Heartbleed is the name given to an OpenSSL vulnerability that allows hackers to intercept data that you send over channels that are supposed to be encrypted. Anything you send while browsing an encrypted site with this flaw could be collected by malicious hackers.
Before you panic, not all sites are affected by Heartbleed -- only those that use OpenSSL are vulnerable. As pointed out by former TUAWer Damien Barrett, sites that run OS X Server have a more recent version of SSL/TLS encryption and are not affected by this flaw.
Though Heartbleed is a gaping security hole in SSL that's been open for several years, it is unlikely that you have been targeted by hackers. Nonetheless, you need to be aware of the flaw so you can protect your data going forward.
Websites have been aware of the issue for several days now and are in the process of updating their security certificates so they are no longer affected by this flaw. Here are some suggestions to help you keep your data safe as the Internet deals with this Heartbleed vulnerability.
Be Careful Where You Log In
Avoid logging into websites that contain sensitive information for a few days or at least until the website has been updated with a new security certificate. Services worth their salt will have an alert telling you that their servers are now secure. You can use this online tool to see if a service is still vulnerable: http://ift.tt/1in9VWh. Mashable also has a list of major sites and their Heartbleed status.
Change Your Passwords
As a precaution, you should change the passwords that you use to log in to secure websites that were affected by this bug. It's a daunting task, but one you shouldn't take on right away. Wait for websites to update their security certificates first and then choose a strong and unique password for all your important sites. You also may consider changing all of your passwords just to be safe -- you should be changing them routinely anyway, so now is as good a time as any.
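The order of operations from the two sections above (wait until the site is fixed and has a new certificate, then change the password) can be checked against the issue date of the certificate a site presents. This is an added example, not part of the original article; the April 7, 2014 disclosure date, the function names and the sample certificates are assumptions that do not come from the article.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (assumption: not stated in the article).
DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

def cert_issued_at(cert):
    """Return the notBefore time of a getpeercert()-style dict as a UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def password_advice(cert, site_reports_patched):
    """Apply the article's order: site fixed and certificate replaced, then change."""
    if not site_reports_patched:
        return "wait: site has not announced a fix"
    # A newer notBefore only shows the certificate was replaced; it does not
    # prove the server was patched, hence the separate flag above.
    if cert_issued_at(cert) < DISCLOSED:
        return "wait: certificate predates disclosure"
    return "change password now"

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate a server currently presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (only the field this check reads).
OLD_CERT = {"notBefore": "Jan 15 00:00:00 2014 GMT"}
NEW_CERT = {"notBefore": "Apr  9 12:00:00 2014 GMT"}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python check.py example.com (pass "patched" as 2nd arg)
        cert = fetch_cert(sys.argv[1])
        print(cert_issued_at(cert).date(), password_advice(cert, "patched" in sys.argv[2:]))
    else:
        for sample in (OLD_CERT, NEW_CERT):
            print(cert_issued_at(sample).date(), password_advice(sample, True))
```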
Use a Password Manager
Use a password manager if you don't already have one. If you have to change passwords, you might as well take the extra time to set up a password manager and store all your logins in a single, secure location. Many Apple owners use 1Password (review), while I personally use LastPass, which has the added benefit of scanning your stored services for the Heartbleed vulnerability. If a site is vulnerable, the tool will let you know whether you should update your passwords for those accounts at this time.
LastPass users with the browser extension installed can click the LastPass icon in the browser toolbar, click the "Tools" menu, and select "Security Check". Users also can log in to their vault in their web browser and click "Security Check" in the left-hand column.
If you want to know more about Heartbleed itself, TechCrunch posted this great technical video and here's a little background on why there is a logo and website to spread info about this security issue.