Internet security: Heartbleed

The web has been roiled by the “Heartbleed” bug. This problem – it’s not a virus or malware, but something not working right in software (hence a “bug”) – is causing problems for all kinds of websites …and the people who use it.

What is Heartbleed?

Heartbleed is a defect in OpenSSL, one of the software systems which handle secure connections (SSL=”Secure Socket Layer”) between a web browser and a web server. This software means that when you go to a website that needs private or secure information (a password, your bank account or credit card number, etc.), the communication between your computer and the website is secure so that nobody can intercept that private information. (You can tell a site is secure by the https:// prefix to the site’s address (URL) – if you’re loading a webpage with http:// then the connection is not secure.)

The defect in the software allows information to bleed out to anyone or any computer which communicates with that server. The information might include private or sensitive information such as passwords or account numbers. It might not. The problem is, there’s no way of knowing if any private information has leaked out.

If you want to understand exactly how the Heartbleed bug works, check out this XKCD cartoon. It’s a simple but effective demonstration of what happens. Notice that the data being processed by the server is constantly changing, so whenever the request for information from the server happens, the data that’s retrieved changes. Does it include your password? Maybe…

Do I have to worry about it?

The simple answer is yes. OpenSSL is widely used throughout the internet. Most notably, it is used by Google, Facebook, and Yahoo! – and all of these sites were vulnerable. (This article from BBC News includes a list of some of the most popular sites were vulnerable. Many other sites were also affected… this list is not exhaustive!)

It is not sufficient to simply hope things will blow over. This defect in the OpenSSL software affected the infrastructure of the internet – it affected many systems throughout the web …including sites and services that you may use without being aware of it. You might not have a problem resulting from it, but then again you might. If someone has been able to steal your password, you could wind up being the victim of identity theft or other financial scams. (Read this account by someone whose GMail password was stolen – not related to Heartbleed – and what happened. Friends were conned, mail was lost, and it was a horrible nightmare.)

What can I do to keep my information secure?

The main thing to do is to change your passwords. The important thing is to change your passwords after the OpenSSL software has been updated and new security certificates have been issued. If you do it before this, any criminal exploiting the Heartbleed bug might get your new password.

Ideally, services you use should alert you to the fact that they have patched their systems. (And a proper fix means updating the software and issuing new security certificates, not just updating the software.) Here’s a message I received from Moodle saying their system has been patched (and they did issue new certificates):

If you don’t get a message from a site, you can check it using a service like this one. Enter the URL (address) for the site and it will check if the system is using the version of OpenSSL that is affected by the Heartbleed bug.

Once you know a system is protected, you should change your password. Any passwords you use should meet these criteria:

• Your password should be strong. You shouldn’t use an easily recognizable word or sequence of numbers. (“password” and “12345” are two of the most commonly used passwords …they are highly unsecure!!)
  • Ideally, a password should be a random collection of letters, numbers and other characters …such as: kjP87mi%lkj. Unfortunately, such a thing is hard to remember.
  • There are various ways to create memorable hard passwords – here’s one:
    • Make a phrase you can remember, such as “My favorite food is pizza.”
    • Change the case of some of the words, and add in some numbers (you can substitute some numbers for letters) and other characters. If you have a password such as “my FAVORITE!! f00d 15 Pizza?” it will be hard to break.
    • Alternatively, use the first letter of each word (including some numbers and other characters, too) – so you might get a password like “mFf1p”
    • If you can make your phrase more nonsensical or in a different language than English, it will be harder to break. (So, “elephant 74 PURPLE Michael stop!sign” or “BETAM**amesegenalaho!!” would be strong.)
• Your password should be unique.
  • Don’t use the same password for other sites.
  • You can use variations of your password (“my FAVORITE!! f00d 15 Spaghetti?”) for other sites, but if you repeat a password it really weakens it.
• Ideally, you should change your password every so often. (It may be a good idea to change your password to sites that had been vulnerable and then patched – such as Google, Yahoo, Facebook – again in a few weeks, after they’ve issued new security certificates.)

There are services that can manage passwords for you if you find this confusing. Some recommended ones include LastPass and the open source KeePass.

Where can I get more information?

Here are some articles I found helpful in understanding this problem and identifying how to deal with it:

• An article by James Fallows about the bug and changing your passwords.
• A very good overview by The Guardian newspaper.
• A list by CNet (a tech news service) that shows some of the major web services and their status.
• A guide to strong passwords by an initiative from the Australian government.