Since the Heartbleed bug was officially announced on the 7th of March 2014, many Internet-savvy users have been very concerned and anxious to know what they can do to protect themselves. Should we stop using the Internet, change passwords, helplessly wait until the developers of our favourite websites patch the problem, or maybe do nothing at all?
What is the Heartbleed bug?
The Heartbleed bug is a security vulnerability in a component of OpenSSL – cryptographic software that approximately two thirds of websites rely upon to secure the traffic, passwords and any other sensitive information transmitted to and from visitors (clients). The vulnerability allows an attacker to extract small chunks of data from the server’s recent memory, or even from the client itself. When the data is extracted from the client the attack is called a “Reverse Heartbleed”. Both attacks produce more or less the same outcome – your data or the server’s becomes an open book for the attacker to read, and it can contain anything from your name and your password to your bank details, the website administrator’s password or any other sensitive information that should normally be encrypted at all times.
It’s also quite ironic that the strength of your password doesn’t matter at all: it can be your pet’s name, your date of birth or a random 256-character alphanumeric string – it will be seen if an attacker extracts the chunk of memory that contains it.
What’s also very interesting is that this vulnerability could have been easily exploited since March 2012, as that is when the first OpenSSL version to contain the bug (1.0.1) was released. Whether some or many attackers knew about it immediately, months later or only recently, and whether they have been using it since, we will most probably never find out. We only know that it took that long to find it, admit to finding it and announce it to the public. Either way, I don’t think we should ignore the fact that our security could have been compromised long before the Heartbleed bug was announced publicly.
What can we do?
Anyone who’s concerned agrees that this vulnerability needs to be patched as soon as possible. However, the problem is that the user can’t do much here and has to rely on website administrators to patch OpenSSL, and unfortunately that’s not all that needs to be done. Since there’s no way to tell whether a server was compromised or not, we have to assume that it was. This means that the server’s private key might now be known to an attacker, so it cannot be used any more and its certificate has to be revoked. The administrator then has to obtain and install a new certificate and generate a new private key to go with it. When that’s done, the last step is for the user to replace their old password with a new one.
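As an added example (not code from the original post), here is a small Python helper for the user’s side of that procedure: it reads the certificate’s notBefore date as printed by `openssl x509 -noout -dates`, treats a certificate issued after the disclosure date (passed in as a parameter) as the visible sign that the administrator has completed the re-keying steps, and says whether the user should wait, change their password now, or is already fine. The certificate lines and password-change dates in the demo are constructed sample values.

```python
"""Decide when to change a password after Heartbleed, from certificate dates."""
from datetime import datetime, date
from typing import Optional


def parse_openssl_date(line: str) -> date:
    """Parse one line of `openssl x509 -noout -dates`, e.g. 'notBefore=Apr  9 12:00:00 2014 GMT'."""
    _, _, value = line.partition("=")
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z").date()


def certificate_reissued(not_before: date, disclosure: date) -> bool:
    """A certificate issued strictly after disclosure is taken as the sign that the site
    replaced its (possibly leaked) key and certificate. Note that a later notBefore alone
    does not prove a new private key was generated; comparing the public key of the old
    and new certificate is the stronger check."""
    return not_before > disclosure


def password_advice(cert_not_before: date, last_change: Optional[date], disclosure: date) -> str:
    """Return 'wait', 'change' or 'ok' following the remedy steps described in the text."""
    if not certificate_reissued(cert_not_before, disclosure):
        # Re-keying not visibly done: a new password could leak through the same hole.
        return "wait"
    if last_change is None or last_change < cert_not_before:
        # Site is patched and re-keyed; any password set before that is suspect.
        return "change"
    return "ok"


def advise(dates_output: str, last_change_iso: Optional[str], disclosure_iso: str) -> str:
    """String front-end: `dates_output` is the full text printed by `openssl x509 -noout -dates`."""
    not_before = next(parse_openssl_date(line) for line in dates_output.splitlines()
                      if line.startswith("notBefore="))
    last_change = date.fromisoformat(last_change_iso) if last_change_iso else None
    return password_advice(not_before, last_change, date.fromisoformat(disclosure_iso))


if __name__ == "__main__":
    # Constructed sample output, not taken from any real server.
    old_cert = "notBefore=Jan 15 00:00:00 2014 GMT\nnotAfter=Jan 15 23:59:59 2015 GMT"
    new_cert = "notBefore=Apr  9 12:00:00 2014 GMT\nnotAfter=Apr  9 12:00:00 2015 GMT"
    disclosure = "2014-04-07"  # the day the bug became public
    print(advise(old_cert, "2014-04-08", disclosure))  # wait
    print(advise(new_cert, "2014-04-08", disclosure))  # change
    print(advise(new_cert, "2014-04-10", disclosure))  # ok
```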
What initially seemed like a straightforward remedy for the vulnerability becomes a lengthy task, and that’s just for the administrator to complete. When we think about the user it gets even more confusing and complicated. Should the user change the password for a certain website now or later? Or should the user wait for the administrator of that website to complete all three remedy steps? How would the user know when that’s completed? What about all the other websites?
The answer is very simple – change all of your passwords immediately and then again a week later and then again a month later and then again a few months later and again…
This shouldn’t come as a surprise to us as we all know and have heard the same thing about passwords for years:
- You shouldn’t use the same password on every website
- You should change your passwords often
If you were already following these two rules, you’ll most probably be fine, or at least better off than anyone who was ignoring them.
Unfortunately this is a harsh reality of the digital age and these kinds of flaws and vulnerabilities will come and go whether we like them or not. What we as users need to do is to prepare ourselves by minimising the “attack surface” as much as we can and following these two simple password rules will help us do just that.