There has been a lot of urgent information circulating about the Heartbleed security bug (which some are mistakenly calling the “Heartbeat bug”) this week. But then you hear that the Heartbleed bug has been around for two years, and suddenly find yourself wondering why all the hype? Here are the three things that you need to know about the Heartbleed bug, and what you need to do about it.
1. The Heartbleed bug needs to be taken seriously even though it has been around for two years
Without getting too technical, the Heartbleed bug is a vulnerability in the OpenSSL library. SSL stands for ‘Secure Sockets Layer’; it is the cryptographic ‘layer’ that secures Internet communications. The Heartbleed security bug lets servers running affected versions of OpenSSL leak the contents of server memory, including things like passwords.
OpenSSL is widely deployed, which means that the Heartbleed bug vulnerability has existed on many, many sites around the world, including many large and well-known sites and services.
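To make the memory leak described above concrete, here is an added, simplified illustration written for this page (it is not OpenSSL's code, and the record layout, buffer sizes and the "secret" placed next to the record are all constructed). A heartbeat request carries a length field; the vulnerable handler trusts that field and copies that many bytes back, so a request that claims a longer payload than it actually sent pulls in whatever happens to sit next in memory. The hardened handler checks the claimed length against the bytes actually received and discards the request if it does not fit.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not OpenSSL's code.
 * Simplified heartbeat record: [type:1][payload_len:2 big-endian][payload...][padding:16]
 * The record is placed at the start of a simulated server memory buffer; a
 * constructed "secret" is placed immediately after it. */
#define MEM_SIZE 64
static const char SECRET[] = "SECRET:hunter2";   /* constructed, not real */

typedef struct {
    uint8_t mem[MEM_SIZE];
    size_t record_len;   /* bytes actually received on the wire */
} server_t;

/* Build the simulated memory: a request with a given *claimed* payload length
 * but an actual payload of strlen(payload) bytes. claimed_len must leave room
 * in the 64-byte buffer (the demo keeps every read inside the array). */
static void build_memory(server_t *s, uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(s->mem, 0, MEM_SIZE);
    s->mem[0] = 1;                               /* heartbeat_request */
    s->mem[1] = (uint8_t)(claimed_len >> 8);
    s->mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(&s->mem[3], payload, plen);
    s->record_len = 1 + 2 + plen + 16;           /* header + payload + padding */
    memcpy(&s->mem[s->record_len], SECRET, sizeof SECRET - 1);
    (void)claimed_len;
}

/* Vulnerable handler: echoes as many bytes as the request *claims*, never
 * checking against record_len. Bytes beyond the real payload are leaked. */
static size_t heartbeat_vulnerable(const server_t *s, uint8_t *out) {
    uint16_t payload_len = (uint16_t)((s->mem[1] << 8) | s->mem[2]);
    memcpy(out, &s->mem[3], payload_len);
    return payload_len;
}

/* Hardened handler: the claimed payload plus header and minimum padding must
 * fit inside the bytes actually received; otherwise the request is discarded.
 * This is the same idea as the bounds check added in the OpenSSL fix. */
static size_t heartbeat_fixed(const server_t *s, uint8_t *out) {
    uint16_t payload_len = (uint16_t)((s->mem[1] << 8) | s->mem[2]);
    if ((size_t)1 + 2 + payload_len + 16 > s->record_len)
        return 0;                                /* reject: claim exceeds record */
    memcpy(out, &s->mem[3], payload_len);
    return payload_len;
}

/* Does a reply of n bytes contain the constructed secret? */
static int reply_leaks_secret(const uint8_t *out, size_t n) {
    size_t m = sizeof SECRET - 1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(out + i, SECRET, m) == 0) return 1;
    return 0;
}

/* Returns 1 if the vulnerable handler leaks the secret for this claimed length. */
int vulnerable_leaks(uint16_t claimed_len) {
    server_t s; uint8_t out[MEM_SIZE];
    build_memory(&s, claimed_len, "hi");         /* real payload is 2 bytes */
    size_t n = heartbeat_vulnerable(&s, out);
    return reply_leaks_secret(out, n);
}

/* Returns bytes echoed by the hardened handler (0 means the request was rejected). */
size_t fixed_echoed(uint16_t claimed_len) {
    server_t s; uint8_t out[MEM_SIZE];
    build_memory(&s, claimed_len, "hi");
    return heartbeat_fixed(&s, out);
}

int main(void) {
    printf("vulnerable, claimed 40: leaks secret = %d\n", vulnerable_leaks(40));
    printf("fixed, claimed 40: echoed %zu bytes\n", fixed_echoed(40));
    printf("fixed, claimed 2: echoed %zu bytes\n", fixed_echoed(2));
    return 0;
}
```

The request in the demo really carries two bytes of payload but claims forty; the vulnerable handler hands back the constructed secret that sits beyond the record, while the hardened handler rejects the oversized claim and still answers an honest two-byte request normally.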
There are two primary reasons why you should worry about this now even though the Heartbleed vulnerability has been around for two years.
The Internet Patrol is completely free, and we don't subject you to ads or annoying video pop-ups. But it does cost us out of our pocket to keep the site going (going on 20 years now!) So your tips via CashApp, Venmo, or Paypal are VERY appreciated! Receipts will come from ISIPP.
A. If at any time in the past two years your data was leaked or breached, then any passwords you have set up on any site that is or was vulnerable need to be changed now. Your credentials, including your usernames and passwords, could be being traded or sold at this very moment.
You will also want to check (see below) to determine whether any of those services and sites are still vulnerable, because if so then changing your password now will do little good until they patch the hole. Be sure to contact any site that you use that is currently vulnerable to the Heartbleed bug.
B. With the sudden massive news exposure the Heartbleed bug is getting, hackers are now doing a lot more probing and testing of sites to see if they are vulnerable. So a site that may have been vulnerable, but unexploited, for the past two years, may now be discovered as the hackers have come out of the woodwork to look for and exploit this bug.
2. You need to change your passwords if you have any doubt – especially at sites that have your financial or other personal or private information
All sorts of service sites, including Amazon and Netflix, were vulnerable, and only got patched (fixed) this week.
ISPs and email providers, such as Google and Yahoo, were also vulnerable.
Moreover, the Heartbleed bug was found in widely-used networking hardware such as [Page no longer available – we have linked to the archive.org version instead], which means that any number of servers in companies of any size are vulnerable.
So how can you possibly know where you need to change your passwords? This brings us to point number three.
3. Many sites are still vulnerable – you need to check for yourself whether the sites and services you use are vulnerable
There are now several places where you can test to determine whether a site is vulnerable to the Heartbleed bug.
The one that we like best is the one that The Atlantic has called “industrial strength”. The main reasons that we like it best are that a) so far it has not thrown any errors, and b) it is the most comprehensive. That is the Heartbleed test at SSL Labs.
Two other places that are offering tests to see if a given site is vulnerable to the Heartbleed bug are the Heartbleed test at Filippo.io, and the Heartbleed test at LastPass.
If you find a site that is still vulnerable, please let us know in a comment.
When I heard about this thing, I knew there was one source of accurate, succinct, and actionable information: The Internet Patrol. Thanks for the test link, and the (predictable) BoA scorecard. News you can use. Kudos, Anne.
The Bank of America website, all 3 servers, received a failing grade on the SSL security test:

Server  Address          Status  Domain(s)              Test time                      Duration     Grade
1       171.161.199.100  Ready   bofa.com               Mon Apr 14 11:25:02 UTC 2014   32.588 sec   F
2       171.161.203.100  Ready   bofa.com               Mon Apr 14 11:25:34 UTC 2014   32.429 sec   F
3       171.161.202.100  Ready   bofa.com, www.bofa.com Mon Apr 14 11:26:07 UTC 2014   32.530 sec   F