Heartbleed...What is it? Am I affected by it? And how do I protect myself from it?



What is it?  Am I affected by it? And how do I protect myself from it?

All good questions.  Let’s answer the first question: What is it? 

Heartbleed actually refers to a bug in a piece of software called OpenSSL, and the bug has existed since the version that was released on Mar. 14th, 2012.  Whether you realize it or not, you use it every day.  OpenSSL is the most widely used implementation of the encryption that secures website traffic, and it is also built into many other widely used applications.  The vulnerable versions of OpenSSL cover about 66% of all websites on the Internet that use encryption.  Some examples of sites that used the affected OpenSSL version include the Canada Revenue Agency, Facebook, Google, Dropbox, and Yahoo.

You can think of OpenSSL as the Bat Phone between you and the website that you are accessing.  Both parties trust that everything you are talking about is secure and that no one can listen in on the conversation.  Heartbleed allows an attacker to tap into the conversation and listen, undetected.  They can then steal any information that you thought was confidential, like your username and password.  Worse still, they can steal the private keys from the server that make having a private conversation possible in the first place.

Am I affected by it?

This is an “it depends” question.  The bad news is that the vulnerability has been in the wild for about 2 years and the good guys have only just noticed it.  The good news is that all the Canadian banks have come out and said that they were not vulnerable to Heartbleed.  Some of the other major providers that don’t seem to be affected are Amazon, Apple, eBay, PayPal, Microsoft, LinkedIn, Salesforce, GoDaddy, and Walmart.  Any companies that rely on Microsoft’s IIS web server are not vulnerable to Heartbleed because IIS does not use OpenSSL as its encryption engine.  This is not to suggest that the companies listed use IIS; they may simply be using a different SSL implementation.

The vulnerability only allows the attacker to steal information that is currently being processed.  An example would be you logging into a website while, at the same time, an attacker was listening in and stealing your information.  The issue is that the attacker may also have been listening in when an administrator was logging in, in which case the attacker now has full admin rights.
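To make “information that is currently being processed” concrete, here is an added illustration (constructed for this article, not OpenSSL’s own code) of the kind of mistake behind Heartbleed and of the one-line check that fixes it.  A heartbeat message really does carry a 1-byte type followed by a 2-byte length, but everything else here is a simulation: the server’s memory is a single fixed array, the request is placed at its start, and a made-up leftover value from an earlier session (“admin:s3cret-session-token”) sits right after it.  The vulnerable handler believes the length the client wrote into the header and copies that many bytes back, which reaches into the neighbouring data; the fixed handler first checks that the claimed length fits inside the bytes that actually arrived and discards the request if it does not.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Simulated slice of server memory (constructed for this illustration).
 * Keeping everything inside one array means the "over-read" below stays
 * within defined memory, so the toy is safe to run. */
#define ARENA_SIZE  256
#define HEADER_SIZE 3      /* 1 byte type + 2 bytes payload length */
#define HB_REQUEST  1

static unsigned char arena[ARENA_SIZE];

/* Place a heartbeat request at the start of the arena, followed by
 * unrelated leftover data.  claimed_len is what the client wrote into
 * the header; actual_len is how many payload bytes really arrived. */
static void setup_arena(const char *payload, size_t actual_len,
                        uint16_t claimed_len, const char *leftover)
{
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HEADER_SIZE, payload, actual_len);
    /* data from another session happens to sit right after the payload */
    strcpy((char *)arena + HEADER_SIZE + actual_len, leftover);
}

/* Vulnerable pattern: trusts the length field and never compares it with
 * the size of the record that was actually received. */
static size_t handle_heartbeat_vulnerable(size_t record_len,
                                          unsigned char *out, size_t out_cap)
{
    size_t claimed = (size_t)((arena[1] << 8) | arena[2]);
    (void)record_len;                      /* never consulted: the bug */
    if (claimed > out_cap) claimed = out_cap; /* only to keep the toy in bounds */
    memcpy(out, arena + HEADER_SIZE, claimed);
    return claimed;
}

/* Fixed pattern: the claimed length must fit inside the bytes that
 * actually arrived; otherwise the request is silently discarded. */
static long handle_heartbeat_fixed(size_t record_len,
                                   unsigned char *out, size_t out_cap)
{
    if (record_len < HEADER_SIZE) return -1;          /* no room for a header */
    size_t claimed = (size_t)((arena[1] << 8) | arena[2]);
    if (HEADER_SIZE + claimed > record_len) return -1; /* the Heartbleed check */
    if (claimed > out_cap) return -1;
    memcpy(out, arena + HEADER_SIZE, claimed);
    return (long)claimed;
}

/* Constructed scenario: a 5-byte payload whose header claims 64 bytes. */
#define SECRET "admin:s3cret-session-token"

/* Returns 1 if the vulnerable handler's reply contains the leftover secret. */
static int demo_vulnerable_leaks_secret(void)
{
    unsigned char out[129];
    setup_arena("hello", 5, 64, SECRET);
    size_t n = handle_heartbeat_vulnerable(HEADER_SIZE + 5, out, 128);
    out[n] = '\0';                          /* terminate for strstr */
    return n == 64 && strstr((char *)out, SECRET) != NULL;
}

/* Same lying request against the fixed handler: expect rejection (-1). */
static long demo_fixed_rejects_lie(void)
{
    unsigned char out[128];
    setup_arena("hello", 5, 64, SECRET);
    return handle_heartbeat_fixed(HEADER_SIZE + 5, out, sizeof out);
}

/* An honest request (claimed length matches) is still answered: expect 5. */
static long demo_fixed_accepts_honest(void)
{
    unsigned char out[128];
    setup_arena("hello", 5, 5, SECRET);
    return handle_heartbeat_fixed(HEADER_SIZE + 5, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaked the secret: %s\n",
           demo_vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler result for the lying request: %ld\n", demo_fixed_rejects_lie());
    printf("fixed handler result for an honest request: %ld\n", demo_fixed_accepts_honest());
    return 0;
}
```

The point for a defender is the last paragraph’s observation in miniature: what leaks is whatever happened to be sitting next to the request in memory at that moment, so the damage depends entirely on who else was using the server at the time.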

How do I protect myself from it?

The first thing you should do is change your passwords.  However, at this point even that is still up in the air, because the vulnerability affects the web servers, not your computer or device.  The sites that you use not only have to patch their servers, they also need to change their private keys.  Patching 66% of the web’s servers and changing all their private keys is a massive task that will take a few days, if not a full week, to complete.  Some may not be able to do so until they update their entire software stack, which could take a month or more.

In about a week, you should probably change your passwords one more time.  In the future, the best way to defend yourself against these types of vulnerabilities is to have a unique password for every site.  This will limit your exposure to any single vulnerability.