Right now, you can’t browse too far on the internet without seeing something about Heartbleed, but what is Heartbleed – other than frenzied media headlines about two-thirds of the Internet being dangerous?
Let me put you partially at ease: Heartbleed is a recently discovered vulnerability in OpenSSL, the open source cryptography library used to encrypt secure data on about 66% of the Internet. And yes, it is just as serious as everyone is saying. The exploit uses a programming error in the library’s heartbeat extension to force a remote server to send a random 64 KB of data back to the attacker.
So why is this a big deal? Well, for hackers, this is like pulling a random puzzle piece out of a box. Realistically, there’s only a very small chance that you’d grab a piece with something useful on it, but if you do it over and over again, you’re bound to get something you want eventually.
And unfortunately, the bug affects precisely the sites that have data worth securing, since those are the sites using encryption in the first place.
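To make the "programming error" above concrete, here is a toy model of the heartbeat exchange, written for this article and not taken from the post or from OpenSSL's source. A heartbeat record carries a length field that says how big its payload is; the flaw is that the reply is sized by that claimed length rather than by the number of bytes that actually arrived, so whatever sits next to the record in memory gets echoed back. The server memory, the "abc" payload and the "SECRET" string are all constructed stand-ins, and the arena-size guard in the flawed handler exists only to keep the simulation well-defined. The hardened handler applies the check that RFC 6520 requires: a record whose claimed length does not fit inside what was received is silently discarded.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16 bytes)
 * The server is supposed to echo the payload back to the peer. */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16
#define ARENA_LEN      256

/* Constructed stand-in for a slice of server memory: the received record sits
 * at the start of the arena and unrelated process data follows it. */
typedef struct {
    uint8_t arena[ARENA_LEN];
    size_t  record_len;   /* number of bytes that were actually received */
} server_mem;

static uint16_t read_u16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Flawed handler: copies 'claimed' bytes starting at the payload, so anything
 * adjacent to the record in memory is copied into the reply as well. The
 * arena guard is a simulation aid only; the real defect has no such guard. */
static int heartbeat_reply_flawed(const server_mem *m, uint8_t *out, size_t *out_len) {
    uint16_t claimed = read_u16(m->arena + 1);
    if ((size_t)HB_HDR_LEN + claimed > ARENA_LEN) return -1;
    out[0] = 2;                          /* heartbeat_response */
    out[1] = m->arena[1];
    out[2] = m->arena[2];
    memcpy(out + HB_HDR_LEN, m->arena + HB_HDR_LEN, claimed);
    *out_len = HB_HDR_LEN + claimed;
    return 0;
}

/* Hardened handler: header, claimed payload and minimum padding must all fit
 * within the bytes that actually arrived; otherwise the record is silently
 * discarded, as RFC 6520 section 4 requires. */
static int heartbeat_reply_checked(const server_mem *m, uint8_t *out, size_t *out_len) {
    if (m->record_len < HB_HDR_LEN + HB_MIN_PADDING) return -1;
    uint16_t claimed = read_u16(m->arena + 1);
    if ((size_t)HB_HDR_LEN + claimed + HB_MIN_PADDING > m->record_len) return -1;
    out[0] = 2;
    out[1] = m->arena[1];
    out[2] = m->arena[2];
    memcpy(out + HB_HDR_LEN, m->arena + HB_HDR_LEN, claimed);
    *out_len = HB_HDR_LEN + claimed;
    return 0;
}

/* Constructed sample: a request carrying the 3-byte payload "abc" plus 16 zero
 * padding bytes (22 bytes received), a length field set to 'claimed_len', and
 * the constructed string "SECRET" lying further along in the arena. */
static void make_sample(server_mem *m, uint16_t claimed_len) {
    memset(m, 0, sizeof *m);
    m->arena[0] = 1;                     /* heartbeat_request */
    m->arena[1] = (uint8_t)(claimed_len >> 8);
    m->arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(m->arena + HB_HDR_LEN, "abc", 3);
    m->record_len = HB_HDR_LEN + 3 + HB_MIN_PADDING;
    memcpy(m->arena + 40, "SECRET", 6);
}

static int buf_contains(const uint8_t *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Scenario 1: a claim of 100 bytes against the flawed handler.
 * Returns 1 if the reply carried bytes from outside the received record. */
int flawed_handler_leaks_adjacent_memory(void) {
    server_mem m; uint8_t out[ARENA_LEN]; size_t n;
    make_sample(&m, 100);
    if (heartbeat_reply_flawed(&m, out, &n) != 0) return -1;
    return n == 103 && buf_contains(out, n, "SECRET");
}

/* Scenario 2: the same oversized claim is discarded by the hardened handler. */
int checked_handler_rejects_oversized_claim(void) {
    server_mem m; uint8_t out[ARENA_LEN]; size_t n;
    make_sample(&m, 100);
    return heartbeat_reply_checked(&m, out, &n) == -1;
}

/* Scenario 3: an honest claim (3 bytes) still gets a normal echo. */
int checked_handler_echoes_valid_request(void) {
    server_mem m; uint8_t out[ARENA_LEN]; size_t n;
    make_sample(&m, 3);
    if (heartbeat_reply_checked(&m, out, &n) != 0) return 0;
    return n == 6 && memcmp(out + HB_HDR_LEN, "abc", 3) == 0;
}

int main(void) {
    printf("flawed handler leaks adjacent memory:    %d\n", flawed_handler_leaks_adjacent_memory());
    printf("checked handler rejects oversized claim: %d\n", checked_handler_rejects_oversized_claim());
    printf("checked handler echoes valid request:    %d\n", checked_handler_echoes_valid_request());
    return 0;
}
```

The fix is a single comparison against the record length that actually arrived, which is why patched servers could be deployed so quickly; the hard part for site owners is everything the article goes on to discuss, namely deciding what may already have been in memory and whether credentials need to be rotated.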
Should I Freak Out? I Feel Like I Should Freak Out
The one limiting factor of Heartbleed is that it only returns what is in the server’s memory, that is, what the server is processing at that exact moment. This is useful because it means that if you’re not actually using a site when a hacker is doing this, your data is still secure. A hacker would need to be exploiting this bug while you were logging in or entering your credit card information.
In fact, only 45 of the top 1000 trafficked websites are still vulnerable to the exploit, but that list includes sites like Yahoo.com and Imgur.com, so you should be careful on any website. However, many popular sites have already installed patches to fix the bug, so you can feel free to visit them and reset your passwords.
So no, you don’t need to freak out or tell your grandparents to unplug anything with circuitry. However, for the next few weeks, you should be careful about what you are sending out on the Internet. Maybe don’t check your online banking every hour to see if that last charge has gone through yet. And you probably don’t need to order that kitty potty training kit this month. Simple things like these can minimize your chances of being affected by this exploit.
What About My 352-Hosted Website?
The good news is, if you’re hosting with 352, you’re already safe, and you have been all along. At 352, we use SChannel for our SSL and TLS cryptography instead of OpenSSL, so this exploit will not affect clients hosting with us at all. If you’re not hosting with 352, you will need to check with your current host to see if their environment is affected by this bug.
As awareness of this bug spreads, more and more tools are being created to identify sites that are vulnerable to it. If you’re unsure of a site’s security, or you didn’t see your site on the list above, you can use this Heartbleed vulnerability scan.
In the meantime, be careful about sharing personal information, and try not to change any passwords until you are sure a site is secure or you get an all-clear message from an important site like your bank or investment account. If you change a password while a hacker has an active connection to a site, you may just be handing them your new password while feeling secure for the future.