The critical SSL vulnerability called Heartbleed is in the news. Here we explain how it affects you.
What is Heartbleed?
Heartbleed is the name of a critical bug recently found in OpenSSL. OpenSSL is the most popular cryptology software in the world. This means that two-thirds of the web was vulnerable. Even worse is that they were vulnerable for about two years.
Yes, this issue hit major sites. Google, Amazon, and Facebook were vulnerable. Every major Linux vendor distributed versions of OpenSSL with this bug during the two-year time. All major websites have secured themselves. All major Linux vendors offer updated versions of OpenSSL.
The Heartbleed bug allows anyone to alter the SSL certificates and decrypt the data. If someone recorded all secured traffic from a site they now have a method to decrypt it to see what happened.
Fortunately, no evidence has yet suggested that this bug was ever exploited before its discovery. Unfortunately this is not likely the case anymore.
What Sites are Vulnerable to Heartbleed?
A site is vulnerable to Heartbleed if they ran OpenSSL in the last two years and have not:
- Installed a new patch.
- Installed new SSL certificates.
The first point addresses whether someone can use Heartbleed to breach a site’s security. You can use the excellent scanner from Filippo to see if a site is now vulnerable to Heartbleed.
The second point addresses whether someone can breach the site now after having breached the site before. The scanner from LastPass will tell you if a site ran a web server that was vulnerable to Heartbleed and when they last installed a new SSL certificate. If the SSL is more than 2-3 days old it’s likely vulnerable. Please note: LastPass reports definitely if a site was vulnerable. It does not mean they are definitely vulnerable now.
What Should I do?
What you need to do depends on who you are.
If you’re a server admin you need to update your version of OpenSSL. Additionally if your server runs SPDY you must install the latest version of mod_spdy. A SPDY-enabled server with a fully patched version of OpenSSL is still exposed until you install the new version of mod_spdy.
Check any site you visit. with the two scanners linked above. You are going to want to change your passwords on any vulnerable site. If a site was vulnerable you need to wait until after a server admin installs a patch to keep your identity secured.
It is not unreasonable to believe that any credit card used on the internet in the last two years is out there. You may want to have them cancelled.
What have we done?
We here at Brand Builder Websites have updated all of our web servers so that no sites are vulnerable to Heartbleed. We have also re-keyed all SSL certificates for sites that run an SSL. We value security and acted quickly to protect our clients and any of our clients’ clients.
Please leave a comment or respond to us on social media or through email if you have any questions related to Heartbleed or your site’s security.