Yep, the title is deliberate. By now, news of the Internet Heartbleed bug is spreading all over the globe, and for good reason. In this inaugural edition of MeemTips, I’ll succinctly explain what it is, how it may affect you, and what to do about it.
Here’s an infographic that helps tie together the main concepts:
What is SSL?
The SSL/TLS protocol aims to ensure secure communications between your computer and the servers you talk to on the Internet. When you access websites that use SSL (like Gmail, for example), the URL changes from “http” to “https”, indicating that it is a secure connection with reduced risk of anyone intercepting your communications with that website.
OpenSSL is an open-source implementation of the SSL/TLS protocol and is used on two-thirds of Internet servers, so its use is widespread. An update was made to OpenSSL in February 2014 to enable a secure connection between two systems to stay open (or “kept alive”) even when no data was being sent during that time. As you might guess, the improvement was called the “heartbeat”.
Fast-forward to March 2014 when it was discovered that the password (or more accurately, the encryption key) that secures the connection was stored in a server’s memory and not changed by the system frequently enough. This allows an attacker to tap into the connection, retrieve the encryption key, and use it to obtain any data contained within the server’s memory. (As a simple analogy, think of it as an attacker who hacks into an ATM to retrieve the last user’s banking password. Imagine the scale of the crime…)
The data sitting in the server’s memory could potentially include usernames, passwords, email addresses, bank details, and so on. Because the encryption key was not changed frequently enough, the attacker could repeat the same attack and obtain more information each time.
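As an added example (not from the original post or from OpenSSL), here is a validating parser for the heartbeat message format defined in RFC 6520: a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding. It goes a little beyond the post: the OpenSSL fix for Heartbleed was to discard any heartbeat whose declared payload length does not fit within the bytes actually received, and that is the check this parser enforces.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3        # 1 byte type + 2 byte payload_length
MIN_PADDING = 16      # RFC 6520: padding must be at least 16 bytes


class MalformedHeartbeat(ValueError):
    """Raised for any HeartbeatMessage that must be silently discarded."""


def parse_heartbeat(record: bytes) -> tuple[int, bytes]:
    """Validate a HeartbeatMessage and return (type, payload).

    The receiver must only trust the payload bytes that actually arrived.
    Echoing back `payload_length` bytes without this check would return
    whatever happened to sit in memory after the real payload.
    """
    if len(record) < HEADER_LEN:
        raise MalformedHeartbeat("record too short for heartbeat header")
    msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise MalformedHeartbeat(f"unknown heartbeat type {msg_type}")
    # The critical length check: declared payload plus minimum padding
    # must fit inside the bytes we really received.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        raise MalformedHeartbeat(
            f"declared payload of {payload_length} bytes exceeds "
            f"{len(record) - HEADER_LEN} bytes available after the header"
        )
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return msg_type, payload


def heartbeat_is_valid(record: bytes) -> bool:
    """Convenience wrapper: True if the record would be accepted."""
    try:
        parse_heartbeat(record)
        return True
    except MalformedHeartbeat:
        return False


def build_heartbeat(msg_type: int, payload: bytes) -> bytes:
    """Encode a well-formed heartbeat (constructed sample input only)."""
    return struct.pack("!BH", msg_type, len(payload)) + payload + b"\x00" * MIN_PADDING
```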
How the Heartbleed bug may affect you
It is possible that websites you frequently log into could be running on servers that are affected by the bug. This means your username, password, and other sensitive data could have been exposed to an attacker. Remember the “heartbeat” update mentioned above? If a server was running a version of OpenSSL that includes the heartbeat feature, then that server is vulnerable to the Heartbleed bug.
What you can do about it
To determine which sites have been affected, see this page on the LastPass website.
An extract from LastPass.com’s alert system showing popular websites affected by Heartbleed.
The critical thing for you to understand is that you must change your password IF AND ONLY IF the affected site has resolved the issue on their end. The reason for this is that if you change your password while the site is still vulnerable, your new credentials can still be retrieved by a hacker, rendering your password change ineffective.
Concluding remarks: Protect that heart, yo. Even in Cyberspace.
We need to remain conscious of safety on the Internet. The cyber world often creates a false sense of security while we sit behind a computer screen, deluding us into thinking we’re invincible. The reality is far from this, and it is highly likely that the information flowing through the Internet about you is a lot more detailed than you’d otherwise be comfortable with. Your best defense is to adopt best practice, which is to regularly change your passwords and use different passwords across various sites. Of course, a heightened sense of vigilance will go a long way in ensuring your interactions over the Internet are at a personally acceptable level of risk.
Happy to field questions in the comments.
Wassalaam (with peace),
1. CNET: Heartbleed bug: What you need to know (FAQ)
2. SANS Institute: Transport Layer Security
3. Codenomicon: The Heartbleed Bug
4. 404TechSupport: Infographic Explains the Heartbleed Bug