Signs of Triviality

Opinions, mostly my own, on the importance of being and other things.
[homepage] [index] [jschauma@netmeister.org] [@jschauma] [RSS]

Heartbleed and You

April 09, 2014

Over the past few days, you likely have heard about a severe vulnerability in the way that almost all important internet sites secure their traffic. This bug was termed "Heartbleed", and has (quite aptly) been described as "devastating" and "catastrophic".

A lot has been published about this bug, but it can be difficult for non-technical users to understand just how this issue may affect them, which is why I have tried to summarize the impact here.

What is "Heartbleed" and why should I care?

A bug now known as "heartbleed" is a problem in the code that is used to secure traffic across the internet. The problem was made public only two days ago, but it has existed for over two years now.

The reason you should care about this is that it may affect an overwhelming majority of internet services. Basically, the information you submitted to any website that you need to log in to -- Twitter, Facebook, Gmail, your bank, your broker, Seamless, Yelp, ... anything -- may have been accessed by other parties.

See this page for a clear illustration of how the bug works. It is without question that anybody reading this blog entry is directly affected by this bug.

So the internet is on fire. Now what?

There is very little you can do at the moment. Your best course of action at this point is to sit and wait. That is, unless you know that a service is safe, you should try not to use it. (Good news: Twitter is in the clear, so tweet your heart out!)

The internet community at large is frantically working on fixing the root cause of the problem: we're patching systems and rolling out updates to the code in question as well as generating new SSL certificates for our services.

Until that is done on the site you're wishing to access, it is best to refrain from logging in there.

How do I know whether or not a service is safe?

Many of the popular services and sites have been patched already. If you haven't heard an explicit confirmation, however, just try and wait for a little bit. For example, you probably want to postpone your online banking activities for a few days.

If you must access a site, consider checking beforehand whether or not it is vulnerable to this issue. You can do so by entering the name (for example: "hsbc.com") at:

http://filippo.io/Heartbleed/
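As an added example that is not part of the original post: besides asking the checker above, you can look at whether a site has replaced its SSL certificate since the bug became public (April 7, 2014), which is the second half of the cleanup described above. The script below fetches the certificate and compares its start of validity with that date; the host name is a placeholder, and a fresh certificate is a signal, not proof, that the old key is out of use.

```python
# Added example (not from the original post): report whether a site's TLS
# certificate was issued after Heartbleed became public (April 7, 2014).
# A site that patched OpenSSL but kept its old certificate may still be
# using a key that could have been read out while it was vulnerable, so a
# fresh notBefore date is one signal (not proof) that the operator also
# replaced the certificate. It does not test for the bug itself.
import socket
import ssl
from datetime import datetime, timezone

HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_cert_time(value: str) -> datetime:
    """Parse the 'notBefore'/'notAfter' strings returned by
    ssl.SSLSocket.getpeercert(), e.g. 'Apr  8 15:30:00 2014 GMT'."""
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def issued_after_disclosure(not_before: str,
                            disclosed: datetime = HEARTBLEED_DISCLOSED) -> bool:
    """True if the certificate's validity period begins after the bug went public."""
    return parse_cert_time(not_before) > disclosed


def fetch_not_before(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host, verify the chain normally, and return the leaf
    certificate's notBefore string as reported by the ssl module."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"]


if __name__ == "__main__":
    import sys
    # Placeholder host; pass the site you care about on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    not_before = fetch_not_before(host)
    if issued_after_disclosure(not_before):
        verdict = "certificate reissued after disclosure"
    else:
        verdict = "certificate PREDATES disclosure, treat with caution"
    print(f"{host}: valid from {not_before} -> {verdict}")
```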

Ok, am I in the clear if that checks out?

Unfortunately, even if the service you're accessing is marked as no longer vulnerable, you're still exposed to a significant risk. As noted above, the issue has been around for a long time. It is quite possible that an attacker had already exploited it before this week and gotten hold of your password or other data.

We therefore strongly recommend that you change your password on any site that you have an account on after you have confirmed that it is no longer vulnerable.

Oh, come on! I'm not going to do that, and neither are you!

True. This is a major pain. But perhaps do consider this for at least those sites that are of particular importance to you: your banks, your brokerages, your health care providers and the like.

Remember to use a password manager for all of your passwords -- this makes it significantly easier!

Is there something else I can do to be safe?

For this particular case, it is a good idea to clear all cookies from your browser to prevent it from submitting them to a vulnerable server.

  • In Chrome:
    Preferences->Show Advanced Preferences->Privacy->Clear Browsing Data
  • In Firefox:
    Preferences->Privacy->Show Cookies->Remove All Cookies

You should also ensure that your browser checks whether or not a site's SSL certificate has been revoked:

  • In Chrome:
    Preferences->Show Advanced Preferences->HTTPS/SSL
    [x] Check for server certificate revocation
  • In Firefox:
    Preferences->Advanced->Certificates->Validation
    [x] Use the Online Certificate Status Protocol (OCSP) to confirm the current validity of certificates

I'd like to know more!

If you're interested in more general details, you can begin your free fall down the rabbit hole at these locations:

I'm still reading this - don't I deserve a reward?

You do indeed. Choose your own adventure:



Updated April 14th, 2014: clarify why deleting cookies is useful. Based on feedback by @j4cob, who created a similar blog entry before me.

Updated April 15th, 2014: add link to http://xkcd.com/1354/, suggested by @mrm.

