
What Heartbleed Is & What To Do About It
Est. reading time 4 minutes
There's been a lot of news lately about the Heartbleed website security breach, which has been leaking large amounts of sensitive online information from websites around the world. There are even comics about it. But what exactly is Heartbleed, and why is it so serious? What can you do to protect yourself from it?
We're going to do our best to explain it.
What is Heartbleed?
To understand what Heartbleed is, first you need to know about SSL/TLS. SSL and TLS are the two most common kinds of connections that web servers form with your computer to keep information exchanged over the internet secure and private. SSL and TLS are known as cryptographic protocols, which is a fancy way of saying that they each use a list of security reinforcements—such as encryption and authentication—to protect your data.
SSL and TLS have a lot of different settings and variations, such as the cipher, key size, and so on. (Most website security information pages will tell you the key size they use, which you'll see listed as 128-bit, 64-bit, etc.) These determine how scrambled your information is. SSL and TLS can also be implemented on websites using collections of code called "libraries" that allow programmers to install it in a certain way.
Heartbleed is specifically found in the OpenSSL library. Because it's free to use and very customizable, a lot of web servers have used this library over the years. OpenSSL in turn uses something called the TLS Heartbeat Extension, which is a bit of code that helps two computers—the web server and your computer, for example—stay in sync when exchanging information. "Heartbleed" is the name used to describe a bug in that extension: an error in the code that makes it so that, every time a "heartbeat" (synchronization signal) is shared between two computers, the computer using OpenSSL can leak up to 64kB of random information in its memory.
(XKCD gives a good example of the bug in execution.)
Why is it so bad?
The random nature of the memory leaked by Heartbleed makes it difficult to determine what exactly has been revealed, and from where. Discovered leaks have been determined to contain anything from individual account passwords, to e-mails and private messages, to security keys that could enable hackers to decode any bit of secure information on a given server.
A "patch", or fix, for the bug has been created, but it still needs to be applied individually to each website by the people in charge of each site's web server. And even once the bug has been fixed, there's a remaining problem:
Heartbleed has existed since December 31, 2011, and was widely spread across the internet on March 14, 2012. Estimates say that half a million websites, or roughly 17% of all websites on the internet, were vulnerable to the bug. If you logged in to one of those websites even once during that time period, your account information on that website could be compromised.
That's a lot of leaked information.
What can I do about it?
So what can you do to protect yourself? There's no way to retrieve the data that was leaked, and the Heartbleed bug itself can only be repaired by the programmers in charge of each website's server. (Rest assured that almost all of them are scrambling to get it patched right away.)
As a user on the internet, you can minimize the ongoing damage by identifying your level of risk, re-securing your accounts, and spreading the word. Just follow these 4 steps:
- Write (or type) a list of all of the websites that you've logged into since the start of 2012, particularly ones where you have accounts that contain sensitive information (make sure to include your e-mail providers as well). Write down the address that's used to log in, as well as the main domain name: for instance, if you have Shaw email, you'd want to list both shaw.ca and webmail.shaw.ca.
- Run each website address through LastPass's Heartbleed Checker. The checker will tell you if the site is currently vulnerable, was previously vulnerable and has since been fixed, was never vulnerable, or if it isn't sure either way.
- If a website is currently vulnerable or the checker isn't sure, contact that website's customer support or IT, and ask whether they're aware of the Heartbleed bug and what steps they're taking to fix it. Once you're sure that it's been fixed, log in and change your password (there's no point in doing it before the bug is repaired).
You can also log in and delete your account with that site, though there's no guarantee that this will protect your account data from the leak (it depends on how the website handles deleted account data).
- If a website was previously vulnerable and has since been fixed, log in and change your password. If you have accounts on other websites that share the same password as the one on the previously vulnerable site, change those too (and make them different this time!).
- If a website was never vulnerable, there's no problem (with Heartbleed, anyway) and you can carry on to the next site.
- If a website is currently vulnerable or the checker isn't sure, contact that website's customer support or IT, and ask whether they're aware of the Heartbleed bug and what steps they're taking to fix it. Once you're sure that it's been fixed, log in and change your password (there's no point in doing it before the bug is repaired).
- When changing passwords, try to come up with ones that are long (a minimum of 8 characters), unique (only used by you on that one website), and diverse (containing at least one number, both uppercase and lower case letters, and symbols and spaces if possible). Most people find it easiest to meet these requirements by using whole sentences for their password. (Ones that use names or nonsense words are even better.)
If you find it hard to remember new passwords for so many accounts, consider installing a program like LastPass or KeePass, which keeps a secure list of passwords on your computer.
- Pass these steps along to your friends, family, and coworkers. Even if your accounts aren't compromised, if someone else has put sensitive information about you in their account, you are also vulnerable if their account is compromised.
Follow those steps and you'll have done all you can do to protect yourself from the Heartbleed leak. If you have any further questions about how Heartbleed works or would like to discuss the topic with us, feel free to hit us up on our social media channels.
EDIT: If you use Chrome to browse the internet, there's an extension called Chromebleed that has just been released. It automatically monitors websites you visit for the Heartbleed bug, and alerts you if they're vulnerable.