Heartbleed bug: What you need to know

​​​​​​​​​​​​​​​​​Request a Demo
Bored woman taking eLearning
Why Your eLearning May Not be Effective and What You Can Do About It
March 26, 2014
Blended Leadership Development Model
A Blended Learning Model for Effective Leadership Development
April 23, 2014

Heartbleed bug: What you need to know

Heartbleed is a catastrophic bug that affects thousands of sites and services across the internet, but what is it, and what do you need to do about it to protect yourself?

Heartbleed has grabbed the attention of the world’s media, but there has been a lot of misinformation bandied around. Here’s a quick rundown of the important bits you should know about.

What exactly is Heartbleed?

Heartbleed bug logo

Heartbleed is the nickname given to a bug in a piece of security software used by almost every secure website on the internet.

It is a flaw in a software package called OpenSSL, which is used by banks, shops, email providers and a variety of other services across the web to secure a connection between the user and the service.

Web servers that use SSL securely send an encryption key to the visitor, which is then used to protect all other information coming to and from the server.

Most people will recognise this secure connection as the little padlock symbol in the top left-hand corner of the web browser.

What does the bug do?

SSL is crucial in protecting services like online shopping or banking from eavesdropping, as it protects users from so-called man in the middle attacks, where a third party intercepts data during transit and uses it to discover confidential information.

Heartbleed allows hacking to read data assumed to be sent securely over the internet. That means that usernames and passwords as well as other confidential data could be read by cyber criminals.

How long has this been an issue?

The bug was introduced into the OpenSSL software in March 2012 and has been out in the wild for the past two years.

It has only now been revealed, but criminals have been able to exploit the bug since its inception in 2012. It is unknown whether any criminals have actively been exploiting the bug to steal user data, however.

Am I affected?

Hundreds of thousands of sites and services across the internet use a secure connection between a user’s computer and the website, and of those thousands, a large proportion of will be hit by Heartbleed.  A site being vulnerable to the Heartbleed bug, does not mean your data is compromised however.

There is a very high chance that at least one service that you use will be affected, but the degree to which it is affected will be different between sites and services. To avoid panic, it’s important to remember, a site may be affected by the Heartbleed bug, but subsequent layers of encryption can ensure that user data is never exposed.

The end result is that user data could now be intercepted and stolen across a myriad services that people use every day, including internet shopping sites, email accounts, online banking and even news websites.

What’s happening now?

The Heartbleed bug is quite easy to fix, but requires all the sites and services affected by the vulnerability to update their software and their security certificates.

Some, like Google, Yahoo and most banks, have already done that, but others will take time to roll out the fix.

Do I need to immediately change all my passwords?

There have been a lot of knee-jerk warnings in the media stating that you should immediately change all your passwords. This advice is wrong.

It is advisable to change all your passwords, but only once the sites have fixed the Heartbleed bug, especially if you reuse the same password across multiple sites and services. Changing your password before will only put that new password at risk of being stolen through the Heartbleed bug.

Once a site has fixed the Heartbleed bug, picking a secure new password for each service is crucial. A password should be complex, but memorable and should be unique for each different site or service.

If I just ignore it, will it all be all right in the end?

Heartbleed is certainly one of the most serious security bugs to hit the open internet, but panicked reactions have made it worse.

The Heartbleed bug will be fixed, if it hasn’t already been, by all the sites and services that most users use on a day-to-day basis. At that point changing your password should make your accounts secure once again, and users can then go on about their daily basis as they have done before.

Vigilance over the next weeks, including banking and shopping sites is advisable, just in case someone has managed to steal your credit card details while the bug was wide open.

For more information, you can visit http://heartbleed.com

2 Comments

  1. Claudia says:

    Hey Scott,
    This is great! Thanks for posting this valuable information. Just one question: How do you know when a site has been fixed so that you can go ahead and change your password?
    Thanks!

    • Scott Johnson says:

      Most sites are posting within their blogs, on their home page, or via social media regarding their progress with the fix. I’ve seen some show up under customer service sections, etc. When in doubt, I’d just email customer support.

Leave a Reply

Your email address will not be published. Required fields are marked *