Insights For Success


What should users do about heartbleed

technology | Edward Kiledjian
Image by Travelhack under creative commons license

Since this is a user-oriented article I won't get into the technical details of what the Heartbleed bug is. In simple terms, it is a vulnerability in a very commonly used implementation of the SSL/TLS security protocol that could allow an attacker to "steal" 64 KB of server data (from memory) at a time.

Current estimates peg the impact of this bug at about 500,000 sites, or ~20% of SSL-secured sites on the internet. The bug went undetected by mainstream researchers for 2 years and could allow a technically savvy attacker to exploit a server repeatedly in the hope of finding passwords, credit card numbers or other valuable user information.

At this point I am not aware of this bug being exploited in the wild.

I'm a user and I'm panicking

The first thing you need to do is calm down. It is a major vulnerability, but the fix can only be applied by the operators of the affected sites (Google, Yahoo, etc.).

There is nothing for users to fix or change on their own PCs. Users have to wait until websites update the software on their servers to a non-vulnerable version.

Know that once the issue is fixed on a server, the server operator will invalidate the old (potentially compromised) security certificate and add it to a revocation list. The first thing you should do is ensure your browser checks all SSL certificates against that revocation list. In Chrome, do this:

- Open a new tab
- In the URL address bar, type chrome://settings/
- Click on "Show advanced settings"
- Scroll down until you see the SSL/TLS section
- Make sure the certificate revocation checkbox is ticked

Once a website upgrades its software, you should change your password on that site. Changing it before the bug is fixed is useless, since it could potentially be exploited and stolen again. Some sites (like Facebook and Yahoo) have admitted to using the vulnerable product and have confirmed their software is now upgraded. This means you can go ahead and change your password for those sites.

Other sites (like banks) will likely never admit to having had the vulnerability (and not all versions were vulnerable), so you'll have to use a Heartbleed site checker tool such as the one from LastPass (link).

What if the site doesn't notify you? Consider changing your password now anyway and changing it again once a week for the next 2-3 weeks. Sometimes sites won't admit to having been vulnerable to Heartbleed but may say "your account has been locked for security reasons, please change your password."
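One way to turn the advice above (revoked and reissued certificates, and rotating passwords only after the fix) into a check you can run yourself, as an added example that is not from the original article: it reads a certificate's notBefore date in the format Python's ssl.getpeercert() returns and compares it to the Heartbleed public disclosure date (7 April 2014), since a certificate issued after that date is a reasonable sign that the operator has patched and reissued. The sample certificate records, the placeholder hostnames and the site_status values are constructed for illustration; a post-disclosure date is only a hint, and a statement from the site itself is better evidence.

```python
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 7 April 2014. A certificate whose
# validity period starts before that date cannot be a post-patch reissue.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample records in the dict shape ssl.getpeercert() returns
# (only the fields this check reads). Hostnames are placeholders.
SAMPLE_CERTS = {
    "old-cert.example": {"notBefore": "Mar 10 00:00:00 2014 GMT",
                         "notAfter":  "Mar 10 00:00:00 2015 GMT"},
    "reissued.example": {"notBefore": "Apr 10 12:00:00 2014 GMT",
                         "notAfter":  "Apr 10 12:00:00 2015 GMT"},
}


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch a live site's certificate as a getpeercert() dict (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_not_before(cert):
    """Start of validity from a getpeercert() dict, as an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_disclosure(cert):
    """True if the certificate was issued on or after the disclosure date."""
    return cert_not_before(cert) >= HEARTBLEED_DISCLOSURE


def password_advice(cert, site_status="unknown"):
    """Apply the article's rule. site_status is 'patched', 'vulnerable' or
    'unknown' (whatever the operator has told you, if anything)."""
    if site_status == "vulnerable":
        # Changing the password now is useless; it could be stolen again.
        return "wait"
    if site_status == "patched" or reissued_after_disclosure(cert):
        return "change now"
    # No statement from the site and the old certificate is still in use.
    return "change now, then again weekly for 2-3 weeks"


if __name__ == "__main__":
    for host, cert in SAMPLE_CERTS.items():
        print(host, cert_not_before(cert).date(), password_advice(cert))
```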

You should be using a password manager so that you can protect each website with a long, unique password. I use WolframAlpha to generate strong, long, unique passwords for each site (I wrote an article about it: LINK) and store them in LastPass, since remembering them is impossible.