
  Dot Ones - Managed IT Support

Since the Heartbleed bug was publicly disclosed on the 7th of April 2014, many Internet-savvy users have been anxious to know what they can do to protect themselves. Should we stop using the Internet, change our passwords, wait helplessly until the developers of our favourite websites patch the problem, or do nothing at all?

What is the Heartbleed bug?

The Heartbleed bug (CVE-2014-0160) is a security vulnerability in the TLS heartbeat extension of OpenSSL, the cryptographic library that roughly two thirds of web servers rely on to protect the traffic, passwords and other sensitive information exchanged with their visitors (clients). A heartbeat message carries a payload and a field stating how long that payload is; the affected versions trusted that field without checking it against the data actually received, so an attacker could ask for up to 64 KB of whatever happened to sit in the server's memory next to the message, and repeat the request as often as they liked. The same trick works in reverse against a vulnerable client that connects to a malicious server, which is known as "Reverse Heartbleed". Both attacks have more or less the same outcome: the victim's memory becomes an open book for the attacker to read, and it can contain anything from your name and password to your bank details, the website administrator's password or the server's private key, all of which TLS is supposed to keep confidential.

It is also quite ironic that the strength of your password does not matter at all here. It can be your pet's name, your date of birth or a random 256-character alphanumeric string; if an attacker extracts the chunk of memory that contains it, it is read out in the clear.
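To make the mechanism concrete, here is an added example written for this page, not code taken from OpenSSL. It models the heartbeat handler in C: a fixed `arena` stands in for the server's memory, the `build_request` helper and the embedded secret are constructed for the demonstration, and the two handlers follow the shape of the vulnerable and the patched OpenSSL code (an unchecked length field versus a bounds check against the bytes actually received).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a self-contained model of the OpenSSL heartbeat bug. The
 * "arena" stands in for the server process's memory: the incoming heartbeat
 * record is copied to the front of it, and a constructed session secret sits
 * a little further on, as a password from another connection might. */
#define ARENA_SIZE  (65536 + 64)   /* large enough for any 16-bit length */
#define HB_PADDING  16             /* RFC 6520 minimum padding */
enum { TLS1_HB_REQUEST = 1, TLS1_HB_RESPONSE = 2 };

static unsigned char arena[ARENA_SIZE];
static unsigned char response[ARENA_SIZE];

/* Constructed secret: it is leaked whole, however strong it is. */
static const char secret[] = "pass=Tr0ub4dor&3-random-256-char-style-string";

struct hb_record {
    const unsigned char *data;  /* start of the heartbeat message */
    size_t length;              /* bytes actually received for this record */
};

/* Lay out a heartbeat request whose length field claims `declared` bytes while
 * carrying only `actual` bytes of payload, then leave the secret in memory a
 * little past the record. Returns the record as the TLS layer sees it. */
struct hb_record build_request(uint16_t declared, const char *actual)
{
    size_t alen = strlen(actual);
    memset(arena, 0, sizeof arena);
    unsigned char *p = arena;
    *p++ = TLS1_HB_REQUEST;
    *p++ = (unsigned char)(declared >> 8);
    *p++ = (unsigned char)(declared & 0xff);
    memcpy(p, actual, alen);
    p += alen + HB_PADDING;                  /* padding bytes stay zero */
    memcpy(p + 200, secret, sizeof secret);  /* "stale" data 200 bytes further on */
    struct hb_record rec = { arena, 1 + 2 + alen + HB_PADDING };
    return rec;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1-1.0.1f: it reads the 16-bit
 * payload length from the attacker's message and copies that many bytes back,
 * never comparing it with rec->length. Returns the reply size. */
int heartbeat_vulnerable(const struct hb_record *rec, unsigned char *out)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return -1;
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);        /* over-read: up to 64 KB past the record */
    bp += payload;
    memset(bp, 0, HB_PADDING);     /* OpenSSL wrote random padding here */
    return (int)(bp + HB_PADDING - out);
}

/* Fixed handler, mirroring the 1.0.1g patch: discard the message if header,
 * declared payload and padding do not fit in what was actually received. */
int heartbeat_fixed(const struct hb_record *rec, unsigned char *out)
{
    if (rec->length < 1 + 2 + HB_PADDING) return -1;   /* silently discard */
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length) return -1;
    if (hbtype != TLS1_HB_REQUEST) return -1;
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);        /* payload now known to lie inside the record */
    bp += payload;
    memset(bp, 0, HB_PADDING);
    return (int)(bp + HB_PADDING - out);
}

/* Does the secret appear anywhere in the first n bytes of buf? */
int contains_secret(const unsigned char *buf, size_t n)
{
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, secret, slen) == 0) return 1;
    return 0;
}

/* Attacker sends a 2-byte payload but claims 16 KB; 1 if the reply leaks the secret. */
int vulnerable_leaks_secret(void)
{
    struct hb_record rec = build_request(16384, "hi");
    int n = heartbeat_vulnerable(&rec, response);
    return n > 0 && contains_secret(response, (size_t)n);
}

/* The same malicious request against the fixed handler is refused. */
int fixed_rejects_oversized(void)
{
    struct hb_record rec = build_request(16384, "hi");
    return heartbeat_fixed(&rec, response) == -1;
}

/* An honest request is still answered by the fixed code. */
int fixed_answers_honest(void)
{
    struct hb_record rec = build_request(2, "hi");
    int n = heartbeat_fixed(&rec, response);
    return n == 1 + 2 + 2 + HB_PADDING && memcmp(response + 3, "hi", 2) == 0;
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed rejects oversized: %d\n", fixed_rejects_oversized());
    printf("fixed answers honest:    %d\n", fixed_answers_honest());
    return 0;
}
```

The only difference between the two handlers is the length check; everything else, including the copy that does the damage, is identical. That is also why the strength of the leaked password is irrelevant: whatever bytes lie after the request are copied verbatim into the reply.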

What is also very interesting is that this vulnerability could have been exploited since March 2012, when OpenSSL 1.0.1, the first release containing the bug, came out; every release up to and including 1.0.1f is affected, and 1.0.1g is the first fixed one. Whether some attackers knew about it immediately, months later or only recently, and whether they used it, we will most probably never find out: a Heartbleed request looks like ordinary TLS traffic and leaves nothing in the server's logs. We only know that it took two years to find it, confirm it and announce it to the public. Either way, we should not ignore the fact that our security could have been compromised long before the bug was announced.

What can we do?

What anyone who is concerned agrees on is that the vulnerability needs to be patched as soon as possible. The problem is that users themselves can do very little; they have to rely on website administrators to update OpenSSL (to 1.0.1g or later, or to a distribution package that has the fix backported). Unfortunately, patching is not all that needs to be done. Since there is no way to tell whether the server was compromised, we have to assume that it was. That means the server's private key may be known to an attacker and can no longer be trusted, so the administrator also has to generate a new private key, obtain and install a new certificate for it, and have the old certificate revoked. Only when all of that is done does it make sense for the user to complete the last step and replace their old password with a new one.

Heartbleed 16-04-14

What initially seemed like a straightforward remedy becomes a lengthy task, and that is just the administrator's part. For the user it gets even more confusing and complicated. Should the user change the password for a given website now or later? Should they wait for the administrator of that website to complete all of the remedy steps? How would the user know when that has happened? And what about all the other websites?

The answer is simple: change all of your passwords now, and then change them again once each website has patched and reissued its certificate, a week later, a month later and again a few months after that if you cannot tell when that happened. A password changed while the server is still vulnerable can be read out of its memory just like the old one, which is why the repeat matters as much as the first change.

This should not come as a surprise, as we have all heard the same advice about passwords for years:

- You shouldn’t use the same password on every website

- You should change your passwords often

If you were already following these two rules you will most probably be fine, or at least better off than anyone who was ignoring them.

Unfortunately this is the harsh reality of the digital age: flaws and vulnerabilities like this one will come and go whether we like it or not. What we as users can do is prepare ourselves by minimising our "attack surface" as much as we can, and following these two simple password rules helps us do just that.
