Heartbleed in a Nutshell

by Catherine Hillman on April 10, 2014

heartbleed flower

By now you have probably heard about the security threat discovered recently that affects up to 2/3 of all websites that use secure login technology.

The news may seem alarming and confusing all at the same time. This is, in many ways, like the news of a major flu epidemic – you have to wonder, “have I been exposed? What is about to happen?” And similar to fighting invisible germs, you have no overtly obvious way of knowing if you’ve come in contact with a website that has been compromised by the Heartbleed vulnerability, or whether that contact will result in some sort of infection. This is an exposure where the symptoms may take a long time to come to light.

The vulnerability affects many sites that use an encrypted login – whether that is a financial site, a shopping site, or a site which asks for your personal information to be sent over the web in a form that is protected. If you pay attention to this sort of thing (and you should), you can tell a site is using an encrypted connection by the “https://…” at the start of the website’s address, and by the lock icon at the bottom of the browser page.

This includes a LOT of web pages you’ve visited, so chances are, you have indeed been exposed. Whether or not that results in a compromise of your personal information or finances is something you DO have control over. 

The best response to the Heartbleed vulnerability is similar to the best response to news of a flu epidemic: Prevention.

  •  We stave off the flu by getting a flu shot, limiting our exposure to sick people, washing our hands or using sanitizer, and staying informed.
  •  We stave off our exposure to internet vulnerabilities by using safe passwords, changing them often, avoiding risky sites, and staying informed.

Currently, the companies who are using a certain version of the security software that provides encrypted connections (called SSL/TLS) know they have been affected, and they are cleaning up their sites (getting their flu shots, taking their medication, and going back to the doctor for a note saying they are healthy). Once they have cleaned up their sites, they are considered safe to interact with again. Some big sites are still under quarantine, and others have already been released with a clean bill of health. This process is taking time, but should be completed by sometime next week.

The problem is, knowing which sites are safe is a moving target – which is why changing your password before the site is healthy will not help you. Changing your passwords is a GREAT idea, and you should do this every six months, just as you should take precaution on an annual basis against the flu. Changing your passwords now, and then again next week, is the equivalent of getting your flu shot against the Heartbleed vulnerability.

To be relatively safe, change your passwords this weekend, then change them again on Wednesday or Thursday of next week.

Yes, it’s a pain.  
Yes, it takes time.
But your safety is worth it, right?

~ Catherine Hillman


 photo by crazybutterfly95-flickr
