What to do about the ‘Heartbleed’ SSL vulnerability


On April 7, 2014 we learned of a vulnerability in OpenSSL, the security software that you know is in operation when a web address begins with https instead of http. It is the encryption system used to protect confidential information such as passwords, and most sites that deal with sensitive information use it. This vulnerability allowed third parties to intercept and obtain that information.

When I write about computer security I know that I am hopelessly out of my depth, but like most people I have been stymied by the conflicting advice about what to do about the latest ‘Heartbleed’ bug that enables someone to get large amounts of information from servers and not leave any trace. While this has caused great alarm, it is not clear what any ordinary person should do.

Some have rushed to change their passwords immediately, but apparently this is not advisable until patches are installed to fix things. Some have recommended that you wait until you hear from the company that it is safe to log in and that you should then change the password. Others have said that companies may not contact you and, furthermore, unscrupulous people take these panicky opportunities to send out fake emails as if they are from the companies, and when unwitting people click on those links they are actually giving their information to the wrong people.

Here is what I have learned and I hope the much more knowledgeable people in this blog’s readership will chime in.

Not all sites have the security flaw. Here is a list of popular sites that may have been compromised. I got an email from my university saying that they have checked our system, that we appear to be secure, and that they are not asking us to change passwords, not yet anyway. They also gave a link to a site where you can test the SSL system of any company you do business with and see if there is a security risk there by entering that site’s URL into the search box. For example, it says that my bank’s site is secure against the Heartbleed bug.

What I am doing is not logging into any site that has the kind of information that infiltrators might want (like banks) and that require a password until I have first checked that site using the above link.

Stephen Colbert is also panicked about it.

(This clip aired on April 9, 2014. To get suggestions on how to view clips of The Daily Show and The Colbert Report outside the US, please see this earlier post. If the videos autoplay, please see here for a diagnosis and possible solutions.)

Comments

  1. says

    not logging into any site that has the kind of information that infiltrators might want (like banks)

    Seriously -- do not do online banking over the internet.

  2. lanir says

    This is only about passwords and not advice on when to change them. The post itself has links to information on that.

    I’ve been slowly changing all passwords. Takes awhile but it was about time for me to cycle through and get new ones anyway. Some useful advice about passwords when you do change them:

    https://xkcd.com/936/

    Some places will require mixed case, numbers, and/or special characters (punctuation, etc.). Add those in as needed. It’s all just a numbers game though. In the 90’s we were stuck with only 8 characters in a lot of places and the more variety you used with them the better. Now there’s not much to limit your password in most places and adding a few more characters makes a much bigger difference in how hard it is to brute force (translation: have a computer randomly guess it) while not necessarily making it any more difficult to remember.

  3. mordred says

    For me it was also time to change my main passwords anyway, so no big deal. I checked the sites for vulnerability with a service like the one Mano linked in his post and if the server seemed secure, I changed the password.

    I don’t intend to change all my passwords! I started with the ones for well-known sites where someone can do real damage with my login: banking, Amazon, PayPal, etc. Then I thought about the number of forums where I’m registered under an alias or small web shops where I once ordered something -- and decided to skip these for now. What’s the damage if someone posts crap under my anonymous account on some fantasy forum I have not visited in years? (Assuming these old accounts are still valid.)

    The same with a number of customer accounts with some obscure web shops. What are the odds someone hacks the gardening shop I ordered some supplies from this spring and uses my account to buy some really expensive flower pots?

  4. lorn says

    Rule number one for security is to do important things in person, i.e. I bank in person and the teller has a picture of me and a picture of my signature. It also helps that I bank with a local credit union. Fact is that hackers are lazy; they are highly unlikely to drive to the location. Of course, if they do they have to enter the building, go through the double security doors, have your face photographed, and look the teller in the eye. When you leave there are cameras that are likely to get your license plate number. Whereas a virtual holdup is quick and getting away is easy, the real world is messy.

    After a bunch of media claims about how people could hack the power grid and destroy equipment, I asked a gentleman I know who works for the local power company how they secure their equipment. He answered that their power plant wasn’t computer controlled or hooked up to the internet or phone lines. To hack the plant you would need to physically enter the plant and get your hands dirty.

    Similarly, I asked a locksmith what lock was hardest to pick. He answered that a skeleton key lock from the 1600s was just about impossible to pick with modern tools. Those are large locks that take more force to work than a standard lock pick can deliver without breaking.

    Sometimes the old ways are more secure.

    Of course most passwords are easy enough to brute-force. But they needn’t be. Put a timer on the password so that if you get the password wrong you have to wait two seconds before you can try again. Given 1000 tries a second you can brute-force a password. At two seconds a try (figure it takes two seconds for a human to enter it by hand), the human is not burdened but an automated system is. If you want to get mean, start at two seconds for the initial failure and double it with each failure. Forget about a thousand tries. At ten failures the computer has to wait over 17 minutes to try again. Even simple passwords become formidable obstacles.

  5. Dunc says

    Some places will require mixed case, numbers, and/or special characters (punctuation, etc.). Add those in as needed.

    There’s a great deal to be said for always including those (whenever allowed), because they dramatically increase the search space for a brute-force attack.
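The arithmetic behind the password comments above (lanir and Dunc on how character variety and length enlarge the search space, lorn on a doubling delay after each failed attempt), written out as an added example. This is not code from the post or from any of the commenters; the 1000-guesses-per-second rate and the two-second starting delay are taken from lorn's comment and are illustrative figures only.

```python
"""
Added example (not from the post or its commenters): helpers that make the
password arithmetic in the comments concrete.

Assumptions (illustrative, from lorn's comment): an online attacker who can
submit 1000 guesses per second against an unprotected login, versus a login
that waits 2 seconds after the first wrong attempt and doubles that wait
after every further consecutive failure.
"""
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # 31,557,600

# Character classes a site may require (the "mixed case, numbers, special
# characters" from lanir's and Dunc's comments).
CHARSET_SIZES = {
    "lowercase": len(string.ascii_lowercase),                              # 26
    "lowercase+digits": len(string.ascii_lowercase + string.digits),       # 36
    "mixed case+digits": len(string.ascii_letters + string.digits),        # 62
    "mixed case+digits+punctuation": len(
        string.ascii_letters + string.digits + string.punctuation),        # 94
}


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space; every extra character adds log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, guesses_per_second: float = 1000.0) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float = 1000.0) -> float:
    """Years to exhaust the search space at a fixed guess rate."""
    return seconds_to_exhaust(search_space(alphabet_size, length),
                              guesses_per_second) / SECONDS_PER_YEAR


def backoff_wait(failures: int, base_delay: float = 2.0) -> float:
    """Delay imposed after the n-th consecutive failure: base, then doubling."""
    if failures < 1:
        return 0.0
    return base_delay * 2 ** (failures - 1)


def time_for_guesses_with_backoff(guesses: int, base_delay: float = 2.0) -> float:
    """Total seconds spent waiting to make `guesses` consecutive wrong attempts.

    The waits form a geometric series: base * (1 + 2 + ... + 2^(n-1))
    = base * (2^n - 1).
    """
    return base_delay * (2 ** guesses - 1)


def guesses_within(seconds: float, base_delay: float = 2.0) -> int:
    """How many consecutive wrong guesses fit into `seconds` under the doubling
    delay. Iterates rather than using log2 so exact powers of two round correctly."""
    n = 0
    while time_for_guesses_with_backoff(n + 1, base_delay) <= seconds:
        n += 1
    return n


if __name__ == "__main__":
    for name, size in CHARSET_SIZES.items():
        for length in (6, 8, 12):
            print(f"{name:32s} len={length:2d} "
                  f"{entropy_bits(size, length):6.1f} bits "
                  f"{years_to_exhaust(size, length):14.1f} years @1000/s")
    # lorn's figure: the tenth consecutive failure costs 1024 s (~17 min).
    print(f"wait after 10th failure: {backoff_wait(10) / 60:.1f} minutes")
    print(f"guesses possible in one year under doubling delay: "
          f"{guesses_within(SECONDS_PER_YEAR)}")
```

Running it shows the two effects side by side: each extra character multiplies the search space by the alphabet size, so length beats variety (12 lowercase letters outnumber 8 fully mixed characters), while the doubling delay limits a single attacker to only a couple of dozen consecutive guesses per account per year. The delay is a defence against online guessing only; it does nothing once a password database has leaked and is attacked offline, and a per-account lockout can itself be used to lock a legitimate user out, which is why real deployments usually combine a modest delay with rate limiting per source rather than an ever-growing lockout.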
