This week’s big news on the security front is all about Heartbleed, a vulnerability in OpenSSL, which is used by many web sites to encrypt transmissions between visitors’ machines and the web servers. The Transport Layer Security (TLS) protocol – the successor to Secure Sockets Layer (SSL) – is the standard method of protecting sensitive data that’s sent across the Internet, such as banking transactions, credit card purchase information, and personal info such as social security numbers and driver’s license numbers required to identify users on government and other sites.
OpenSSL is an open source implementation of the SSL and TLS protocols. On April 7, the tech world started buzzing with the news that a serious flaw in the handling of memory affects the version 1.0.1 series of OpenSSL prior to 1.0.1g, and the v1.0.2 beta is also affected. This could be exploited to allow an attacker to read data in memory on the web server, which could include sensitive and personal information and passwords. The bug is so serious that a web site has been set up by security company Codenomicon dedicated to providing information about it.
Although it was only revealed a few days ago, the vulnerability has existed in the software for more than two years. Of course, now that it’s public knowledge, it’s more likely that attackers will exploit it. At the time the vulnerability was disclosed, it was believed that at least half a million web sites were affected. Estimates are that 66 percent of the web uses OpenSSL.
Bottom line is that if you have an account on a site that was affected, you should change your password. But how do you know which of your sites were affected? Not all web sites that exchange sensitive information are vulnerable.
Mashable published a list of popular sites that are known to be vulnerable (or not), but it’s far from complete. A more comprehensive list was published by CNET. Facebook, Instagram, Pinterest, and Tumblr are social networking sites that are vulnerable. Google and Yahoo are also on the list, including Gmail and Yahoo Mail. Microsoft and Hotmail/Outlook.com are not (presumably because they use Microsoft’s implementation of SSL/TLS rather than OpenSSL). Neither is Apple. Some of Amazon’s web services (used by operators of web sites) were vulnerable but have been patched; Amazon.com’s commerce site is not vulnerable. The really good news is that major banking and brokerage sites have indicated that their sites are not vulnerable.
If you are concerned about web sites that aren’t on the lists, you can use one of several tools developed to scan sites and analyze whether or not a particular site is vulnerable. This includes GFI LanGuard which you can try out for free today.
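For servers you run yourself, the quickest first check is the OpenSSL version string, since the affected releases named above are the 1.0.1 series before 1.0.1g and the 1.0.2 beta. The Python script below is an added example, not a GFI tool and not code from the original article; it parses the output of `openssl version` and flags builds in that range. The banner strings in it are constructed samples. One caveat a practitioner should keep in mind: Linux distributions frequently backport the fix without changing the version number (so a server can report 1.0.1e and still be patched), so a match here is a prompt to check the package changelog or run one of the scanners mentioned above, not proof of exposure.

```python
import re

# Affected range as stated in the article: OpenSSL 1.0.1 up to and including
# 1.0.1f (fixed in 1.0.1g), plus the 1.0.2 beta series. Earlier branches
# (0.9.8, 1.0.0) never contained the flaw.
AFFECTED_BRANCH = (1, 0, 1)
FIXED_LETTER = "g"          # first unaffected 1.0.1 release
BETA_BRANCH = (1, 0, 2)

# Matches banners such as "OpenSSL 1.0.1f 6 Jan 2014" or
# "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")


def parse_openssl_version(banner):
    """Return (major, minor, patch, letter, tag) from an `openssl version` banner."""
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    major, minor, patch, letter, tag = match.groups()
    return (int(major), int(minor), int(patch), letter, tag or "")


def is_affected_version(banner):
    """True if the banner names a release in the Heartbleed-affected range.

    A True result only means the upstream release contained the bug; distro
    packages may carry a backported fix under the same version number.
    """
    major, minor, patch, letter, tag = parse_openssl_version(banner)
    if (major, minor, patch) == AFFECTED_BRANCH:
        # Letters sort alphabetically: "" (plain 1.0.1) and "a".."f" are
        # affected, "g" and later are fixed.
        return letter < FIXED_LETTER
    if (major, minor, patch) == BETA_BRANCH:
        # The article states the 1.0.2 beta is affected.
        return tag.startswith("beta")
    return False


def triage(banners):
    """Classify several banners; returns a list of (banner, affected) pairs."""
    return [(b, is_affected_version(b)) for b in banners]


if __name__ == "__main__":
    # Constructed sample banners, not output collected from real servers.
    SAMPLES = [
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 0.9.8y 5 Feb 2013",
    ]
    for banner, affected in triage(SAMPLES):
        verdict = "AFFECTED RANGE - verify patch status" if affected else "not affected"
        print(f"{banner:<35} {verdict}")
```

Run it against the output of `openssl version` on each host; anything reported as in the affected range should then be confirmed with the package changelog or a heartbeat scan before being treated as exposed.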
Although many web sites have patched the problem, it’s still very important to change your passwords, because a password used on a vulnerable site may already have been exposed, whether or not the site has since been fixed. But here’s the catch: if you change your password before the site fixes the vulnerability, the new password could be at risk just as the old one was. So do your homework, peruse those lists, and update your passwords after the site owner announces that it’s been patched.
Then when you do change the passwords, make sure they’re strong ones and of course, never ever use the same password for multiple web sites.
Heartbleed and GFI products: Full details can be found in this knowledgebase article.