What does “Heartbleed” mean to the rest of us?

By now we’ve all read about the Internet bug called “Heartbleed“.  But what does this mealy mean to the rest of us?  In a nheartbleedutshell it means that there is a real good chance that someone has your username and password that you don’t want to have it.

Is my computer infected?

No, your home computer isn’t going to be infected with anything.  Heartbleed exists because of a bug in the software which handles the data encryption on some web servers.

Are all websites infected?

No.  Not every website is infected.  There is no easy way for us the end users to know which websites are still suffering from the problem and which ones aren’t.

How can I protect myself?

The only way to protect yourself is to not use websites which are suffering from the Heartbleed problem.  If you are using websites which haven’t had the needed patches installed on them, then any information which you send to those websites could be read by an attacker.

Is there a list of websites which are safe to use?

Sadly no, there is no list of websites.  All you can do is check with the company which runs the website or wait for them to tell you that their webservers have been patched.

Is this something that I need to worry about?

Sadly the answer here is yes.  If you shop online, or use the same username or password or different websites then you might be at risk.  There’s no way to know if your information has been leaked or not, so it’s best to change your passwords for all the websites that you use.

How would I know if a website is safe to use?

There’s no easy way, or any way to really know for sure.  The best bet for an end user is to look at the SSL certificate for the website and see what the dates for when the SSL certificate was issued.  If that date is April 2014 or later then it is probably safe.  The reason that I say this is that part of the threat is that the private keys for the websites certificate may have been compromised, so websites are getting new certificates and having the old ones disabled.

Finding if the certificate is new is pretty straight forward.  In your web browser such as Internet Explorer, Firefox or Chrome connect to the website in question, I’ll use Google.com as an example.  Once connected to the website find the padlock which shows that the website connection is secure, which I’ve circled below in Internet Explorer, and click on the padlock.

lock

When you click on the padlock you’ll get some basic information similar to what you see below.  Click on the “View certificates” link at the bottom.

view

This will show you the certificate itself, which you can see below.  At the bottom you’ll see the dates which the certificate is valid from and to.  If the from date is in April 2014 or later then it’s probably safe.  You’ll notice that the from date in this case is April 2, 2014.

cert

If you are using Firefox or Chrome the steps will be very similar but the screens will look a little different.

What should I do?

The best thing you can do is change your passwords for all the websites which you use, and use a different password for each website.

As I learn more about this, I’ll post it here.

Denny

1 Thought.

  1. Pingback: Big Challenges in Data Modeling: Ethics & Data Modeling April 24th | Securing SQL Server

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: