Heartbleed – What should I do as a web user?

First off: Don’t Panic!

I’ve had a lot of concerned friends as me about this since they know I work in a computer related field.

While there are many areas on the web that are affected by the heartbleed bug, it’s not something that should have a large impact on the general user. Yes, you should change your passwords on all affected sites, just make sure the sites are fixed before you do.

What you should know:

Heartbleed is not a virus or anything that can infect your personal computer or device. It is a vulnerability that affects servers that use specific versions of OpenSSL to secure web traffic and can *potentially* allow an attacker to gain access to information on an unpatched web service. This does not mean your passwords were compromised, it just means that there is a possibility it could happen if you use one of the affected web sites and the admins don’t fix their systems.

The good news:

This bug was made very public and most major sites are working towards patching their servers (if they haven’t already). Give them time, don’t go and change all your passwords immediately. If you do before your web site admins are finished updating their servers and SSL certificates, you will have changed your password for no reason and will need to do it again once they have completed this work.

My suggestion:
Check with each web service that you use and make sure they have not only patch their affected systems, but also that they have updated their SSL certificates. Most browsers will show the issue date when you look at more details of a certificate when browsing to SSL protected sites. If they were affected, make sure they have updated their SSL certificates before you change your passwords for that site. Don’t use the same password for more than a single web service. It is convenient to do so, but if one password gets out, you have potentially given an attacker access to more that a since service with your password.

General Best Practices for Password Management:

  • Use a long password. “Thisisaveryverylongpassword” is actually a stronger password than something like “a8RkYyuS23F!”. The reason is that brute force attacks usually attack based on # of characters in the password. So even though it’s a much easier password to remember, it’s more secure, just because it’s longer! This image explains it.
  • Use a different password for each website. This is important.
  • If you use password management software, use a unique strong password. Don’t use the same password to unlock your keyring/passwords as you use on any website.

For my admin friends:
There is a wealth of knowledge available and a few test sites that you can use to check your own servers for the vulnerability. https://filippo.io/Heartbleed/ is a good one for testing. There is also good details in their FAQ section all about the bug. The main thing to note is that it’s a bug with certain versions of OpenSSL only.

What versions of the OpenSSL are affected?

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

What does this mean? It means if you’re running one of those versions that is affected, go update it, then update your SSL certificates for any affected service. This may also include re-compiling any software that may have been linked on the affected libraries.

About Paul Reed