Is the Heartbleed bug a danger to me?
Yes…and it does not matter what type of computer or device you use. With Heartbleed, even Linux users are vulnerable.
Are all websites affected?
No. It is only those websites using a program called OpenSSL. However, that covers over 500,000 “certified” websites which, in turn, account for 66% of all sites that use this type of security for their users — the types of websites where you would most want to keep your login information out of the hands of criminals.
What could happen if I log in to a website that has not been fixed to prevent Heartbleed?
A hacker could steal any number of your passwords allowing him/her access to your online accounts including your bank, credit cards, mortgage, e-mail, social networking…anything you do online that requires a password.
Are websites fixing the problem?
Yes and no. Most major websites are quickly fixing the program that allowed Heartbleed. However, not as many are being so quick to fix the “key” that provides what is supposed to be secure access (you know, when the little lock shows up on your browser). If a hacker has already stolen the “key” and it has not been changed, then even if the website is patched, the hacker can still break into your connection and steal your information (this is often referred to as a “man-in-the-middle attack”).
How do I know if a website has been fixed?
There is at least one tool that tells you if a website is either not using OpenSSL or has been updated to a version that is not vulnerable to Heartbleed (more on that below), and more are being built. However, no such tool can tell you if the “key” I mentioned above has been changed.
What is my level of risk?
Very high on websites that require a login. Even low-level hackers can take advantage of the Heartbleed bug. Now that Heartbleed has been made public, hackers all over the world are looking for any server running OpenSSL that has not been patched. If any hackers knew about Heartbleed before it became big news, they could still be using the “keys” they stole on any site where they have not been changed.
So…what do I do?
Because most companies are hesitant to put such announcements on their home pages, this is where things get time-consuming. However, doing these things is better than paying the time and money it will cost if your bank account is emptied or you become the victim of identity theft (which will ruin your credit rating, keep you out of many job opportunities, and cause you years of woe trying to get your life back to normal again).
- Check any website requiring a login with this tool: LastPass Heartbleed checker. In most cases, this tool can tell you whether or not a site uses OpenSSL and, if so, whether or not it has been fixed to prevent further access to the “key.” (NOTE: Changed this link to the LastPass tool as it works better than the previous link and can also make a good guess if the site’s encryption key has been changed)
- Assuming your e-mail provider has fixed their own website (most of the major ones have), write to whatever site you need to access (or, call to be even safer) and ask if they have changed their encryption key to prevent any theft that occurred under the Heartbleed bug.
- If the website you contact says they have also changed their encryption key, go into your account profile and change your password. Once you have done this, you are safe on that website. (Side note: As you should do with any password, make it as long and bizarre as possible and use a good, free password manager so you do not have to remember it. A good password should look like a cat did a little dance on your keyboard).
- If the website you contact says they have not changed their encryption key yet but are working on it, change your password there anyway but wait to use the site again. When you are notified that they have changed their encryption key, go back and change your password one more time. Once you have done this, you are safe on that website.
- If a website requiring a password tells you they have not changed (or fixed) anything and gives you no assurance these issues will be addressed in the near future, change your password but stop using that site until you know it is fully repaired. If this is a site for a bank, utility, or something similar, call them and request to be sent paper statements via U.S. Mail if you are not receiving them already, and then pay such accounts the same way or over the telephone. Yes, the Heartbleed bug is that serious!
How does Heartbleed work?
Everything you do on your computer or mobile device is dumped into its memory (also referred to as RAM, short for “random-access memory”). The same goes for a website, as it runs on a computer, too. Heartbleed allows a hacker to use a compromised website to access a small portion of the information stored in that memory. The longer you stay on a compromised website, the more portions of memory Heartbleed can get. If Heartbleed gets the right block of memory, it could contain (for just one example) the web address of your bank, your log-in name, and your password, even if you visited that website hours ago.
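For the curious, here is an added illustration in C of the mistake behind Heartbleed. It is not code from this post or from OpenSSL, and everything in it is constructed for the demonstration: a stand-in for a sliver of a web server's memory, a tiny “ping” payload, and some made-up login data left over from an earlier visitor. The vulnerable handler trusts the length the other side claims and copies that many bytes into its reply, so whatever sits in memory just behind the real payload goes out the door too; the fixed handler refuses any claimed length that is larger than what actually arrived.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed simulation, not OpenSSL's code: the arena stands in for a
 * sliver of a web server's memory. The peer's heartbeat request sits at
 * the start, and right behind it lies data left over from an earlier
 * visitor's login. */
#define ARENA_SIZE 128
#define MAX_REPLY 64

/* Hypothetical stale data from an earlier connection (constructed). */
static const char STALE_SECRET[] = "user=alice&pass=correct-horse";

struct heartbeat_request {
    uint16_t declared_len;         /* payload length the peer claims */
    size_t actual_len;             /* bytes the record really carried */
    const unsigned char *payload;  /* points into the arena */
};

/* Vulnerable handler: trusts declared_len and echoes that many bytes back.
 * The clamp to the arena only keeps this demo well-defined; the real bug
 * had no such guard and read whatever followed the request in memory. */
size_t vulnerable_heartbeat(const unsigned char *arena, size_t arena_size,
                            const struct heartbeat_request *req,
                            unsigned char *reply, size_t reply_size)
{
    size_t n = req->declared_len;
    size_t offset = (size_t)(req->payload - arena);
    if (offset + n > arena_size) n = arena_size - offset;
    if (n > reply_size) n = reply_size;
    memcpy(reply, req->payload, n);   /* copies past the 4 real bytes */
    return n;
}

/* Fixed handler: the declared length must fit inside what actually arrived,
 * otherwise the request is dropped and nothing is echoed back. */
int checked_heartbeat(const struct heartbeat_request *req,
                      unsigned char *reply, size_t reply_size)
{
    if (req->declared_len > req->actual_len || req->declared_len > reply_size)
        return -1;
    memcpy(reply, req->payload, req->declared_len);
    return (int)req->declared_len;
}

/* Lays out the constructed arena: a 4-byte "ping" payload followed by the
 * stale secret, and a request that lies about its own length. */
static void build_arena(unsigned char *arena, struct heartbeat_request *req)
{
    memset(arena, 0, ARENA_SIZE);
    memcpy(arena, "ping", 4);
    memcpy(arena + 4, STALE_SECRET, strlen(STALE_SECRET));
    req->payload = arena;
    req->actual_len = 4;
    req->declared_len = 40;  /* asks for ten times what was actually sent */
}

/* Returns 1 if the vulnerable handler's reply contains the stale secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char arena[ARENA_SIZE], reply[MAX_REPLY];
    struct heartbeat_request req;
    build_arena(arena, &req);
    size_t n = vulnerable_heartbeat(arena, ARENA_SIZE, &req, reply, sizeof reply);
    return n > req.actual_len &&
           memcmp(reply + 4, STALE_SECRET, strlen(STALE_SECRET)) == 0;
}

/* Returns 1 if the fixed handler refuses the same lying request. */
int checked_rejects_oversized(void)
{
    unsigned char arena[ARENA_SIZE], reply[MAX_REPLY];
    struct heartbeat_request req;
    build_arena(arena, &req);
    return checked_heartbeat(&req, reply, sizeof reply) == -1;
}

int main(void)
{
    printf("vulnerable handler leaked stale secret: %s\n",
           vulnerable_leaks_secret() ? "yes" : "no");
    printf("checked handler rejected the request:   %s\n",
           checked_rejects_oversized() ? "yes" : "no");
    return 0;
}
```

The whole fix is the one comparison in checked_heartbeat: never let the other side's claim about how much it sent outrun what actually arrived. That is also why patching alone is not the end of the story in the questions above; anything that was already read out of memory before the patch, including the “key,” stays stolen until it is changed.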
Will this ever be fixed so I don’t have to worry and spend time going through all those steps you listed?
My semi-educated guess is that there probably will be, but not in the near future. The main problem in fixing it is that each website has to apply the fix manually — it is not like taking an automatic update from Windows. Not everybody owning a website is going to do this, and it will take a long time to develop something on the users’ side that will block the information that can currently be stolen via Heartbleed.
Is KoHoSo.us fixed and fully safe?
Yes. Even though KoHoSo.us has no feature requiring people to log in, I still made sure it was patched by my web host. The two features here that require a login for those who choose to use them, Gravatar for comment icons and WordPress.com for following comments or this blog as a whole, are also verified to be safe.
Is there more to Heartbleed than this?
Yes. However, if you are not a very tech-savvy person, this is all you need to know for now. For the curious, I will add this to show how bad Heartbleed is: the bug was accidentally created back on December 31, 2011. It is theoretically possible that a hacker could find a website that is not fixed and pull all of the sensitive information on it created over the past two years.
One last thing I saw yesterday afternoon tweeted by the Electronic Frontier Foundation…leave it to criminals to try and create a scam off of another scam…
Please be careful about phishing emails masquerading as Heartbleed password change notices. If unsure, type the [web address] for the site by hand.
Special thanks to Parker Higgins for his tweets both in general and directly to me on this subject. They were very helpful in making sure I provided proper advice…although, I should also say, if I got something wrong here, please don’t blame Mr. Higgins.