A lot of my friends, co-workers, even colleagues are still perplexed by this “Heartbleed” thing. It’s making the news, but in an effort to keep confusing tech news under a minute in their broadcast, reporters skim through the basics, leaving the home audience confused. Here’s all you need to know about Heartbleed (CVE-2014-0160) as a basic user. Although some programs and even mobile apps will need to be updated, the majority of average home users only need to worry about the websites they visit. If you are running higher-level software (Virtual Machines, Servers, etc…) you may need some more advanced information, but this article is for consumers, not IT Pros.
- Is there a fix? Heartbleed affects servers, not individual computers. There is likely nothing you need to install, update, patch, or fix on your computer or laptop.
- What it does: Heartbleed got its name from a “heartbeat” technology. A “heartbeat” is when your computer asks the server “are you still there?” before automatically logging you out. If you’re there and active, it keeps you logged in. Heartbleed would allow an attacker to send a heartbeat to the server and ask for more data back than the request was entitled to. That extra data could be another user’s login details that happened to be sitting in the server’s memory. It would even be possible to get the server’s private master key, which would allow an attacker to decrypt any password they could intercept going to or from the server in question. Webcomic XKCD explains the exploit perfectly:
- What should I do? Early warnings told everyone that they should change their passwords. The problem is, changing your password won’t help if the website still has the same flaw. Before you change your passwords, check Heartbleed test to ensure the site you’re using has been fixed. If it returns green, go ahead and update your password on that website.
- Has my password been stolen? It’s doubtful. The first demonstration was a proof of concept, but since the flaw was publicly reported it has been exploited in the wild. Attackers would have to target specific websites and harvest information from users who were accessing the site while the attack was taking place. It has been reported that the Canadian equivalent of the IRS has seen this flaw exploited – so it is happening, out there. The scary part is that the glitch was found in OpenSSL, which is used by an estimated two-thirds of the sites on the web. Reddit, Tumblr, Wikipedia, Amazon and even the Minecraft game servers are only a small sample of the popular websites that were affected.
- The glitch has been fixed by OpenSSL, but it is up to various website administrators, app developers, etc… to update their servers. Again, your best option is to use the Heartbleed test site to ensure the websites you use have been updated, and then update your passwords on those websites.
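For readers who want to see the “asks for more than it should get” idea from the “What it does” item in code, here is an added example. It is not from this post and not OpenSSL’s actual source; it is a simplified model of a heartbeat record (type byte, two-byte declared payload length, payload, padding) with the record layout, the sample records and the function names all constructed for this illustration. The pre-fix branch trusts the length the sender declared; the fixed branch, like the real patch, refuses any request whose declared length does not fit inside the bytes that actually arrived. No memory is over-read here: the returned number alone shows the mismatch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (RFC 6520 layout), constructed for this
 * example and not OpenSSL's code:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* How many bytes would the server echo back for this record?
 * check_length == 0 models the pre-fix behaviour: the declared payload length is trusted,
 *   so a record that declares more bytes than it carries makes the server answer with
 *   that many bytes, read from whatever happens to follow the request in memory.
 * check_length == 1 models the fix: the declared length, plus header and minimum padding,
 *   must fit inside the bytes actually received, otherwise the request is dropped.
 * Returns the echo length, or -1 when the record is rejected. Nothing is read beyond
 * the header here; the returned number alone shows the mismatch.
 */
int heartbeat_response_len(const uint8_t *rec, size_t rec_len, int check_length)
{
    if (rec_len < HB_HEADER_LEN)
        return -1;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    if (check_length &&
        (size_t)HB_HEADER_LEN + declared + HB_MIN_PADDING > rec_len)
        return -1;             /* the fix: silently discard malformed heartbeats */
    return declared;
}

/* Fixed-behaviour echo: copies the payload into 'out' only after the length check passed,
 * so the copy can never run past the bytes the peer actually sent. */
int heartbeat_echo(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    int n = heartbeat_response_len(rec, rec_len, 1);
    if (n < 0 || (size_t)n > out_len)
        return -1;
    memcpy(out, rec + HB_HEADER_LEN, (size_t)n);
    return n;
}

/* Convenience check: does the fixed echo of 'rec' equal the string 'expected'? (1 = yes) */
int heartbeat_echo_matches(const uint8_t *rec, size_t rec_len, const char *expected)
{
    uint8_t out[256];
    int n = heartbeat_echo(rec, rec_len, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(out, expected, (size_t)n) == 0;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t GOOD_RECORD[] = {
    0x01, 0x00, 0x05,                          /* request, declares a 5-byte payload   */
    'h', 'e', 'l', 'l', 'o',                   /* the 5 payload bytes actually sent     */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  /* 16 bytes of padding              */
};
static const uint8_t BAD_RECORD[] = {
    0x01, 0xFF, 0xFF,                          /* request, but declares 65535 bytes     */
    'h', 'i',                                  /* only 2 payload bytes actually sent    */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  /* 16 bytes of padding              */
};

int main(void)
{
    printf("well-formed: pre-fix echoes %d bytes, fixed echoes %d bytes\n",
           heartbeat_response_len(GOOD_RECORD, sizeof GOOD_RECORD, 0),
           heartbeat_response_len(GOOD_RECORD, sizeof GOOD_RECORD, 1));
    printf("malformed:   pre-fix echoes %d bytes although only %zu were sent; fixed returns %d\n",
           heartbeat_response_len(BAD_RECORD, sizeof BAD_RECORD, 0),
           sizeof BAD_RECORD,
           heartbeat_response_len(BAD_RECORD, sizeof BAD_RECORD, 1));
    return 0;
}
```

The malformed record is only 21 bytes long, yet the pre-fix logic would answer with 65,535 bytes, which is exactly where another user’s session data or the server’s key material could come from. This is also why the advice above to check a site before changing your password holds: until the server side carries the length check, a new password just becomes the next thing sitting in memory.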