Heartbleed – Everything you need to keep your site protected.
What is Heartbleed?
‘Heartbleed’ is a serious security bug in the popular OpenSSL library, the security technology used to establish an encrypted link between a web server and a browser. When you browse a site that uses SSL, you see https:// at the start of the site's address in the address bar, along with the lock icon in your web browser.
The Heartbleed bug could allow attackers to access private memory on a web server. That memory could contain user passwords, credit card numbers, private security keys, or other such information, which makes this a major security problem that continues to affect millions of websites that use OpenSSL.
A fixed version of OpenSSL was released on April 7, 2014, at about the same time Heartbleed was publicly disclosed. Since the bug was discovered, most hosting and security companies that provide websites with OpenSSL certificates have been working round the clock to apply patches and take the necessary steps to ensure that the websites protected by the certificates they provided are not left open and vulnerable to attacks by persons with malicious intentions.
Who Was Impacted?
Any site that uses SSL, or that has https:// at the beginning of its URL or of any of the URLs within it, is susceptible to the Heartbleed bug. More than half of the 1000 most popular websites use SSL in some form on their site. Virtually any site you log into, input payment information on, or have an account with is going to have SSL installed simply to secure your information. Social media sites, ecommerce sites, shopping engines, online banking and web-based email clients – they all use it. The Heartbleed bug affected even major sites like PayPal, Amazon, Google and other big players.
Are You Vulnerable? How to Check – What To Do
If your website uses an SSL certificate, you can check which version of OpenSSL you are running. Affected versions include OpenSSL version 1.0.1 through version 1.0.1f, as well as version 1.0.2-beta and 1.0.2-beta1. Alternatively, you could submit your website’s domain here to check whether your website is vulnerable to Heartbleed.
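The version check described above can be scripted across several servers. The following is an added example, not part of the original article: it classifies the output of `openssl version` against the ranges listed above, and the host names, sample banners and function names are constructed for illustration.

```python
import re

# Ranges taken from the article: 1.0.1 through 1.0.1f, plus 1.0.2-beta and
# 1.0.2-beta1. "outside-range" only means "not on that list".
_BANNER = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(-beta\d*)?(-fips)?\b")


def classify(banner):
    """Classify one line of `openssl version` output.

    Returns "affected-range", "outside-range" or "unparsed".
    """
    m = _BANNER.match(banner.strip())
    if not m:
        return "unparsed"
    base, letter, beta = m.group(1), m.group(2), m.group(3) or ""
    if base == "1.0.1" and not beta and letter in ("", "a", "b", "c", "d", "e", "f"):
        return "affected-range"
    if base == "1.0.2" and not letter and beta in ("-beta", "-beta1"):
        return "affected-range"
    return "outside-range"


def triage(inventory):
    """Return hosts that need follow-up: in the affected range, or unparsed."""
    return sorted(h for h, b in inventory.items() if classify(b) != "outside-range")


# Constructed sample inventory (host names and banners are made up).
SAMPLE = {
    "shop.example.com": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "mail.example.com": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example.com": "OpenSSL 0.9.8y 5 Feb 2013",
    "staging.example.com": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "edge.example.com": "openssl: command not found",
}

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(host, classify(SAMPLE[host]))
```

A banner in the affected range is a prompt to check with your hosting company or operating system vendor rather than proof of exposure, because distributions often backport fixes without changing the version letter.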
If you find your website is vulnerable, you could contact your SSL provider or your website's hosting company, and insist that they provide you with the latest version of SSL encryption, or that they patch or remove the heartbeat extension so that your webstore is safe for the foreseeable future.
It is also advisable that website owners reset user passwords and replace their current SSL certificate if it is vulnerable. Although this may seem like a lot of work, taking these important steps to protect consumer data would help avoid any scare in the future.
Most major companies that operate on an SSL framework have already applied the security patch that was released earlier this month, effectively closing the door through which attackers could enter. There may be some smaller companies however – some with fewer resources – that have not been able to get around to installing the patch just yet.
At any rate, just to be safe, you can run any site you plan to log into through this site, and it will reveal any Heartbleed-related problems you should be aware of before going forward. Mashable also has a good list of major websites that have been affected.
Other Precautions You Could Follow:
There are also a few other steps you can take to ensure your personal data and information is not at risk due to Heartbleed:
– Log in and out of every session in your web browser – your email, your accounts, your social sites, anything else you have open. This will ensure you are using the most updated, secure version of the site’s SSL framework.
– After you are able to confirm that a site has in fact installed the security patch, log into your account and change your password. Though there is no way to confirm if your password or account information was leaked via Heartbleed, changing your password can ensure that even if it was, no hacker could use it to access your account.
– You can also check this comprehensive list by GitHub. It names any known sites that are vulnerable to the Heartbleed bug, so you can steer clear in your web browsing.
The worst part about the Heartbleed bug is that there is no way to know whether your accounts or personal data have been affected. Since the vulnerability has existed for at least three years, any savvy hacker could have accessed it during that time. The only way to proceed now is to move forward, install the patch, and be extra diligent about the sites you log into or buy from in the near future.