By now, it’s likely you’ve heard about the Heartbleed Internet security vulnerability, which has made headlines around the Web, albeit often with a level of hyperbole and technical detail that makes it difficult to evaluate. Let’s assume you’re not a system administrator, or in charge of a bank or ecommerce Web site (if you are, go read Troy Hunt’s write-up). What do you, as a normal user of the Internet, need to know, and more importantly, need to do? Thanks to our security editor, Rich Mogull of Securosis, for the bulk of this information.
What is the Heartbleed bug? -- It’s a security vulnerability that was introduced to OpenSSL about two years ago. OpenSSL is one of the most common software applications for implementing encrypted (SSL/TLS) connections to Internet servers; these are the secure
https connections that we all rely on to protect our communications when shopping, banking, and working with confidential information. SSL/TLS is used by more than just Web browsers too; lots of Mac and iOS apps rely on it behind the scenes as well.
The Heartbleed bug enables an attacker to read parts of the memory of a server directly, assuming it’s running a vulnerable version of OpenSSL and is configured in a certain way. Security researchers have shown that the bug can be exploited to reveal usernames and passwords, encryption keys, and anything else that’s transmitted or stored in the server’s memory.
How bad is Heartbleed? -- We won’t lie — it’s extremely bad, and among the worst security bugs we’ve seen in recent history. It enables attackers to break encryption and potentially access other sensitive information from the server. Worse, it does so invisibly, so Web site administrators can’t go back and check logs to see if the site has been attacked in the past.
Security expert Bruce Schneier calls Heartbleed catastrophic, saying “On the scale of 1 to 10, this is an 11.” Half a million sites may be vulnerable to the bug, according to Netcraft, although some later discussion suggests that the number may be smaller than initially believed. With this tool from Filippo Valsorda, you can test sites you use regularly, although negative results may not mean anything, since conscientious system administrators are installing a new version of OpenSSL that patches the bug quickly. For a more complete testing tool, check out the SSL Server Test from Qualys SSL Labs.
On the plus side, our Web sites for both TidBITS and Take Control are unaffected by the bug, and eSellerate, which runs our Take Control cart, tells us that their servers have never been vulnerable to Heartbleed.
Do the bad guys (or the NSA) now have my passwords? -- Maybe. Bloomberg reported that the NSA has been exploiting the Heartbleed bug for several years, although the White House denied any prior knowledge of the bug.
We don’t yet — and may never — know if anyone else has been exploiting the Heartbleed bug to harvest information before it became public on 7 April 2014. But because the bug is now public, you should assume that any vulnerable Web site is under active attack, and if you have logged in since the bug was exposed, it’s best to assume that someone may have your password and potentially any other data you transmitted in that session.
We realize that’s incredibly paranoid, but we have no way to know which sites attackers are watching. And don’t get the impression that Heartbleed requires a person to do the watching; any online criminal or intelligence agency worth its salt would be automatically hoovering up as much information as possible.
Should I change my password at every major site I use? -- No. Only change your password if both of the following are true:
- You know a site was vulnerable.
- You know it is now patched.
Heartbleed is a live exploit, which means changing your password on an unpatched site is more likely to expose it than doing nothing. Avoid vulnerable sites until you know they are fixed, and then go back and change your password. We expect responsible sites will notify their users once they are no longer vulnerable and will make all users change their passwords. That’s the other reason not to change your password now; if the site is vulnerable, you’ll just have to change it again once they patch their servers. Mashable has a list of major sites and whether or not they were affected.
What if I logged in the day before Heartbleed was public? -- There are two ways your password on a particular site could have been exposed before Heartbleed was revealed to the public:
One or more bad guys knew about the vulnerability within the past two years and have been collecting sensitive information during that time. That’s a worst case scenario, and again, we have no way of knowing if any criminals or intelligence agencies have been exploiting the Heartbleed bug all along. Criminals probably would have used the information quickly, while it was still relevant; governments would likely just sit on it.
A bad guy previously recorded encrypted traffic for the site, but couldn’t do much with it. Then, when Heartbleed became public, he used it to steal the private key of the site’s server before it was patched, after which he can use the private key to decrypt the previously recorded traffic. This is likely something only a government could or would do.
Are my passwords stored in 1Password or LastPass safe? -- Yes, stored passwords are safe. In the case of the 1Password application from AgileBits, there’s no need to worry at all, since 1Password isn’t built on SSL/TLS in general, nor upon OpenSSL in particular.
LastPass requires more explanation, since the service is Web-based and the company’s servers do rely in part on OpenSSL. In fact, until LastPass patched its servers (shortly after learning about Heartbleed), Filippo Valsorda’s tool would have shown
lastpass.com as vulnerable. But that’s deceiving, because the LastPass browser extensions actually encrypt all your sensitive data with a key that LastPass’s servers never see, so your data is never transmitted using SSL without first being encrypted with this additional key. So even if a bad guy was eavesdropping on LastPass’s servers, breaking the SSL encryption
would reveal only more encrypted data. So, no need to worry about that. As an aside, LastPass has incorporated a Heartbleed vulnerability check into the service’s Security Challenge feature.
There are many other password management tools out there, and if you use something other than 1Password or LastPass, check your utility’s site and see what the company is saying on its blog or support pages. And if the company isn’t sufficiently transparent to comment on the issue, we recommend looking for a different tool.
What should I do? -- Right now, unless you are a server administrator, there isn’t much you can do. Test important sites you are worried about, and don’t log into those that are vulnerable until they are patched. Keep an eye on your email inbox, and as you get notifications from affected sites telling you to reset your password, do so. As always, if you’re concerned about the possibility of phishing, enter the site’s URL directly into your browser rather than clicking a password reset link. Yell at any vulnerable site that doesn’t patch in the next few days.
If you are a server administrator of a vulnerable site, install the OpenSSL patch, revoke old SSL certificates, and generate new certificates and private keys. Do it yesterday.
There is a lot of hyperbole out there right now. Yes, Heartbleed is as bad as it gets for those of us who manage servers or are in the security industry, but the practical risk to most people isn’t the worst thing we’ve seen on the Internet. That said, we’re not complaining about the hyperbole, because it helps us pressure the people that do manage the servers to fix them as soon as possible.
In short, the Internet isn’t melting down, but the people who manage vulnerable systems probably won’t be sleeping for a while. If you have other questions, feel free to ask them in the comments, and we’ll do our best to answer them and update this article as appropriate.