Change your (everything) Password — Introducing the Heartbleed Bug

If you think you don’t need to read this post, you definitely need to read this post.

Heartbleed is a security vulnerability that was discovered this week. It probably affects you. First, the five W’s:

Who: Anyone who uses the web over HTTPS links. That’s probably you.
What: Heartbleed is a bug in OpenSSL, the encryption library behind a large share of HTTPS websites. It lets anyone on the internet read chunks of a vulnerable server’s memory, which can include the passwords, session cookies and other data that you and other users recently sent.
Where: Gmail, Yahoo, Tumblr, Flickr, Facebook…
When: The bug shipped in OpenSSL in early 2012, but it was not publicly disclosed until this week, so it has been exploitable for about two years.
Why: Honest human error, specifically a missing length check in OpenSSL’s TLS “heartbeat” extension.

You’ve probably noticed the letters “HTTP” preceding most web links. HTTP stands for “hypertext transfer protocol,” the language your browser and a web server use to talk to each other; putting it in front of a link tells your browser “what comes next is a web page.” It’s kind of like saying, “the following message will be in English.”

Sometimes, you’ll see HTTPS instead. The S stands for “secure”: it means the same HTTP conversation is carried inside an encrypted SSL/TLS connection (“secure sockets layer” is the older name for that layer, and OpenSSL is the software many servers use to implement it). When you use plain HTTP, the things you read and send across the internet travel as plain text, so anyone positioned on the network path, such as someone on the same Wi-Fi or at your ISP, can read what you are sending and receiving. With HTTPS, what you send and receive is encrypted. Even if someone intercepts the traffic, all they see is scrambled data they cannot read. This is why websites like Gmail and Facebook and your bank’s website default to HTTPS.

Or, so we thought. Turns out that a change to OpenSSL at the end of 2011, which shipped to the world as OpenSSL 1.0.1 in early 2012, contained a mistake. A big one. Well-known security expert Bruce Schneier said on his website this week, “on a scale of 1 to 10, this is an 11.” The bug lets an attacker send a specially crafted “heartbeat” message to a vulnerable server and get back a chunk of whatever the server happens to have in memory, without logging in and without breaking the encryption itself. One frustrating thing about this bug is that exploiting it leaves no trace in a server’s normal logs, so server owners have no way to know whether anyone actually attacked them; all they can tell is whether they were vulnerable. And it turns out, a lot of websites were vulnerable.

The good news is that each Heartbleed request only returns a limited slice of memory (up to 64 KB), so there’s a chance nobody ever saw your password. The bad news is that an attacker can repeat the request as often as they like, the leaked memory can contain anything the server was holding, including passwords, session cookies and even the server’s own private encryption key (which is why patched sites also need new certificates), and the vulnerability has been around for two years, so there’s no telling whether you were affected.
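To make the “missing length check” concrete, here is a cut-down model of the flaw in C. This is an added example written for this post, not OpenSSL’s code: it models only the heartbeat message layout from RFC 6520 (type, 2-byte payload length, payload, padding) and the one bounds check the fix added. The “process memory” and the secret string in it are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout inside one TLS record (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The responder must echo the payload back. The real bug: the handler trusted
 * payload_length from the message instead of checking it against the number
 * of bytes it actually received in the record. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

static uint16_t read_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable variant: echoes payload_length bytes whatever the record size.
 * Returns bytes written to out, or -1 if the request is rejected. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = read_be16(rec + 1);
    size_t resp_len = 3 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;          /* only the output buffer is checked */

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* BUG: payload_len may be far larger than rec_len - 3, so this copies
     * whatever the process has in memory after the record. */
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

/* Fixed variant: same logic plus the check that the claimed payload
 * (and minimum padding) actually fits inside the received record. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = read_be16(rec + 1);
    if (3 + (size_t)payload_len + HB_PADDING > rec_len) return -1;   /* the fix */
    size_t resp_len = 3 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);      /* now provably within rec */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)resp_len;
}

typedef int (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Constructed stand-in for data the server happened to hold next to the record. */
#define SECRET "password=hunter2"

/* Builds a fake slice of process memory: a 22-byte heartbeat request whose
 * header claims a 200-byte payload, followed by the secret. Returns 1 if the
 * handler's response contains the secret, 0 otherwise (including rejection). */
int leaks_secret(hb_handler handler)
{
    uint8_t mem[256];
    memset(mem, 0, sizeof mem);
    size_t rec_len = 3 + 3 + HB_PADDING;        /* bytes actually received: 22 */
    mem[0] = HB_REQUEST;
    mem[1] = 0; mem[2] = 200;                   /* lies: claims 200 bytes of payload */
    memcpy(mem + 3, "hi!", 3);                  /* the real 3-byte payload */
    memcpy(mem + rec_len, SECRET, strlen(SECRET));

    uint8_t out[512];
    int n = handler(mem, rec_len, out, sizeof out);
    if (n < 0) return 0;
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Honest 3-byte request through the fixed handler: returns the response length. */
int honest_request_len(void)
{
    uint8_t rec[3 + 3 + HB_PADDING] = { HB_REQUEST, 0, 3, 'h', 'i', '!' };
    uint8_t out[64];
    return heartbeat_fixed(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("fixed handler, honest request:   %d bytes\n", honest_request_len());
    return 0;
}
```

The point of the model is that nothing about the encryption is broken: the attacker is a normal TLS client, and the server itself hands over its memory because it believed a length field it never validated. The fixed handler still answers well-formed heartbeats and simply drops the lying one.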

Several sites including this link at Mashable.com are compiling lists of websites that were affected and have been patched. You’ll want to change your password on those sites. Some of the ones on that list currently include: Facebook, Instagram, Pinterest, Tumblr, Flickr, Google/Gmail, Yahoo/Yahoo Mail/AIM, YouTube, Etsy, GoDaddy, Netflix, Soundcloud, TurboTax, USAA, Box, DropBox, Github, and IFTTT.

Oh, and Minecraft.

This is a good time to remind you that if you use the same password on any other site that you also use on those sites, you should change that password too. Also, stop doing that.

So what about your bank or some other HTTPS site you want to test? Several “Heartbleed Testers” have been stood up online. Here’s one. Simply click the link and paste in the URL of your bank (or any other HTTPS link) and the website will tell you whether the server is currently running a safe version of OpenSSL. Of course it doesn’t tell you whether they had the bad version last week, and a patched server that is still using the same certificate as before may not have finished cleaning up, so don’t treat a green result as proof that nothing leaked.

I spent a couple of hours last night changing my passwords on a bevy of services including Facebook, Twitter, Gmail, and more. You should too. It’s a pain in the butt, especially when you have multiple devices (phones, tablets, laptops) that will all need the new passwords, but you’ll thank me in the morning.

3 thoughts on “Change your (everything) Password — Introducing the Heartbleed Bug”

  1. Two more things:

    Changing passwords for affected sites is crucial, but *after* they upgrade to an unaffected version of OpenSSL. Most sites upgraded very quickly, but if you change your password and then hear from the site a week later saying that you need to change it because of a recent upgrade, change it again.

    Also, some third-party software on your computer uses its own local copy of OpenSSL and is affected, so keep that software up to date. Secunia PSI is a good free tool for that: http://secunia.com/vulnerability_scanning/personal/
