The Normal Person’s Guide to the Heartbleed Vulnerability
By now, it’s likely you’ve heard about the Heartbleed Internet security vulnerability, which has made headlines around the Web, albeit often with a level of hyperbole and technical detail that makes it difficult to evaluate. Let’s assume you’re not a system administrator, or in charge of a bank or ecommerce Web site (if you are, go read Troy Hunt’s write-up). What do you, as a normal user of the Internet, need to know, and more importantly, need to do? Thanks to our security editor, Rich Mogull of Securosis, for the bulk of this information.
What is the Heartbleed bug? — It’s a security vulnerability that was introduced to OpenSSL about two years ago. OpenSSL is one of the most common software libraries for implementing encrypted (SSL/TLS) connections to Internet servers; these are the secure https connections that we all rely on to protect our communications when shopping, banking, and working with confidential information. SSL/TLS is used by more than just Web browsers too; lots of Mac and iOS apps rely on it behind the scenes as well.
The Heartbleed bug enables an attacker to read parts of the memory of a server directly, assuming it’s running a vulnerable version of OpenSSL and is configured in a certain way. Security researchers have shown that the bug can be exploited to reveal usernames and passwords, encryption keys, and anything else that’s transmitted or stored in the server’s memory.
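To make the "reads server memory" point concrete, here is an added illustration (not code from the article, and not OpenSSL's own code) modelling the TLS heartbeat length check whose absence was the bug: the pre-fix logic trusts the payload length the client claims, while the patched logic drops any request whose claimed length does not fit in the bytes actually received. The helper names and the "memory" contents are constructed for the example.

```python
# Added example, not code from the article or from OpenSSL: a model of the TLS
# heartbeat length check whose absence was Heartbleed (CVE-2014-0160).
# Record layout per RFC 6520: type (1 byte) | payload_length (2 bytes, big-endian)
# | payload | padding (at least 16 bytes). Everything here works on bytes in
# memory; no network connection or real server is involved.
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEADER_LEN = 3          # type byte + 16-bit payload length
MIN_PADDING = 16

def build_heartbeat_request(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Constructed helper: build a request, optionally misstating the payload length."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING

def vulnerable_heartbeat_reply(record: bytes, memory_after_record: bytes) -> bytes:
    """Model of the pre-1.0.1g logic: it trusts the claimed length and echoes that
    many bytes, so a short record makes the reply spill into whatever follows the
    record in process memory (here a constructed stand-in passed as a parameter)."""
    if len(record) < HEADER_LEN:
        raise ValueError("record too short")
    hb_type, claimed_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    process_memory = record[HEADER_LEN:] + memory_after_record
    return process_memory[:claimed_len]

def patched_heartbeat_reply(record: bytes) -> Optional[bytes]:
    """Model of the fix: header, claimed payload and minimum padding must all fit
    inside the record actually received; otherwise the request is silently dropped."""
    if len(record) < HEADER_LEN:
        return None
    hb_type, claimed_len = struct.unpack("!BH", record[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    if HEADER_LEN + claimed_len + MIN_PADDING > len(record):
        return None  # declared length exceeds what arrived: drop it, echo nothing
    return record[HEADER_LEN:HEADER_LEN + claimed_len]
```

Running both functions on an honest request gives the same echo; only the unpatched model returns bytes from beyond the record when the claimed length is larger than the payload sent.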
How bad is Heartbleed? — We won’t lie — it’s extremely bad, and among the worst security bugs we’ve seen in recent history. It enables attackers to break encryption and potentially access other sensitive information from the server. Worse, it does so invisibly, so Web site administrators can’t go back and check logs to see if the site has been attacked in the past.
Security expert Bruce Schneier calls Heartbleed catastrophic, saying “On the scale of 1 to 10, this is an 11.” Half a million sites may be vulnerable to the bug, according to Netcraft, although some later discussion suggests that the number may be smaller than initially believed. With this tool from Filippo Valsorda, you can test sites you use regularly, although negative results may not mean anything, since conscientious system administrators are quickly installing a new version of OpenSSL that patches the bug. For a more complete testing tool, check out the SSL Server Test from Qualys SSL Labs.
On the plus side, our Web sites for both TidBITS and Take Control are unaffected by the bug, and eSellerate, which runs our Take Control cart, tells us that their servers have never been vulnerable to Heartbleed.
Do the bad guys (or the NSA) now have my passwords? — Maybe. Bloomberg reported that the NSA has been exploiting the Heartbleed bug for several years, although the White House denied any prior knowledge of the bug.
We don’t yet — and may never — know if anyone else has been exploiting the Heartbleed bug to harvest information before it became public on 7 April 2014. But because the bug is now public, you should assume that any vulnerable Web site is under active attack, and if you have logged in since the bug was exposed, it’s best to assume that someone may have your password and potentially any other data you transmitted in that session.
We realize that’s incredibly paranoid, but we have no way to know which sites attackers are watching. And don’t get the impression that Heartbleed requires a person to do the watching; any online criminal or intelligence agency worth its salt would be automatically hoovering up as much information as possible.
Should I change my password at every major site I use? — No. Only change your password if both of the following are true:
- You know a site was vulnerable.
- You know it is now patched.
Heartbleed is a live exploit, which means changing your password on an unpatched site is more likely to expose it than doing nothing. Avoid vulnerable sites until you know they are fixed, and then go back and change your password. We expect responsible sites will notify their users once they are no longer vulnerable and will make all users change their passwords. That’s the other reason not to change your password now; if the site is vulnerable, you’ll just have to change it again once they patch their servers. Mashable has a list of major sites and whether or not they were affected.
What if I logged in the day before Heartbleed was public? — There are two ways your password on a particular site could have been exposed before Heartbleed was revealed to the public:
- One or more bad guys knew about the vulnerability within the past two years and have been collecting sensitive information during that time. That’s a worst case scenario, and again, we have no way of knowing if any criminals or intelligence agencies have been exploiting the Heartbleed bug all along. Criminals probably would have used the information quickly, while it was still relevant; governments would likely just sit on it.
- A bad guy previously recorded encrypted traffic for the site, but couldn’t do much with it. Then, when Heartbleed became public, he used it to steal the private key of the site’s server before it was patched, after which he can use the private key to decrypt the previously recorded traffic. This is likely something only a government could or would do.
Are my passwords stored in 1Password or LastPass safe? — Yes, stored passwords are safe. In the case of the 1Password application from AgileBits, there’s no need to worry at all, since 1Password isn’t built on SSL/TLS in general, nor upon OpenSSL in particular.
LastPass requires more explanation, since the service is Web-based and the company’s servers do rely in part on OpenSSL. In fact, until LastPass patched its servers (shortly after learning about Heartbleed), Filippo Valsorda’s tool would have shown lastpass.com as vulnerable. But that’s deceiving, because the LastPass browser extensions actually encrypt all your sensitive data with a key that LastPass’s servers never see, so your data is never transmitted using SSL without first being encrypted with this additional key. So even if a bad guy was eavesdropping on LastPass’s servers, breaking the SSL encryption would reveal only more encrypted data. So, no need to worry about that. As an aside, LastPass has incorporated a Heartbleed vulnerability check into the service’s Security Challenge feature.
There are many other password management tools out there, and if you use something other than 1Password or LastPass, check your utility’s site and see what the company is saying on its blog or support pages. And if the company isn’t sufficiently transparent to comment on the issue, we recommend looking for a different tool.
What should I do? — Right now, unless you are a server administrator, there isn’t much you can do. Test important sites you are worried about, and don’t log into those that are vulnerable until they are patched. Keep an eye on your email inbox, and as you get notifications from affected sites telling you to reset your password, do so. As always, if you’re concerned about the possibility of phishing, enter the site’s URL directly into your browser rather than clicking a password reset link. Yell at any vulnerable site that doesn’t patch in the next few days.
If you are a server administrator of a vulnerable site, install the OpenSSL patch, revoke old SSL certificates, and generate new certificates and private keys. Do it yesterday.
There is a lot of hyperbole out there right now. Yes, Heartbleed is as bad as it gets for those of us who manage servers or are in the security industry, but the practical risk to most people isn’t the worst thing we’ve seen on the Internet. That said, we’re not complaining about the hyperbole, because it helps us pressure the people that do manage the servers to fix them as soon as possible.
In short, the Internet isn’t melting down, but the people who manage vulnerable systems probably won’t be sleeping for a while. If you have other questions, feel free to ask them in the comments, and we’ll do our best to answer them and update this article as appropriate.
I typed apple.com, icloud.com, and me.com in the tester and got broken pipe messages?
The tool's FAQ suggests that this probably indicates some sort of counter-measure that's closing the connection when it detects the heartbeat. Very likely safe, in other words.
The ssl certificates for apple and icloud have www. in front, and www.apple.com passes. www.me.com doesn't but I expect that because it's deprecated these days and it's just redirecting to icloud or some other server.
Marco Arment recommends SSL Labs server test:
and it's disturbing how many ways SSL can fail. The banks I use pass with A or A- (whew!), but a lot of stores fail miserably at security, even though they pass the Heartbleed test. You do need to find the right shopping server name -- e.g. www.newegg.com fails, but secure.newegg.com gets a B.
Nice article, thanks! Only one point about your advice in "What should I do", this sentence: 'Keep an eye on your email inbox, and as you get notifications from affected sites telling you to reset your password, do so'
Seems to me this sentence is 'the wet dream' for those using this crisis to send phishing emails...
Good point - I'll encourage people to visit the site directly rather than following a link, if they're concerned.
Listen to Steve Gibson on the Security Now podcast #450. He has a long segment on the Heartbleed vulnerability.
Most important, Steve says that it's not enough for a vulnerable site to patch the OpenSSL or switch to a non-vulnerable version. Since the site may have been compromised for up to two years, its SSL certificates are suspect. The site should revoke its certificates and get new ones! He explains how to check for this in your browser.
He recommends SSLLabs.com to check vulnerability of sites, saying that filippo is unreliable, and gives false negatives and false positives.
Steve references a report by Netcraft that suggests the problem is not as widespread as mainstream media are reporting. Still, something to take seriously!
I highly recommend listening to the podcast. But if you're in a hurry, here are the show notes: https://www.grc.com/sn/sn-450-notes.pdf
I don't know why most are suggesting that, as soon as a site has been patched, you can update your passwords and relax. LifeHacker published the following on one of their Heartbleed articles:
"Update: This list unfortunately doesn't specify if the companies have revoked and reissued their security certificates, which is important for the utmost precaution for them to do before you change your passwords. Most of the companies' statements say they've patched the issue or applied the appropriate fixes, but the certificate status is unclear. So even if the sites are saying everything's fixed, it's better to wait until you know for sure if the certificates have been updated."
agilebits (makers of 1Password) says it very well:
"Once a service upgrades to a fixed version of OpenSSL (or to some other cryptographic library), they will need to revoke the certificate that they had been using with the vulnerable version of OpenSSL and obtain a new certificate. Exactly how long that takes will depend on how quickly they can get things sorted out with their certification authority. Certification authorities are going to be very busy over the next few weeks.
Only after a new, certified certificate is in place on a server that is not using a broken SSL/TLS library will it make sense for you to update your password for that service (or even trust your communication with it). Most of us simply have to wait until notified by various websites and services when and whether we should change passwords."
I've updated the site with links to the Mashable list of sites and the news that the NSA has been exploiting Heartbleed for years.
What a world we live in.
FWIW - An NPR article I read last night denied that the NSA had been using Heartbleed and said the gov't would not withhold Zero Day type bug information from the public.
Exactly! And the NSA would never employ mass surveillance techniques on US citizens, they said as much!
Here's a reference to the White House statement.
Sounds like: If you like your insurance plan, you can keep it. PERIOD!
I'm surprised that I haven't heard from any sites yet! At first I advised family members to wait until they received notification from an affected site that the problem had been fixed, then change their password (at that site and any others where they'd used the same password).
But now it's starting to look like even affected sites may not email customers to let them know! I haven't even seen notices about it on websites, except those that say they weren't affected.
In that case, how long should we wait before changing passwords? I'd like to give sites time to fix certificates, etc., but if they're never going to give notification….
I've heard from 1password and smalldog.com so far.
I got an email from The Motley Fool (fool.com) saying that they patched the vulnerability and advising me to change my password. They didn't say anything about their security certificates :-(
Since I haven't logged in there for a while, I'll wait ...
I'm guessing most sites won't say anything about the SSL certificates, since that won't mean much to most people. We can hope they've done it.
I've heard from four or five sites, but not as many as I suspect were affected. There's no real harm in changing your password at any time, as long as you're aware that you may need to do it again if you do hear from them (on the assumption that they were still vulnerable after your change). But it's essential that you don't reuse a password on another site, and if the site in question stores financial or other confidential data, I'd recommend asking their support before doing anything.
Is the password app mSecure vulnerable to this attack?
According to mSevenSoftware, no.
The github link is broken, as of 14th April 2014, 16:00 CET
Thanks - the user must have removed the page. We've taken it out of the article.
Just a note that I removed the warning about Dropbox and 1PasswordAnywhere now that Dropbox has patched its servers and issued new SSL certificates. There are no more worries about using 1PasswordAnywhere, whether or not you're syncing via Dropbox.
AgileBits has just released a new service to check for Heartbleed problems. See
Much of encryption, SSL/TLS etc. is over my head. This week I've used the Qualys SSL site to look at some "medical passport" sites and commonly see a grade of F, largely because the site uses obsolete SSL2 without "forward secrecy." Can anyone comment or advise on how to interpret this, and how I should respond? E.g., should I phone the billing office listed on a pathology consult bill and say I won't use their online site to pay because it doesn't attain some grade higher than "F"? Should I likewise report to my PCP that his chosen patient portal also rates an "F"? Am I blowing these risks out of proportion?
It's a safe bet that the billing office won't know anything about SSL encryption on the site. That said, telling the doctor who relies on it might be worthwhile.
It's probably most important right now that the site pass the Heartbleed test; SSL Labs tests so much else that it's hard for a user to evaluate what's important and what's not.