What is Heartbleed?
An important security issue that everyone should be aware of.
An SSL protected connection has an HTTPS address.
Heartbleed is a flaw in a piece of software called OpenSSL. When you visit a website like your bank or Google's Gmail and you see HTTPS:// in the address bar, that means that the website is using a technology called SSL to protect information that you and the website exchange with each other, everything from passwords to credit card numbers to bank balances. Without SSL it is possible for an evil-doer to see and read everything that you send to, or receive from, a website.
One popular brand of SSL software is OpenSSL; it is used by roughly 2/3rds of the Internet. When a website is using certain versions of OpenSSL (1.0.1f), the Heartbleed flaw allows a bad-guy to take a raw, unprotected sample of that website's memory, allowing them to see, unprotected, everything that has recently been sent to and from that website.
Although the flaw has existed for two years, it was only recently discovered by Google security engineers. They informed OpenSSL of the problem so that a solution could be created before announcing the problem to the public. OpenSSL made their public announcement on Monday, April 7th, 2014.
For the curious, a layman's explanation of how this flaw was given its graphic name can be found here.
What About "Private SSL Keys?"
Having your passwords compromised is bad enough. OpenSSL encryption relies on the exchange of a special key between a visitor and the website they are using, all of which takes place automatically. Part of this key is supposed to remain private, a secret known only to the website, never to the visitor. These are the keys that protect the information you share with a website, like your bank or online store. They also ensure that the website you are visiting is actually who they say they are. That's what the HTTPS:// or that little padlock that appears in the address bar of your web browser means.
Although initially debated, the Heartbleed flaw has been proven to allow the disclosure of the private key. This is particularly bad since a stolen private key could allow a bad guy to impersonate the company it was stolen from or reveal what is sent between visitors and a company's website even long after the flaw has been patched.
Instructions for affected website owners can be found here.
This matters to you because you want to be able to trust that the information that you are sending to and receiving from your bank's website (or Facebook or some other place) is really going to and from the place you think it is. You want to be able to trust that HTTPS:// or that little padlock in your address bar. If you learn that a company was affected by Heartbleed, ask them if they have replaced their certificates or verify it for yourself.
What Is the Heartbleed Encryption Bug?
Was The Lones Group Website Affected?
No. Unlike many websites, TheLonesGroup.com does not use OpenSSL and was not affected by the Heartbleed vulnerability.
So Who Is Affected?
In some capacity, everyone. The flawed OpenSSL software is/was in use by about 2/3rds of the Internet. Not just websites, but phones, home networking equipment and many other devices may be vulnerable if they are using a flawed version of OpenSSL.
On Tuesday, April 8th, as news of the flaw was being publicized, a test was done of the top 10,000 visited websites to see which were affected by this flaw. This list contains many prominent names, including:
Facebook, Instagram, Pinterest, Tumblr, Twitter, Google, Yahoo, Gmail, Yahoo Mail, GoDaddy, Intuit Turbo Tax, Dropbox, Amazon's cloud services and thousands more.
See the full top-10,000 list here.
When to Be Concerned
This probably won't impact you at your favorite news site and other places where you don't need to sign in. However, for banking websites, social networks and other websites where you share personal information, you should sit up and take notice. For example, real estate professionals should check their:
- MLS portal
- Brokerage portal
- IDX service
- Online document signing services
- Business banking services
- Cloud storage services
- Email portal websites
- Social media websites
- Any mobile app that you use where confidentiality matters.
How Do I Protect Myself?
First, check to see if the website you want to visit is on this top 10,000 list. If it is, test it to see if it is still vulnerable. However, your local credit union and other less worldly websites you visit may not be on this list. For cases like that we recommend that you contact the institution by phone or email and find out three things:
- Were they vulnerable to the Heartbleed security flaw?
- If so, has it been patched?
- If so, have they replaced their security certificates?
How to Test a Website For the Heartbleed Vulnerability
Example of a site testing positive for the Heartbleed vulnerability.
You can also test websites using an online tool to see if they are still vulnerable. Use the link below and simply type in the address of the website you are curious about:
Click here to test a website
The screen shot at right is an example of the flaw actively being exploited. The testing website has sent the target website a message with the text YELLOW SUBMARINE. The Heartbleed flaw is then used to read the vulnerable website's memory. This shows that even though the connection to the website was secure, that text can be plainly read, unprotected, from the website's memory.
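For readers who want to see why a harmless "YELLOW SUBMARINE" message can pull other data out of a server, here is an added Python model of the bug (written for this article, not code from OpenSSL or from the testing website). A TLS "heartbeat" record carries a type byte, a two-byte length, the payload, and some padding; the server is supposed to echo the payload back. The vulnerable handler trusted the length field inside the record, so a short payload with a large claimed length made the server copy whatever happened to sit after the record in memory. Process memory is modelled as a byte string, and the leftover data that follows the record is constructed for the example; the fixed handler applies the same length check as the OpenSSL patch and drops the bad record.

```python
import struct
from typing import Optional, Tuple

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16  # TLS heartbeat padding (at least 16 bytes)

# Constructed stand-in for stale data left in memory by an earlier request.
LEFTOVER = b"POST /login user=alice&password=hunter2 ... session=abc123"


def build_record(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Build a heartbeat record; claimed_len lets the length field lie."""
    length = len(payload) if claimed_len is None else claimed_len
    header = struct.pack("!BH", HEARTBEAT_REQUEST, length)
    return header + payload + b"\x00" * PADDING_LEN


def heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-patch behaviour: echo as many bytes as the record *claims* it has."""
    _type, payload_len = struct.unpack("!BH", memory[:3])
    # record_len is never consulted, so a lying length field reads past the
    # record into whatever else is in memory.
    return bytes(memory[3:3 + payload_len])


def heartbeat_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Patched behaviour: discard records whose claimed length exceeds the record."""
    _type, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # silently drop the request, as the fix does
    return bytes(memory[3:3 + payload_len])


def demo(claimed_len: Optional[int] = None) -> Tuple[bytes, Optional[bytes]]:
    """Run both handlers on one request placed at the start of simulated memory."""
    record = build_record(b"YELLOW SUBMARINE", claimed_len)
    memory = record + LEFTOVER  # the record, then stale data behind it
    return (heartbeat_vulnerable(memory, len(record)),
            heartbeat_fixed(memory, len(record)))


if __name__ == "__main__":
    honest, _ = demo()
    print("honest request, both handlers echo:", honest)
    leaked, rejected = demo(claimed_len=80)
    print("lying request, vulnerable handler returns:", leaked)
    print("lying request, fixed handler returns:", rejected)
```

With an honest request both handlers return the sixteen-byte payload. With a request that claims 80 bytes, the vulnerable handler returns the payload, the padding, and then the start of the "leftover" login data, which is exactly the kind of disclosure the screen shot illustrates; the fixed handler returns nothing.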
If you test a website and it is still vulnerable, do not share any information with that website. A prudent recommendation would be to not visit the website at all until we know that they've either been patched or that the Heartbleed flaw definitively cannot reveal private SSL security keys.
How to Check That a Website Has Updated Its Keys
Sample certificate testing results. Notice the valid from
Next, if you know that a website was vulnerable and is now fixed, but you want to be extra sure that they are safe to use again, then check the date on their security certificate.
You are looking for a date issued or valid from date that is ideally after April 7th, 2014.
Option 1: Use a Website
The easiest way to check is by using one of the many websites available which have online tools for this very thing. SSL Shopper has a quick and easy to use online tool. At right is an example of the certificate for Google.com being tested.
Check a certificate online
Option 2: Check It Manually
Your web browser can also tell you when a certificate was issued. Just follow these visual steps for your browser.
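For readers comfortable with a command line, the same "valid from" check can be scripted. The following is an added example written for this article (not a tool from SSL Shopper or the article's author) using only Python's standard library: it reads the certificate's notBefore date and reports whether it falls after the April 7th, 2014 disclosure. The two sample certificates are constructed in the dictionary format that `ssl.SSLSocket.getpeercert()` returns, so the check can be tried without a network connection; `fetch_cert` shows how to get the real dictionary from a live site.

```python
import socket
import ssl
from datetime import date, datetime, timezone

# Day OpenSSL announced the flaw; a certificate issued before this date
# may have been created with a key that a vulnerable server exposed.
HEARTBLEED_DISCLOSURE = date(2014, 4, 7)


def cert_valid_from(cert: dict) -> datetime:
    """Parse the 'notBefore' field of a getpeercert() dictionary as UTC."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_disclosure(cert: dict, cutoff: date = HEARTBLEED_DISCLOSURE) -> bool:
    """True if the certificate's valid-from date is strictly after the cutoff."""
    return cert_valid_from(cert).date() > cutoff


def fetch_cert(hostname: str, port: int = 443) -> dict:
    """Fetch the certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates (hostnames and dates are made up).
OLD_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "notBefore": "Mar 12 00:00:00 2014 GMT",
    "notAfter": "Mar 12 23:59:59 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "notBefore": "Apr  9 08:30:00 2014 GMT",
    "notAfter": "Apr  9 08:30:00 2015 GMT",
}

if __name__ == "__main__":
    import sys
    # Pass a hostname to check a live site; otherwise use the constructed samples.
    if len(sys.argv) > 1:
        certs = {sys.argv[1]: fetch_cert(sys.argv[1])}
    else:
        certs = {"old sample": OLD_CERT, "new sample": NEW_CERT}
    for name, cert in certs.items():
        print(name, "valid from", cert_valid_from(cert).date(),
              "- reissued after disclosure:", reissued_after_disclosure(cert))
```

A date after the disclosure is only half the story: it shows the certificate was reissued, not that the underlying key was replaced or that the old certificate was revoked, so the three questions above (vulnerable? patched? certificates replaced?) are still worth asking.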
What About Passwords?
There are a couple ways you can look at your password security.
The Common Sense Approach
This flaw has existed for about two years. Common sense says that if you haven't visited the website you are concerned about since before April 7th, then your password is no less safe than it has been for the past two years. Widespread publication of the flaw began on that date. We still recommend that you change your passwords occasionally, that's simply good practice, and this is as good a time as any.
The Prudent Approach
Identify if the website in question was affected by this OpenSSL flaw. See above for how you might do that. If so, and if it has been fixed and had new certificates installed, then yes, absolutely, change your password, PIN and any other security pass that you use to control your access to that website.
If you want to change your password, make sure that the website you are changing it at is no longer vulnerable before you do! See above for how. If it is still vulnerable, you could be doing yourself more harm than good.
A Word of Caution
Be skeptical of any email you unexpectedly receive that asks you to reset your password. That email, even if it looks like it comes from a trustworthy source and even if the link appears to go to the website in question, should not be trusted. If you receive such an email and decide to act upon it, don't click on the links in that email. Instead, manually visit the website itself by typing the address into your web browser's address bar and then use that website's password reset ("forgot password") tool on your own.
Don't think that it can't happen to you. Only days after Heartbleed was disclosed, the Canadian Revenue Agency had to suspend public access to its website because over 900 citizens' data had been stolen using this flaw. Authorities have already arrested a suspect, but this should be proof to you that criminals and the curious alike are successfully abusing the Heartbleed flaw.
With a nearly two-decade background in programming, websites and database development, Randy Bowers has a lengthy and broad history of experience in online computing. As Director of Technology
for The Lones Group, Inc., Randy oversees technology projects and online company assets, including client website development, online marketing campaigns and planning our company's
technology position. On a typical day you'll find him programming new tools and providing friendly advice to help our clients grow with technology. When not at work he likes to spend
his time with his family, writing music, exploring kitchen chemistry, biking and playing video games. He can be reached at email@example.com.