aNewDomain.net — Heard about Heartbleed? It’s a bug in OpenSSL. And the vulnerability allows hackers or others with ill intentions to get between browsers and websites. Conceivably, data thieves could get passwords, data, account information, the kind of stuff that OpenSSL cryptographic software was supposed to keep secure.
Heartbleed — it’s named such because the bug is in the so-called Heartbeat extension of OpenSSL, which keeps a secure channel open between servers — has been in the wild since March 14, 2012. No one yet knows whether, or how many times, attackers have exploited it. All experts are advising you do a wholesale password change. And, with this week’s revelation of the two-year-old exploit, it’s time to protect yourself.
Here’s how to protect yourself from Heartbleed and keep your data secure in the process.
First, check to see if your site or other sites you use are vulnerable.
There are a couple of solid sites that will let you know if a site you use has been patched against the vulnerability or is unaffected. The first one is: http://filippo.io/Heartbleed/
Just enter the URL or hostname of a site to test the server for Heartbleed. Its official name, I should add, is CVE-2014-0160.
The second site I recommend is from LastPass at https://lastpass.com/heartbleed/
Just as before, type in the URL of the site you want to check and test it.
Note that you’ll get some false positives on either of these sites, so it’s a good idea to use two to double-check the results. The result you want to see is that a site is fixed or unaffected; then you’ll know it’s safe to use.
Also keep in mind that you need to check if any previously-vulnerable site has updated its SSL certificate.
If a site was vulnerable once, a hacker could have the keys, and the site needs to change them. A good way to check for prior or current vulnerability is at ssllabs.com, which allows you to perform several tests on a site’s SSL certificate security.
Sites like Google and Yahoo have been patched, execs say. Some weren’t affected. For instance, Microsoft isn’t affected by this bug as the company does not use the OpenSSL cryptographic library.
But the majority of sites on the web did use OpenSSL 1.0 at some point in the last two years, which is why you want to change your password.
That said, it’s important to verify the site has been patched before changing your password, otherwise it’s not going to help.
To do that, use the sites I mentioned above.
If both testing sites report a site as vulnerable, I recommend heading to the company’s blog or contacting them directly to see if its servers have been patched.
In fact, over the past few days I’ve been receiving emails from companies announcing to customers that the servers have been patched. Unfortunately, that doesn’t cover you from any security breaches they or you suffered since 2012. Another reason to verify and change passwords, pronto.
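The certificate check above, as an added example that is not part of the original article or of the testing sites it mentions: a small Python script that reads a site’s certificate issue date and flags certificates that predate the April 7, 2014 public disclosure. The hostnames and dates in SAMPLE_CERTS are constructed for the example; fetch_peer_cert needs network access and is not used by the sample run.

```python
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (CVE-2014-0160).
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample certificates, in the dict shape that
# ssl.SSLSocket.getpeercert() returns. Hostnames and dates are made up.
SAMPLE_CERTS = {
    "old.example.test": {
        "subject": ((("commonName", "old.example.test"),),),
        "notBefore": "Mar 15 00:00:00 2013 GMT",
        "notAfter": "Mar 15 00:00:00 2015 GMT",
    },
    "fresh.example.test": {
        "subject": ((("commonName", "fresh.example.test"),),),
        "notBefore": "Apr 10 09:30:00 2014 GMT",
        "notAfter": "Apr 10 09:30:00 2015 GMT",
    },
}

def not_before(cert):
    """Parse the certificate's notBefore field into a UTC datetime."""
    secs = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def classify_cert(cert, cutoff=HEARTBLEED_DISCLOSED):
    """Return 'issued-after-disclosure' or 'predates-disclosure'.

    A date after the cutoff only shows the certificate was replaced; it does
    not prove a new private key was generated, so treat it as a prompt to
    confirm with the site, not as proof that the old key is out of use."""
    if not_before(cert) > cutoff:
        return "issued-after-disclosure"
    return "predates-disclosure"

def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch the live, verified certificate for hostname (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def report(certs_by_host, cutoff=HEARTBLEED_DISCLOSED):
    """Map each hostname to the verdict for its certificate."""
    return {host: classify_cert(cert, cutoff) for host, cert in certs_by_host.items()}

if __name__ == "__main__":
    for host, verdict in report(SAMPLE_CERTS).items():
        print(f"{host}: certificate {verdict}")
```

To check live sites, build the dict with fetch_peer_cert for each hostname and pass it to report.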
Next, set your browser to help protect you from Heartbleed …
You can set your web browser to help you figure out if a site’s SSL certificate has been revoked.
In Google Chrome, just head to Settings > Advanced Settings and scroll down to the HTTPS/SSL header. Tick the box next to Check for server certificate revocation.
Got IE? In Internet Explorer, head to the Security section and verify that Check for server certificate revocation is checked. It should be by default. If it’s not, check it. Then restart your computer to put it into effect.
If you want to know which popular sites have been patched — and if you need to change your password — check out this excellent running list from Mashable.
For more in-depth information on this vulnerability, check out heartbleed.com, the site created by the coders who revealed Heartbleed. Also, read Mat Lee’s deep dive on Heartbleed here.
For aNewDomain.net, I’m Brian Burgess.
Based in Pelican Rapids, MN, Brian Burgess led the relaunch of BYTE with Gina Smith, co-founded aNewDomain.net with Gina, John C. Dvorak and Jerry Pournelle in 2011, and serves as the editor-in-chief of GroovyPost.com. He is the How To gallery captain here at aNewDomain.net. Email him at Brian@aNewDomain.net or Brian@Groovypost.com and find him on Google+ and on Twitter as @mysticgeek.
If a “test” gives false positives then it has zero use or value IMNSHO.
[…] For a nice summary of what the end user should do to protect themselves from Heartbleed, see the always great Brian Burgess, who crafted this gem recently: aNewDomain.net/2014/04/10/protect-heartbleed-guide-gallery […]