The recently discovered Heartbleed bug exposed a gaping hole in the security software that’s supposed to keep your information private while shopping, managing your finances or sending and reading email. While there still aren’t any signs that the bug has actually led to eavesdropping or theft—financial, identity or otherwise—it’s probably only a matter of time.
The good news is that there are ways you can protect your information from thieves and snoops. The bad news is that they’re simple but not necessarily easy.
Why Heartbleed Is A Big Deal
First, some quick background. The Heartbleed bug lets an attacker sidestep the cryptographic protection that normally shields Web traffic on any site running an affected version of OpenSSL, the open-source library that implements SSL/TLS for a large share of the world's Web servers (versions 1.0.1 through 1.0.1f are affected). Each malformed "heartbeat" request lets the attacker read up to 64 KB of whatever happens to be sitting in the server's memory, and the request can be repeated as often as the attacker likes. That memory can contain usernames and passwords, session cookies, or the private cryptographic keys that shield traffic from prying eyes and that back the "certificates" websites use to prove they are who they say they are.
In the worst case, exposure of that information could allow attackers to read all traffic to and from a given site, or even to impersonate the site itself, which would be, let's just say, bad if the site in question happens to be your bank. (For a deeper technical breakdown of Heartbleed, check out ReadWrite's FAQ here.)
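To make the mechanism concrete, here is an added example written for this page rather than taken from OpenSSL or the ReadWrite FAQ: a stripped-down model of the heartbeat handler. The record layout (one type byte, a two-byte length, the payload, then at least 16 bytes of padding) follows the TLS heartbeat extension, but the `server_memory` array, the `session=` secret and the function names are constructed for the simulation. The vulnerable handler mirrors what OpenSSL 1.0.1 through 1.0.1f did, echoing back however many bytes the packet claimed to contain; the patched handler adds the bounds check that shipped in 1.0.1g (`if (1 + 2 + payload + 16 > s3->rrec.length) return 0;` in the real code).

```c
/* Added example: a simulation of the Heartbleed over-read, not OpenSSL's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding a heartbeat message carries */

/* Constructed sample: stands in for whatever happened to sit after the
 * record in the server's heap (session cookies, private key bytes, ...). */
static const char SECRET[] = "session=0xdeadbeef;";

/* Simulated process memory: the received record at the start, SECRET right after it.
 * A real attacker can claim up to 65535 bytes; keep claimed_len + 3 below
 * sizeof server_memory so the simulation itself stays in bounds. */
static uint8_t server_memory[512];

/* Place a heartbeat request in server_memory. claimed_len is the length field
 * the client writes into the packet; actual_len is how many payload bytes it
 * really sends. Returns the size of the record as it actually arrived. */
static size_t build_request(uint16_t claimed_len, const char *payload, size_t actual_len)
{
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = (uint8_t)(claimed_len >> 8);
    server_memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(server_memory + 3, payload, actual_len);
    size_t record_len = 3 + actual_len + HB_PADDING;
    memcpy(server_memory + record_len, SECRET, sizeof SECRET - 1);
    return record_len;
}

/* Build the response: type, length, payload_len bytes copied from p, padding.
 * Whether payload_len was validated is the caller's responsibility. */
static size_t write_response(const uint8_t *p, uint16_t payload_len, uint8_t *out)
{
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + 3, p, payload_len);            /* echoes whatever follows the header */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Vulnerable handler (shape of OpenSSL 1.0.1 through 1.0.1f): trusts the length
 * field inside the packet and never compares it with the size of the record
 * that actually arrived, so the memcpy reads past the request into the heap. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t record_len, uint8_t *out)
{
    (void)record_len;                           /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    return write_response(rec + 3, payload_len, out);
}

/* Patched handler (shape of the 1.0.1g fix): refuse any request whose claimed
 * payload, plus header and padding, does not fit inside the received record. */
static size_t heartbeat_patched(const uint8_t *rec, size_t record_len, uint8_t *out)
{
    if (record_len < 1 + 2 + HB_PADDING) return 0;          /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > record_len) return 0;  /* the missing check */
    return write_response(rec + 3, payload_len, out);
}

/* Does the byte range [buf, buf+len) contain SECRET? (a plain memmem) */
static int leaks_secret(const uint8_t *buf, size_t len)
{
    size_t n = sizeof SECRET - 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, SECRET, n) == 0) return 1;
    return 0;
}

typedef size_t (*handler_fn)(const uint8_t *, size_t, uint8_t *);

/* Run one scenario through a handler. Returns 1 if the response leaked SECRET,
 * 0 if it did not, -1 if the handler refused the request. */
static int run(handler_fn h, uint16_t claimed_len, const char *payload, size_t actual_len)
{
    static uint8_t out[512];
    size_t record_len = build_request(claimed_len, payload, actual_len);
    size_t n = h(server_memory, record_len, out);
    if (n == 0) return -1;
    return leaks_secret(out, n);
}

int main(void)
{
    printf("honest 4-byte request, vulnerable code : %d\n", run(heartbeat_vulnerable, 4, "ping", 4));
    printf("honest 4-byte request, patched code    : %d\n", run(heartbeat_patched, 4, "ping", 4));
    printf("claims 200 bytes, vulnerable code      : %d\n", run(heartbeat_vulnerable, 200, "ping", 4));
    printf("claims 200 bytes, patched code         : %d\n", run(heartbeat_patched, 200, "ping", 4));
    return 0;
}
```

The honest request behaves identically on both handlers. The lying request (4 bytes sent, 200 claimed) makes the vulnerable handler copy 200 bytes starting at the payload, which carries the constructed secret back to the client; the patched handler drops the record without answering, which is exactly why the fix is a one-line length comparison rather than anything cryptographic.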
Heartbleed sat undetected for two years: the flaw shipped in OpenSSL 1.0.1 in March 2012 and was not disclosed until April 7, 2014. No one knows who might have found it during that time or what they might have done with it. Now that it's out in the open, up to a half million widely trusted websites, including many that people use every day, such as the popular and much-maligned Yahoo Mail, have been scrambling to patch the flaw and update their security protocols to protect users.
See also: Understanding Encryption: Here’s The Key
But that's just a first step. Because exploiting the bug leaves no trace in the server's logs, it's impossible to tell whether anyone did, and you won't know you've been victimized until it's too late. Worse, if an attacker recorded any of your encrypted Web traffic over the past few years and has now used the bug to pull the site's private key, they may be able to decrypt that old traffic retroactively, unless the site's TLS configuration used a forward-secret key exchange, which produces per-session keys the long-term private key cannot recover. Because of Heartbleed's staggering unknowns and its possible future consequences, security expert and veteran cryptographer Bruce Schneier calls the bug "catastrophic," adding that "on the scale of 1 to 10, this is an 11."
It's also not simple for companies to fix. An affected site has to install the patched OpenSSL, generate new private keys, obtain new certificates for those keys, and revoke the old certificates; a patched server that keeps its old key is still open to anyone who already extracted it. Then its administrators get to start combing through their systems for other traces that could indicate whether anything was compromised, and to invalidate any user sessions that may have been captured while the bug was live.
What You Need To Do
Here’s your basic checklist as a user:
- Check to see whether sites you use regularly were vulnerable to Heartbleed in the first place
- Change your passwords on those sites immediately
- Monitor those sites to determine if they’ve patched the bug and reissued their digital certificates
- When one does, change your password again
Remember how I said protecting yourself is simple but not easy? That’s what I was getting at. Now let’s go through all that in detail.
Check Sites For Vulnerability
Not sure if your data is safe with your favorite site? Treat it to the Heartbleed test, a tool devised by Italian programmer Filippo Valsorda that determines whether a site is currently vulnerable to Heartbleed. If it is, it's probably best to go ahead and change your password even though the site hasn't fixed things up yet. That won't fully protect you, because the new password can be stolen the same way the old one could, but it might slow down a hypothetical attacker.
Another, more thorough SSL server test from Qualys SSL Labs provides an in-depth analysis of a site's TLS configuration and grades it on its security strengths. It might give you a little more peace of mind than Valsorda's quick-and-dirty test. The test takes about a minute and covers certificate and cipher strength, key exchange, protocol support, and known vulnerabilities including Heartbleed.
CNET has posted a list of the Heartbleed status of the Web’s top 100 sites. The password manager LastPass also offers a simple Heartbleed checker that not only tells you if a site uses OpenSSL, but when the SSL certificate was regenerated, providing additional insight into what companies are doing to protect users.
If you use the Google Chrome web browser, you can install the Chromebleed Chrome extension. Once installed, you’ll receive a warning any time you visit a site that was affected by Heartbleed.
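Checking for a reissued certificate yourself, which is what the third item on the checklist and the LastPass tool's "certificate regenerated" date come down to, means reading the certificate's notBefore date. The following is an added example (my own code, not a tool the article names): it parses the date line that `openssl x509 -noout -startdate` prints and reports whether the certificate was issued after the public disclosure on April 7, 2014. The `openssl s_client` pipeline in the comment is standard openssl usage; the `certcheck` binary name is just what the file is assumed to be compiled to.

```c
/* Added example for this article: decide from the output of
 * `openssl x509 -noout -startdate` whether a site's certificate was issued
 * after Heartbleed was disclosed. Not from the article or from OpenSSL.
 *
 * Typical use (the first two commands need network access):
 *   openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
 *     | openssl x509 -noout -startdate | ./certcheck
 */
#include <stdio.h>
#include <string.h>

/* Public disclosure date of Heartbleed: April 7, 2014. */
enum { DISCLOSURE_YEAR = 2014, DISCLOSURE_MON = 4, DISCLOSURE_DAY = 7 };

/* Parse openssl's date format, e.g. "notBefore=Apr  8 12:00:00 2014 GMT".
 * The "notBefore=" prefix is optional. Returns 1 on success, 0 on failure. */
static int parse_openssl_date(const char *line, int *year, int *mon, int *day)
{
    static const char *const months[12] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
                                           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"};
    const char *eq = strchr(line, '=');
    const char *s = eq ? eq + 1 : line;
    char mname[4];
    int d, hh, mm, ss, y;

    if (sscanf(s, "%3s %d %d:%d:%d %d", mname, &d, &hh, &mm, &ss, &y) != 6)
        return 0;
    for (int i = 0; i < 12; i++) {
        if (strcmp(mname, months[i]) == 0) {
            *year = y;
            *mon = i + 1;
            *day = d;
            return 1;
        }
    }
    return 0;
}

/* 1 if notBefore falls strictly after the disclosure date (a certificate minted
 * on April 7 itself is treated as "not clearly after"), 0 if it does not,
 * -1 if the line could not be parsed. */
static int issued_after_disclosure(const char *notbefore_line)
{
    int y, m, d;
    if (!parse_openssl_date(notbefore_line, &y, &m, &d))
        return -1;
    /* compare (year, month, day) lexicographically */
    if (y != DISCLOSURE_YEAR) return y > DISCLOSURE_YEAR;
    if (m != DISCLOSURE_MON)  return m > DISCLOSURE_MON;
    return d > DISCLOSURE_DAY;
}

int main(void)
{
    char line[256];
    while (fgets(line, sizeof line, stdin)) {
        if (strncmp(line, "notBefore=", 10) != 0)
            continue;                           /* ignore notAfter and other lines */
        switch (issued_after_disclosure(line)) {
        case 1:  puts("certificate issued after the Heartbleed disclosure"); break;
        case 0:  puts("certificate predates the Heartbleed disclosure: not reissued"); break;
        default: puts("could not parse the notBefore line");
        }
    }
    return 0;
}
```

One caveat worth knowing: a fresh notBefore date proves only that a new certificate was issued, not that a new private key was generated. A site that had its certificate re-signed on the old key is as exposed as before. If you saved the old certificate, compare the public key (`openssl x509 -noout -pubkey` on each) and treat an unchanged key as "not fixed."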
Change Your Passwords
Pro tip: Change your passwords immediately, but then change them again once an affected site has been confirmed safe from Heartbleed. You'll know it's safe by running a manual check with the tools above, or when you receive an email from the affected company. I would suggest doing your own check, however.
Late Wednesday I received an email from IFTTT—the productivity tool that simplifies sharing and automation across the Web—letting me know the bug was fixed and that I should change my password not just on the site, but anywhere else I store secure information. It’s very likely most companies that have been compromised will send similar emails.
You won’t really be done until every site you use regularly has patched OpenSSL and reissued its digital certificates. It’s going to be a pain to stay on top of all that, no question. If you want to live dangerously, you could just wait a few days and then change your passwords—but there’s no guarantee that someone won’t be sniffing out your data in the meantime.
Do Your Own Security Check Up
Now is a great time to do a little security spring cleaning. Unfortunately it took a critical bug to remind us all our data is never as secure as we think it is. If nothing else, Heartbleed should prompt us to rethink our security measures.
So take a minute to make sure your passwords are strong and unique to each site, and look through your accounts for any activity you don't recognize.
Password managers like LastPass can help users maintain tough security measures. The password manager lets you generate and save passwords for all your favorite sites, and requires only one login to access them all. (The LastPass site itself was affected by Heartbleed, but the service says no user data was at risk because it doesn’t hold the keys to the encrypted information it stores.)
Once all websites impacted by Heartbleed are patched, regularly check those affected accounts and make sure the only updates, conversations or purchases registered on the site were indeed made by you. This is a good habit to get into, even on sites that are, in theory, secure.
Updated: This story was updated to include a reference to the Chromebleed extension.