Yes, it is a thing and it could impact you. In fact, it’s estimated that over two-thirds of the web has already been affected in some way.
So, what is Heartbleed?
Essentially, it allows third parties to see your information by eavesdropping on websites and accounts.
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
Heartbleed was discovered a few months ago (by Google researcher Neel Mehta and the security firm Codenomicon), about two years after it had been introduced into the public domain, giving black-hat hackers quite some time to gather information. The alert on it has only recently been released to the public. While sites (like Google) are scrambling to patch any possible security flaws, there are things you can do to be safer on the web.
In What Users Can Do About the Massive Internet ‘Heartbleed’ Threat: Not Much, it’s made very clear:
“There is nothing users can do to fix their computers. They have to rely on the administrators of the websites they use,” said Mikko Hypponen, chief research officer with security software maker F-Secure of Helsinki.
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory — SSL private keys, user keys, anything — is vulnerable. And you have to assume that it is all compromised. All of it.
“Catastrophic” is the right word. On the scale of 1 to 10, this is an 11.
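The 64K figure above comes from the two-byte length field in a TLS heartbeat message: a request can claim a payload of up to 65,535 bytes, and the vulnerable code trusted that claim instead of checking it against the bytes actually received. The validator below is an added example (not code from this post or from OpenSSL) modeled on the kind of bounds check the fix adds; the `hb_validate` function, the verdict names and the sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HB_REQUEST 1
#define HB_HDR_LEN 3   /* 1 byte type + 2 byte payload length */
#define HB_PADDING 16  /* minimum padding a heartbeat message must carry */

/* Verdict for one heartbeat message body. */
enum hb_verdict { HB_OK = 0, HB_TOO_SHORT, HB_LENGTH_MISMATCH };

/* Validate a heartbeat message body. rec_len is the number of bytes that
 * actually arrived; the header inside the message claims its own payload
 * length. The bug was that the claimed length was trusted, so a responder
 * echoed back up to 64K of whatever sat next in process memory. This check
 * only accepts a claim that fits inside the received bytes. */
enum hb_verdict hb_validate(const uint8_t *rec, size_t rec_len,
                            size_t *payload_off, size_t *payload_len)
{
    /* Must at least hold the type, the length field and minimum padding. */
    if (rec_len < HB_HDR_LEN + HB_PADDING)
        return HB_TOO_SHORT;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* Header + claimed payload + padding must fit in what was received. */
    if (HB_HDR_LEN + claimed + HB_PADDING > rec_len)
        return HB_LENGTH_MISMATCH;

    *payload_off = HB_HDR_LEN;  /* echo only bytes the peer really sent */
    *payload_len = claimed;
    return HB_OK;
}

/* Constructed sample: 3-byte payload, honestly claimed, 16 bytes padding. */
static const uint8_t good_rec[] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Constructed sample: same bytes on the wire, but the header claims 65535. */
static const uint8_t bad_rec[] = { HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    size_t off, len;
    printf("good record: verdict %d\n", hb_validate(good_rec, sizeof good_rec, &off, &len));
    printf("bad record:  verdict %d\n", hb_validate(bad_rec, sizeof bad_rec, &off, &len));
    return 0;
}
```

A patched responder drops the second record instead of answering it, which is why the fix is applied on the server side and not on your computer.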
Your computer is not infected; the flaw is on the web's servers. So, until proper fixes are applied, take measures to navigate the web more safely.
Passwords aren’t enough.
Heartbleed is a good reminder that passwords alone aren’t enough security. However, if you haven’t changed your passwords already, I recommend you do so once you know the site’s server has been updated with the proper fixes. In fact, I would recommend changing your passwords seasonally for better security. Never use the same password on two accounts that matter and consider using a two-step sign-in process when offered.
When you’ve finished business in your account, log out. This way your account isn’t open and idle, making itself an easier target.
Watch your financial statements.
Many of us make purchases online. Attackers can access a server’s memory for banking and payment information, so it may be a good idea to look out for unfamiliar charges on your statements.
If anyone has questions, please use the blog form to reach us privately or leave a comment below and we’ll do our best to assist you. Watch this page. Updates will be made as we get them.
Stay safer and be good to yourselves and each other.
Note: Administrators can read the EFF’s recommendations in David Grant’s The Bleeding Hearts Club: Heartbleed Recovery for System Administrators.
Which sites have patched the Heartbleed bug?
A live, constantly updated list of the top 100 sites across the Web, showing whether each has patched the Heartbleed bug.
For the ultra-security conscious, here’s Tor’s advice on Heartbleed: “If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”
Google spokeswoman Dorothy Chou told Reuters: “We fixed this bug early and Google users do not need to change their passwords.”
Little Internet users can do to thwart ‘Heartbleed’ bug
[Note: I would advise changing your password after Google announces that all fixes have been properly applied to all of its services. This seems especially critical since Google now forces most users to log into its services, including Blogger and YouTube, using one Google identity. The Chromebleed extension is currently announcing Blogger, Google’s blog service, may still be vulnerable at 5:21 AM EST. Please wait for all patches to be properly applied before changing your password(s) to Google services. – Gen]
[Note: Are you a Yahoo user? Once you know Yahoo has been completely updated with the proper fixes, I suggest you change the password on any and all services you use there. – Gen]
“We were able to scrape a Yahoo username & password via the Heartbleed bug,” tweeted Ronald Prins of security firm Fox-IT, showing a censored example.
‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords
GitHub user Mustafa Al-Bassam performed a mass scan for vulnerable sites at 16:00 UTC (noon US eastern time) on April 8th. The scan covered over 10,000 websites, and he found that 627 of them were vulnerable to the bug. Yahoo sites (including email and Tumblr) were vulnerable, as was the popular dating site OkCupid.
See list here https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt
Half a million widely trusted websites vulnerable to Heartbleed bug
Note: this also allows you to check a site.
A Canadian reader writes “The day I go to file taxes and Canada Revenue is shut down because of heartbleed LMAO”
Not just servers hit by OpenSSL’s Heartbleed – your PC and phone may be vulnerable too
There’s nothing you can do about the past
In the wake of the Heartbleed disclosure, system administrators have been scurrying to secure their systems, revoke certificates, check for other patches and change login data.
What these admins cannot do, however, is go back in time and prevent any person (or organization) who may have taken advantage of this vulnerability from accessing information not intended for them.
Even scarier, it’s not even clear that it’s possible to tell whether anyone exploited the vulnerability in the past, because the attack leaves no trace in server logs. In other words, patching a system today is great, but it can’t undo any silent damage that has already happened.
[Note: Don’t panic. No one knows what (if any) data has been acquired and we can’t do anything about the past. However, we can take the measures highlighted in this article to move forward and be more security-minded. – Gen]