Heartbleed

What is Heartbleed?

So by now you may have heard of the Heartbleed bug- but what exactly is it? The problem affects a piece of software called OpenSSL, used for security on popular web servers. With OpenSSL, websites can provide encrypted information to visitors, so the data transferred (including usernames, passwords and cookies) cannot be seen by others while it goes from your computer to the website.

OpenSSL is an open-source project, meaning it was developed by really talented volunteers who wanted to help the internet community. It happens that version 1.0.1 of OpenSSL, released on April 19th 2012, has a little bug (a mistake introduced by a programmer) that allows for a person (including a malicious hacker) to retrieve information on the memory of the web server without leaving a trace.

What information are they stealing?

Heartbleed exploits a built-in feature of OpenSSL called heartbeat. When your computer accesses a website, the website will respond back to let your computer know that it is active and listening for your requests: This is the heartbeat. This call and response is done by exchanging data. Normally when your computer makes a request, the heartbeat will only send back the amount of data your computer sent. However, this is not the case for servers currently affected by the bug. The hacker is able to make a request to the server and request data from the server’s memory beyond the total data of the initial request, up to 65,536 bytes.

What should I do?

The important question is: Should you worry about this problem? The short answer is: “Yes, but don’t panic”. You should definitely change your passwords at least for the services confirmed as vulnerable and that have now been fixed, such as Google and Yahoo. But you should be changing your passwords regularly no matter what. If you have trouble remembering your passwords, you can always use a password manager such as LastPass or 1Password (remember: Don’t ever write down your passwords on a Sticky note next to your monitor, a notepad or a document inside the computer).

You can also:

  1. Install/Update Internet Security Software – Most reputable Internet Security Suites have the options for browser add-ons that can detect sites that are affected and advise you before you establish a connection.
  2. Trend Micro Heartbleed Detector – Input a website URL and it will advise if the site is vulnerable or protected.

A simple explanation of Heartbleed:

Heartbleed explained