SECURITY Technology

WTF is #Heartbleed? And should I hoard gold?

There doesn’t seem to be a tech, a hacker or a tech-savvy food service employee out there who isn’t sounding the alarm about a threat called Heartbleed. I’ve been doing a lot of liveblogging of my discoveries re: various institutions and companies and their preparations for Heartbleed. But I’ve not yet had the opportunity to sit down and summarize what we know about the threat so my audience can understand it.

First and foremost, Heartbleed is not a virus, malware or spyware. It’s not a “bug” in the sense that we discuss various threats these days. Running McAfee on your system will not help. Instead, Heartbleed is a vulnerability in the fabric of what allows for confidential communications over the Internet. In other words, those websites you access with https:// in the address, rather than http:// When exploited, Heartbleed has the power to render visible the information that was supposed to be confidential, including usernames and passwords, confidential data and worst of all, the keys a given service uses to make all future communications secure.

Well, damn. That certainly sounds bad. And it is: Heartbleed attacks a form of communication that is nearly ubiquitous on the modern Internet where security is a concern.

But before you go to all the trouble of refreshing the potpourri and washing the doilies in the bomb shelter, let’s talk about what it can and cannot do, and how you can protect yourself without going broke on duct tape.

The Whole Internet is Not Busted

When a security vulnerability like this comes around, often people find themselves trapped between blase attitudes and hair-on-fire panic of their friends and neighbors. But to be clear: only websites that you browse using https:// are affected, and not all of them, either.

An example of an https:// website.
An example of an https:// website.

Any site you browse using http:// is the same as it ever was. What makes the difference between the https sites that are and are not affected? Well, let’s talk about that.

How Heartbleed works

The heart of the problem is something called Secure Sockets Layers (SSL), which creates encrypted “tunnels” of information between you and the service you are connecting too. When communicating through these tunnels, all information is scrambled in a way that is unreadable to a would-be snoop. Examples of SSL tunnels would include https sites, SSH shells, FTPS and the ubiquitous VPS connections many employees have to their employers’ systems.

Heartbleed is a vulnerability in one common Open Source implementation of SSL, called OpenSSL. In this implementation, there is a means for completely unauthenticated users – complete strangers on the Internet – to be able to read the information held on the memory of servers that deliver SSH content. Worse than simply seeing the actual confidential data you meant to hide, this new vulnerability provides the “keys to the kingdom,” allowing an attacker to see the username and password of a legitimate user and also the keys by which the server provides secure content. That means any further connections to that server using those keys will be compromised.

So, yeah. Its pretty damned serious, indeed. And because use of OpenSSL is so ubiquitous, the potential harm to the online community is pretty vast and staggering.

There’s Good News, Too

But there are many more sites that do not use the OpenSSL system to encrypt their data, and as of the time of this writing, those SSL systems remain unaffected by Heartbleed. In particular, your bank, PayPal and anyone dealing with PCI-compliant eCommerce (which should be just about everyone doing eCommerce, we hope) are all unaffected by Heartbleed.

There are many more encryption algorithms that are not related to OpenSSL and do not require any kind of patching or security fixes. And the fix for OpenSSL is also freely available; most credible services are already locking down their SSL connections. Therefore, even a site that is currently using OpenSSL isn’t any less secure by nature than any other.

What is the Solution?

Because the fix for OpenSSL’s Heartbleed bug, server admins are busily patching their systems and where necessary, reissuing keys for affected systems. And you can bet that OpenSSL’s next build will come with the patch already implemented.

However, once a server has been patched, the next step is to reissue keys and have users encrypt their passwords with those new keys. That’s why you may have gotten emails from stuff you do online recommending you reset your password.

Should I Just Start Resetting Passwords, Then?

No. First of all, while it’s always recommended that you update passwords on a regular basis and I’ve even given you a handy guide to creating secure ones, doing so en masse promises to create confusion. There’s no sense making the situation worse by forgetting new passwords or creating a bunch of duplicates.

But secondly and much more important in this case, resetting your password will only be effective after the SSL keys are regenerated. So if Company X is affected by Heartbleed – and hasn’t yet secured their servers – resetting your password changes nothing. And after they’ve secured their servers, they’re just going to ask you to change your password again, because that’s exactly what is required.

Your best bet if you’re concerned about your security online is ask, ask, ask. Find out if your bank or social network is affected by Heartbleed by asking them. Check your list of sites you frequent and find out what you should do about them.