If you have an account on Yahoo mail, Gmail, Instagram, Netflix, or a variety of other websites, you may have been affected by the HeartBleed SSL security bug. HeartBleed just became public this past week, and is rapidly being addressed, but it represents an SSL security vunerability that may have existed and been exploited by hackers for up to the last two years. I just read two great news articles on Heartbleed, which I’ve summarized and added to here, and link to at the bottom of this post.
First, what is SSL? Is it like LOL?
SSL stands for Secure Sockets Layer, but most internet users probably recognize it as the padlock in our browser address bar and/or a website url beginning with “https” instead of “http”. SSL encrypts the data we send to and from a website, so hackers can’t read it. Heartbleed is a bug in the SSL process that was uncovered by a security expert at Google last week. It affects OpenSSL, a popular program used to run SSL security on many websites. Heartbleed ONLY affects the OpenSSL program, so websites that use a different SSL program are not affected. More importantly, the way HeartBleed works is that a flaw in the OpenSSL program allows a hacker to read the secure data transmission while it is stored in temporary memory, and only while it is temporary memory. Hackers can’t steal all of the website’s data… they can only retrieve any data transmissions while they are stored in temporary memory. Thus, if you were using a website in secure SSL mode while a hacker was eavesdropping, he could have stolen your information. But it is important to remember that is only the data as it is temporarily stored in temporary memory, and it is not the website’s entire database. Further, although security experts believe this vunerability may have existed for up to the past two years, it is unclear if it was exploited by hackers and/or to what degree.
What websites were effected?
According to Mashable, the list of websites using OpenSSL is significant, and includes Instagram, Pinterest, Tumblr, Google, Yahoo, Gmail, Yahoo Mail, GoDaddy, Flickr, Netflix, YouTube, and Dropbox. The good news is that Mashable lists many banks, and none of the banks were affected by Heartbleed. Further, all of the popular websites listed above have patched their SSL security now, but there are a LOT of websites using OpenSSL.
What should you do?
You should understand how Heartbleed works, what websites were affected, and how it might affect you. More than likely, affected websites will be emailing their customers with further instructions. It’s important to make sure any website (if they use OpenSSL) you use in secure SSL mode has patched or fixed their server before you continue to use their service, and you should ask them if you need to change your password.
What about us webmasters with secure online stores?
I first heard about Heartbleed this past week because we have an online store that uses SSL. Our SSL provider notified us that we may be at risk, but explained that the issue was not with their SSL certificate, but was with our webhost, and depended on whether or not our webhost used OpenSSL. Our SSL provider provided the following link to check if our website was vunerable. In our case, our store was not affected. But if you have a website that uses SSL, if you haven’t already checked, you should use this link to see if your website is affected, and if your webhost is using OpenSSL, you need to make sure they have patched or fixed it, or do so immediately:
Similarly, if you do any online ordering or other web activity that requires SSL security, before you do it, check the website you are using at the above link first to see if they have been compromised by the Heartbleed bug.
For more information, I highly recommend reading these two articles: