The Heartbleed bug: here’s what is it, and how you can protect yourself
Adam Oxford explains how to minimise risk from the internet's gaping security hole
You may not have noticed, but the internet went into high alert yesterday after it was discovered that a crucial piece of code used for encrypting traffic between web browsers and secure servers had a serious flaw in it.
The flaw is so big and so extreme, it’s possible that someone has had access to secure keys used to encrypt everything from ecommerce to government services for the last three years.
Remember all those times we told you to make sure there was a padlock symbol on your browser before typing in things like bank details or credit card numbers? Seems like that may not have been quite enough to protect you after all.
What is Heartbleed?
The bug itself is officially designated CVE-2014-0160, but it goes by the nickname ‘Heartbleed’ – so called because it affects a piece of code called ‘heartbeat’, which some servers run at the time when encryption ‘keys’ are exchanged using a program library called OpenSSL. Essentially, if a server is vulnerable to Heartbleed, anyone can remotely read the current contents of its memory simply by calling up heartbeat and listening to the response.
What Heartbleed reveals is 64Kb of data from active memory – the information stored in system RAM that your computer is working on right now. Most of the time, this is likely to be utter gibberish – weird combinations of meaningless characters and hexadecimal numbers. But not always – with enough patience commentators at Hacker News were using Heartbleed to monitor Yahoo!’s mail servers until they were patched and described the process of capturing email addresses and passwords as “trivial”.
Worse yet, an attacker using Heartbleed may be able to capture a server’s security certificates and master keys from memory – allowing them to spoof that server for phishing attacks in future. Likewise they’ll be able to grab encryption keys generated from your machine as you log on to that website.
Some two thirds of web servers run OpenSSL, and as well as Yahoo! other well known services like Lastpass and – indeed – OpenSSL.org have been affected.
So, should I panic?
Probably not, although a certain amount of trepidation is probably wise. The good news is that patches are available to prevent Heartbleed already, and you should update your PC as soon as possible. Also, it doesn’t appear that the bug was widely known before today.
Many online services, including most banks, don’t use OpenSSL at all, so your credentials there should be safe.
The bad news is that there’s literally no way of knowing whether or not someone has launched a Heartbleed attack on a particular server in the past or what information they have been able to read from it at the time.
It seems safe to argue that if it was being widely used, the damage this bug could cause would have been exploited in a noticeable way. In a similar way, the long standing exploits in the same security layer that were discovered on Apple and Linux computers recently don’t seem to have been widely exploited – but there’s no way to be sure.
The real question is not ‘should I panic?’, rather it’s ‘what can I do about it?’ The reality of that is that you’re heavily reliant on the web servers you use.
The team that discovered Heartbleed recommends that site owners update their software as soon as possible, and then inform users that they may have been at risk and that they should change their passwords and clear any browser cookies (which may use compromised data) out right away. If you change your password before the server is patched, you run the danger of having your new one compromised if the server is still insecure.
Also, it’s not enough for a server owner to simply upgrade the software. New security certificates should also be purchased and applied rendering any old ones captured invalid.
Unfortunately, it appears that many websites are updating their OpenSSL software, but they are not informing users as they do so. So the best advice is probably to change as many of your passwords as you think might have been at risk now, and then do so again in the future. Also, there’s no way of being sure old certificates have been revoked after an upgrade.
You can check to see if a website is currently vulnerable using the online tool filippo.io/Heartbleed, which essentially performs a Heartbleed attack without revealing any critical data to you.
So, what should I do?
Check any sites you log onto with filippo.io/Heartbleed and make a note of the ones that are still vulnerable. If they are, make a note and check back again in week or so to see if they’ve been patched. If they haven’t been patched, don’t use them again – at least not for information you need to protect.
For maximum peace of mind, delete all cookies, saved passwords and site data from your browser cache now, and change as many passwords as you can – especially those for services that carry a lot of critical data (like banks and online shopping sites).
Don’t change passwords of any compromised sites until they’re fixed, as by doing so, you’ll be at opening yourself up to unnecessary risk.
Use good password practice – create a unique password for every site, so that if one login has been compromised it won’t affect all your others. Make your passwords unmemorable, just long strings of random characters, and store them in a secure vault like Lastpass or 1Password (Lastpass was vulnerable to Heartbleed, but since it doesn’t store user data – like your passwords – in memory none of the password vaults were compromised).