yet to respond to the threat, this means only that, from this point in time onwards and as far as anyone can be certain of it, the issue is now resolved and you can feel confident that your data is secure. Every transaction that you make with your credit card, whether it be online, in a shop, on a train, etc., carries with it an element of risk that your details will be intercepted one way or another; the only way to be truly safe is to not use these systems at all, but that’s not a practical solution.

So as of now, just short of a month on from the release of the fix, you should be alright on most websites, but take a look at the lists on some of the links below for more information on individual cases. Most organisations have also released information on their own sites about this bug.

What about the past, though, up until the fix was released…?

What should I be doing now?

You have effectively been using apparently secure services on the internet without any protection for over two years prior to this fix being put in place, on a per-site / per-service basis (and just to reiterate, it isn’t every single website). Therefore your login credentials and other data could have been picked up and read by people that you don’t want – or expect – to see them.

That your login credentials are most likely secure now is good news, but if they’re the same as they were while this problem was still ongoing, you’re no more secure now than you were back then if someone already knows your login details. Therefore what you need to be doing now is reacting to this Heartbleed bug:

  • identify which of the websites you use have been identified as vulnerable to this bug (see links below)
  • find out whether they’ve fixed the issue already
  • if they have, change your login credentials as a matter of urgency (and if not, keep checking)

Could Heartbleed happen again?

A bug such as Heartbleed could very easily happen again. As Heartbleed happened once and was out in the wild for over two years, there’s absolutely no reason to suggest that it – or something similar to it – couldn’t happen again. A bug, after all, is simply a known issue, and it could well be that other issues yet to be identified are already out there. Hopefully this issue has been a real eye-opener for the industry and similar problems can be avoided in the future, but in either case we, as individuals, should always take our online security seriously.

As a broad set of rules, you should carry out the following as a matter of course when online:

  • Use complex passwords
  • Don’t re-use passwords for different sites / services
  • Don’t use a recognisable pattern for passwords
  • Don’t use passwords that could easily be guessed (dog’s name, etc.)
  • Change your passwords periodically
  • Store your passwords securely (if your own brain alone doesn’t suffice!)
  • Don’t assume that your existing security practices make you impervious to attack
  • Realise that if someone gets access to your e-mail account, they can reset your passwords for other services and then gain access by verifying the receipt of an e-mail to your account

More information on Heartbleed

Wikipedia has a list of services and sites that were affected by Heartbleed.

Other sources