Heartbleed: What is it?
The internet world was rocked this week by news of a dramatic security vulnerability (CVE-2014-0160) affecting websites across the internet. Specifically, it involves the encryption that web servers (and others) use to serve content in a secure way so that people in between cannot intercept it. More technical details can be found here, and a slightly less technical explanation can be found here. Read on for our much more delicately dumbed down layperson’s explanation:
Imagine two people, Dave and Samantha, shouting in the street. They use a secret language that only they know, so unless you know that language, you can’t intercept their secrets. That’s kinda like what SSL does. Now imagine that a scoundrel in between them figures out the language — he can now intercept their conversation. This is what happens when people find vulnerabilities in SSL — ways to circumvent or insert themselves into the stream of otherwise encrypted traffic. Usernames, passwords, private data. Bad, right? This is worse.
Now imagine that instead of merely overhearing and understanding Dave and Samantha’s conversation, you can simply plug into the brain of Samantha and download random snippets of her conversation. That’s essentially what this bug (in OpenSSL, specifically) resulted in. Yeah, it’s nasty.
It’s starting to make the rounds in the news – go check out Leo Laporte & co at TWiT for more discussion as well.
Website Owners: What should you do?
If you own or run a website of any kind that uses SSL for encryption, there are a few things you absolutely must do:
- Don’t panic. (Well, maybe panic a little.)
- Check if your website is hosted somewhere that is vulnerable to this bug. You can check by going here and putting in your website address:
- If your hosting provider is vulnerable, you can’t do anything until they fix it. They probably know, but may not — alert them via their support contacts.
- Once the bug is patched, you will need to replace the signed certificate that your website uses. If you don’t know what this means, or don’t know how to do it, find someone who does. Centresource can help!
- You will need to advise all the users on your site that your hosting provider was vulnerable to this bug, and that they should change their passwords.
Website Users: What should you do?
- Assume every website you use may have been vulnerable at some point to this bug. It’s not enough to check now — hosting providers are rapidly patching for this bug. If at any time they were vulnerable, your username and password could have been acquired.
- Before logging on to a website you use, check if the site is vulnerable or not:
- If it is, just wait. There’s nothing you can do until it’s fixed.
- If it’s not, log in, and change your password.
- Many sites encourage you to use your e-mail address as your username. Many people use the same passwords in multiple places. Shame on you — this is why you don’t! If someone has acquired your credentials from a vulnerable site — say, username firstname.lastname@example.org, password “terriblepassword123” — they also now know that you use gmail. They also might guess that your password is “terriblepassword123” there as well. And they’d be right.
- So, change that password, too.
- Basically, change all your passwords.
Centresource can help! We’re good at technology stuff. Drop us a line at http://centresource.com/contact or call Katy Ludington at (615) 636-3445