Security Alert: Many Secure Websites Found Vulnerable

On April 7th, the computer security community had its hair set on fire with an announcement of a new website security vulnerability called the Heartbleed bug.

This is not a technical article, but the broad strokes are important to understand.  Secure websites are protected by a technology called SSL.  Nearly 18% of the websites out there are (or were) running a version of SSL that contained a bug.  This bug allowed attackers to decrypt any information passed to or from the website.  So, for instance, if you were doing online banking with a company that was susceptible to this, if someone could watch of capture your website traffic, they could then decrypt that traffic and read what they wanted.  This may include usernames, passwords, bank account numbers and any other information that you read from, or passed to, that server.  This vulnerability popped up over 2 years ago, so it has been “in the wild” for long enough to be a strong concern.

The total number of websites affected by this bug is estimated at about half a million, including Yahoo!, OK Cupid, Dropbox, Flickr, and Twitter, Tumblr, and Regents bank

[learn_more caption=”Click here for technical details”] The Heartbleed bug affects OpenSSL versions 1.0.1 through 1.0.1f and was introduced in December, 2011.  The vulnerability was introduced with the inclusion of a heartbeat extension. If exploited, the bug will leak a random 64KB chunk of memory from the server.  It can be run multiple times, eventually finding the SSL private key– a.k.a. the keys to the cryptographic kingdom.  This is a non-intrusive exploit, so there is no way to detect whether a server has been compromised or not. Go to http://heartbleed.com for a detailed analysis and thorough FAQ.[/learn_more]

Does this affect my company’s website?

If your website does not offer encryption, then you do not need to worry.  Put another way, if you cannot get to your website by putting “HTTPS://” in front, then you do not need to worry.  If you do offer encryption of your website, then beware.  Here are the steps you need to take to protect your website security:

  1. Test your websiteGo here for a free test. It will grade your SSL security, and tell you if your site is vulnerable to the Heartbleed bug.
  2. If you find your site does have this vulnerability, fix it immediately!  If your website is hosted by a major company, call them and demand they fix it.  The bottom of this page has a list of web server vendors and their instructions on how to fix the problem.
  3. Once fixed, generate new encryption keys and revoke your old ones.  Update your website so you are only using the new keys.  Do this whether you think you’re safe or not.
  4. Alert your users and request or force them to change their passwords on your site.  Alert them of the risk to personally identifiable information.

Does this affect me?

There is a good chance that the answer to this question is YES.  This is a very serious bug that has been exploitable for over two years, so put this in the “better safe than sorry” category.  The better websites out there will be alerting their users about this issue, but don’t trust them to be proactive.  Take the following steps yourself to ensure your protection.

  1. Test the websiteGo here for a free test.  Test your online banking website, your credit card website, your online dating site, anything where you have to put in a username and password and where you keep important information.
  2. If it is vulnerable, don’t log in.  Wait until they have fixed the problem.  Keep an eye on their blog or Twitter feeds for updates.  Or call them and ask.
  3. Once they have fixed the problem, change your password.  See our article on what makes a good password, and how to create strong passwords that are easy to remember.  If you have used this password anywhere else, change it everywhere.  Consider it compromised.
  4. Think about other services that use encryption, not just websites, such as email and instant messaging. All of these use SSL encryption and it is not as easy to test those on your own.  Call your vendors and ask if this bug has affected them.  I have already contact our hosted Exchange provider and confirmed they are not susceptible to this, not should most Exchange providers.  But if you use POP or IMAP email, strongly consider contacting your email provider and confirming.

Check back soon

We will be keeping a close eye on this over the next few days and updating this blog post with any new information.  Please check back for updates.  If you are concerned about something and are not sure what to do, contact us or leave a comment below and we will respond promptly.

UPDATE – APR 10Here is another good site to check if a site is now, or was previously, vulnerable to this.  And if you don’t have the time or inclination to do the work for yourself, check out this site, which has a list of the most popular sites on the web and whether they were vulnerable.

UPDATE – APR 10: According to ZDNet, Google, Amazon Web Services, and Centurylink were all susceptible to this bug.  There is also some evidence that this bug was actually used and exploited several months ago, before it was known about publicly.  Security researchers are calling this an 11 on a scale of 1-10.  I don’t want to cry wolf here and tell you that everything you have done in the last two years is in the public domain now, I’m quite certain that’s not the case.  But do change your passwords everywhere.  You know you should be doing it anyway.  There is no better time or excuse than this.