Heartbleed: The Bug That Threatens Millions Of Websites


When you enter sensitive information into a website, like credit card numbers, social security numbers or even just login information, you expect that the site will protect this data. Most sites use ‘HTTPS’, which stands for Hypertext Transfer Protocol Secure, to offer protection to users. Unfortunately, that means if a vulnerability is found in the software behind HTTPS, millions of websites are suddenly putting valuable information at risk. As Doug Aamoth reports for Time, the Heartbleed bug is that worst-case scenario realized.

Heartbleed is a flaw in OpenSSL, a commonly used software library that encrypts data and implements HTTPS on a site. This bug allows attackers to steal data and listen in on communications between the user and the website. This isn’t a new development either. Researchers believe the flaw in OpenSSL has existed for at least two years.

The good news is that Heartbleed wasn’t discovered through an attack in the wild. Instead, it’s a proof of concept: rather than attackers exploiting the Heartbleed bug and victimizing actual users, researchers discovered the bug and alerted the public. This doesn’t make your data any safer, but it means a permanent solution could be found before any large-scale damage occurs.

If left unchecked, there’s certainly the possibility for large-scale damage. As many as two-thirds of web servers could be affected by Heartbleed. There are potentially millions of other devices, such as Android smartphones and tablets, that could also be exploited through the Heartbleed bug.

The knee-jerk reaction to a bug capable of stealing login credentials would be to quickly change every password on every online account. But it’s not that simple. If a website is still vulnerable to the bug, changing your password might just hand the new information to eavesdropping criminals.

For users, the best option is to closely monitor accounts for suspect activity and wait for websites to update their infrastructure.

There are a couple of options you can use to check whether a site has protected itself. First, this site allows you to enter the URL of a site you use and see if it’s vulnerable to Heartbleed. If it is, you should avoid it and not log in until the problem is fixed. If you’re a LastPass user, you can also use the password management tool to check which of your saved passwords could have been compromised.

Once important sites, such as your bank’s website, credit card sites, any site where you pay bills, social media and email, are given the all clear, be sure to change your passwords. Just because the site is now safe doesn’t mean that your password couldn’t have been stolen at some point to be used later.

At Geek Rescue, we know security. Whether you need enhanced security for your website, office, or home network, call us at 918-369-4335.

April 10th, 2014