Heartbleed – The Basics

There has been a lot of publicity recently about the Heartbleed Bug, but a lack of basic explanation of how it affects people and what they can do about it. The advice and information given out by security companies should be considered more expert than this page, but this is an attempt to make the information more accessible to the non-technical.
A Q&A page answering some questions about the bug can be found here: http://heartbleed.com/ . It may, however, be too technical to be useful to many.

OpenSSL is the software used by many, but not all, websites to encrypt data and protect it while it is being transmitted. The bug makes it possible for someone to read data that is encrypted by affected versions of OpenSSL, because it allows the keys used to encrypt that data to be compromised. The vulnerable versions of OpenSSL have been in use for a couple of years, so many sites around the web are affected.

What can you do?

There is a limit to what you as a user can do to protect yourself from this, because the problem lies mainly at the website end rather than on your computer (although routers and other devices can also be affected). However, if you want to be as safe as possible you can change your passwords for affected sites. This only helps if the site in question has already fixed the bug by updating its version of OpenSSL, so go to the website and check first, or consult the lists mentioned below. Changing your password before the site has been fixed is wasted effort.

To find out whether a particular site is vulnerable, users of Mozilla Firefox can download and install an add-on that automatically checks sites, from here: https://addons.mozilla.org/en-US/firefox/addon/heartbleed-checker/

Other users can test whether a site is vulnerable or has been fixed by going to this site: https://lastpass.com/heartbleed/ and entering the address of the site in question.

Check the organisations with which you hold sensitive information, i.e. banks, social media and email. If they were affected but have now issued a fix, change your password. If they are affected but haven’t patched, there’s not a lot you can do yet. A list of many major websites and whether they are affected can be found here: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Home routers can also be affected, so it is worth checking the website of the manufacturer of your router to see if it is affected and if there is an update for the router firmware available.

Some websites have been proactive about informing their users of the dangers of Heartbleed, often by emailing them and asking them to change their passwords. It is important that you do not let this override the advice you may already have been given not to click on links in unsolicited email. It is very bad practice (although some sites, including Mumsnet, have done it) to email users and ask them to click on a link to change their password. Do not click on these links. Go to the site in question and change your password from there. It would not be at all surprising to see senders of spam and “phishing” emails sending out fake emails over the next few weeks that claim to be legitimate requests to change your password, in an attempt to get you to give it away. If in doubt, hover the cursor over the link and the real destination will be shown in a small pop-up box, or in the bar along the bottom of your browser or mail client window. If it doesn’t look right, or you are in any doubt, you should never click a link in an email.

That’s about all you can do. I hope this helps!