The Heartbleed Security Bug – Should I Be Worried?
You will have doubtless heard in the media about something called the Heartbleed bug. In a nutshell, it’s a security vulnerability that has affected a vast number of computer servers. But is it something that you personally need to be worried about, and, if so, what should you do about it?
This blog post discusses the Heartbleed security vulnerability in more detail, and aims to give you information and advice on what you might need to do if you’re affected by it, either directly or indirectly.
What exactly is the Heartbleed bug?
Heartbleed is the colloquial name given to a security vulnerability, tracked as “CVE-2014-0160”, in the OpenSSL cryptographic library. The reason it is making headline news in the world’s media is that it is a major security hole in software that is widely used on the Internet to implement the Transport Layer Security (TLS) protocol.
In layman’s terms, if you access a website that uses the TLS protocol (i.e. it has “https://” in the address bar), the underlying software behind that protocol could be vulnerable to attack by the rogue elements of society.
We are often told to make sure that any websites which process or collect personal information from us, such as usernames and passwords, credit card details, address data and so on, use the TLS protocol to encrypt that sensitive information, because any data sent over unencrypted web forms (websites that have “http://” in the address bar) is sent in plain text.
Obviously, if a massive security hole such as the Heartbleed bug exists in this supposedly secure data transmission environment and is known to the world, it has huge implications for a lot of the things we do online on a daily basis, such as online banking, sending and receiving email, and so forth.
Should I be worried about the Heartbleed bug?
In a word, possibly. The one saving grace in this whole saga is that the developers of the OpenSSL cryptographic library released a patch (security update) on the 7th April 2014, and only made the vulnerability public on the same day.
Many well-known online service providers such as Google had been working behind the scenes to update this library on their servers before the announcement. I would recommend visiting the websites of any secure online services you use to find out whether you might have been affected by this security bug.
Can I check if the websites I use have been patched yet?
Absolutely! There are many websites such as Norton Safe Web’s Heartbleed Check that can tell you whether the websites you visit have had their OpenSSL cryptographic libraries patched or not.
For each website you use, all you have to do is type its URL (website address) into the checker and it will instantly tell you whether it is secure or still vulnerable to the Heartbleed bug.
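The online checkers above are aimed at visitors. If you administer a server yourself, the first thing to look at is the OpenSSL version it is running. The Python snippet below is an added example, not code from the original post or from the OpenSSL project: it parses the banner printed by `openssl version` and reports whether that version falls in the range the OpenSSL advisory listed as affected (1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1; 1.0.1g is the first fixed release, and the 0.9.8 and 1.0.0 branches never contained the heartbeat code). The host inventory in the example is constructed sample data. One important caveat, reflected in the comments: some Linux distributions backported the fix without changing the version string, so a banner in the affected range means “check your package updates”, not “definitely vulnerable”.

```python
import re

# Matches the start of an `openssl version` banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.2-beta1 24 Feb 2014". Groups: major, minor, fix, patch letter(s), beta tag.
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_version(banner: str):
    """Split an `openssl version` banner into (major, minor, fix, letter, beta)."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)          # "" for a plain x.y.z release, otherwise "a", "b", ...
    beta = m.group(5)            # "-beta1" etc., or None for a final release
    return major, minor, fix, letter, beta


def version_in_affected_range(banner: str) -> bool:
    """True if the banner's version is one the OpenSSL advisory for CVE-2014-0160 lists.

    Affected: 1.0.1 through 1.0.1f, and 1.0.2-beta1. Fixed: 1.0.1g and later.
    Not affected: every other branch (0.9.8, 1.0.0, 1.0.2 final, 1.1.x, ...).
    Note that distributions which backported the fix keep the old banner, so a
    True result means "verify the package's changelog", not "proven vulnerable".
    """
    major, minor, fix, letter, beta = parse_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # Single-letter suffixes sort alphabetically: "" < "a" < ... < "f" < "g".
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == "-beta1"
    return False


def hosts_needing_review(inventory):
    """Return the hostnames whose reported OpenSSL version is in the affected range.

    `inventory` is an iterable of (hostname, banner) pairs, e.g. collected by
    running `openssl version` over SSH on each machine you manage.
    """
    flagged = []
    for host, banner in inventory:
        try:
            if version_in_affected_range(banner):
                flagged.append(host)
        except ValueError:
            # LibreSSL or an unparseable banner: not covered by this check,
            # so list it for manual review rather than silently passing it.
            flagged.append(host)
    return flagged


# Constructed sample inventory (hypothetical hostnames and banners).
SAMPLE_INVENTORY = [
    ("web-01.example.test", "OpenSSL 1.0.1e 11 Feb 2013"),      # affected range
    ("web-02.example.test", "OpenSSL 1.0.1g 7 Apr 2014"),       # first fixed release
    ("mail.example.test", "OpenSSL 1.0.0l 6 Jan 2014"),         # branch never affected
    ("legacy.example.test", "OpenSSL 0.9.8y 5 Feb 2013"),       # branch never affected
    ("beta.example.test", "OpenSSL 1.0.2-beta1 24 Feb 2014"),   # affected beta
]

if __name__ == "__main__":
    for host in hosts_needing_review(SAMPLE_INVENTORY):
        print(f"{host}: OpenSSL version in affected range, check for updates")
```

Run it as-is to see the two flagged sample hosts, or feed `hosts_needing_review` the real output you gather from your own machines. Pair the version check with your distribution's security advisories before concluding a host is safe.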
Should I change my passwords?
There is some debate about whether you should do this or not. If any of the websites you use are known to have been affected by the bug, you should first determine whether their web servers have been patched by using a Heartbleed vulnerability checker such as the one linked to above.
Once you have confirmed that the site is secure, you should then log in and change your passwords.
The BBC are also reporting a new threat of a cyber-attack.