Sunday, April 20, 2014

Heartbleed!

Week 6

I know I'm a bit late in discussing this topic, but I feel the need to blog about it so that my normal readers get a chance to hear from me on my feelings about it.

First off, let's start at the source, OpenSSL. This is a free and open project that collaborates to develop and implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols along with a general cryptography library. It is run and managed by a community of volunteers who communicate through the Internet (The OpenSSL Project, 2014). In layman's terms, OpenSSL is an open source security library that implements the two protocols (SSL and TLS) used to protect communication across a network; everyone can use this code and, within limits, do what they want with it. This library helps encrypt data while communicating on the Internet.

The downside with this project is that it had flaws to begin with. Supposedly, hackers have been using these flaws and have been able to break into Web sites that run vulnerable versions of OpenSSL. Hackers can take those flaws, find out where users have been on the Internet, create fake Web sites, and then the next time the user goes to that Web site, they actually reach the fake site that the hacker created for them. This then allows the hacker to gain information such as user IDs and passwords (Fung, 2014). This is honestly scarier than it sounds. If you haven't taken steps to combat this bug, you are very vulnerable to it.

People have been navigating the Internet for years under the assumption that they were safe on the sites they visited. This, as we know now, has not been the case. Many popular Web sites are vulnerable to the Heartbleed bug, and chances are you use some of them even today. Sites such as Yahoo, Facebook, Dropbox, Tumblr, Pinterest, Netflix, Amazon, PayPal, Adobe and many more were vulnerable to begin with. Many have added security patches to keep this bug from being used against their users, but many have yet to do so.

There is a great tool out there that will help you determine whether the site you use is safe from the Heartbleed bug. You can go to https://filippo.io/Heartbleed/ and type in the address of the site you wish to check. It will connect to that site and run a scan on it. It will then give you a message. Make sure you read that message: not getting a green message doesn't necessarily mean that it is a bad site.

My suggestion is that if the site gives you a green light, go to that site and change your password. I also recommend that you get into the habit of changing your password once every 2 to 3 months. Yes, that does get tedious, but it will save you in the long run. Also, use passwords that are not easy to guess. My suggestion: use at least 1 capital letter, 1 lowercase letter, 1 number and 1 symbol in your password (if the site allows a symbol; some do not). The more complex you make your password, the safer you are.

A good site to use when testing your password strength is https://howsecureismypassword.net/. You can go there, type your password in, and it will tell you how long it would take a computer to crack your password. It's not 100% accurate, but it at least gives you an idea of how hard your password is to crack. Don't worry, this site does not save your password. It doesn't even know where you will be using this password, nor does it know the user IDs associated with it. You are safe on this site, and the filippo.io checker I linked earlier reports that it is not vulnerable to Heartbleed. Good luck in your quest to better secure your accounts.
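To show what the password rule in the previous paragraphs and the "how long to crack" estimate actually compute, here is a small added example. It is not code from this post or from howsecureismypassword.net; it checks the capital/lowercase/number/symbol rule (with the waiver for sites that don't accept symbols) and then estimates worst-case brute-force time as the size of the character set raised to the password length, divided by an assumed guess rate of 10 billion guesses per second (a constructed figure for illustration; real rates depend on the hash the site uses and the attacker's hardware).

```python
import math
import string

# Assumed attacker guess rate (constructed for illustration; not a measured value).
GUESSES_PER_SECOND = 10_000_000_000


def meets_policy(password: str, symbol_allowed: bool = True) -> bool:
    """Apply the post's rule: at least 1 capital, 1 lowercase, 1 number and 1 symbol.

    When the site does not accept symbols, the symbol requirement is waived.
    """
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if symbol_allowed:
        return has_upper and has_lower and has_digit and has_symbol
    return has_upper and has_lower and has_digit


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def crack_time_seconds(password: str, guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    """Worst-case exhaustive search time: (charset size ** length) / guess rate.

    This is the same kind of estimate a strength-checker shows. It ignores dictionary
    and pattern attacks, which is why such numbers are only a rough guide.
    """
    n = charset_size(password)
    if n == 0:
        return 0.0
    keyspace = n ** len(password)
    return keyspace / guesses_per_second


def describe(seconds: float) -> str:
    """Turn a duration in seconds into a readable unit for display."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2g} {name}"
    return f"{seconds:.2g} seconds"


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ["abc", "Passw0rd", "Passw0rd!", "correct horse battery staple"]:
        print(f"{pw!r:32} policy={meets_policy(pw)!s:5} "
              f"charset={charset_size(pw):3} crack={describe(crack_time_seconds(pw))}")
```

Running the block shows why length matters more than the rule alone: a long all-lowercase phrase gets a far larger estimate than a short password that ticks every box, even though only the short one passes the policy.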


References:

Fung, B. (2014). Heartbleed is about to get worse, and it will slow the Internet to a crawl. Retrieved April 20, 2014 from http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/14/heartbleed-is-about-to-get-worse-and-it-will-slow-the-internet-to-a-crawl/

The OpenSSL Project. (2014). Welcome to the OpenSSL Project. Retrieved April 20, 2014 from http://www.openssl.org/
