A security flaw now known as the Heartbleed Bug, because of the specific feature it exploits (called Heartbeats), was discovered by the security community recently. In this post I will give a brief explanation and a list of some vulnerable sites that you should be aware of, but first, thankfully, I can provide some reassurance.
www.fostering.net is safe from the Heartbleed Bug.
The operating system on our server is a version without this vulnerability, and your private data is still secure.
I’ll go into a bit more detail about this bug below.
What is SSL?
SSL - Secure Socket Layers - is a common method of encryption. The best analogy I have seen to describe SSL is this:
You have some sensitive information you want to give to somebody without anybody else seeing it. You could write it down on a piece of paper and hand it over, but if anybody was watching from nearby they would easily be able to see what you wrote. Instead, the safer option would be to use a locked container to which only you and the intended recipient have keys. You place your sensitive data in the container, lock it, and pass it over. The recipient then unlocks the container with their matching key. The eavesdropper might see the container being passed between you, but cannot see the contents inside.
An SSL certificate is essentially a way to securely identify a recipient and confirm that, yes, they should have the other key to your locked container.
You can check our SSL certificate by clicking on the little lock icon in the address bar when visiting https://www.fostering.net.
What is the Heartbleed Bug?
The Heartbleed Bug is a weakness in a feature called Heartbeats, which was added to the popular OpenSSL software in 2012.
It undermines the security provided by SSL encryption not by cracking the encryption directly and listening to communications from the start, but by giving an attacker access to the memory of the server. From there, the attacker can find not only recently received data and content, but also the private keys to the site's SSL encryption. This would allow the attacker to eavesdrop on future communications indefinitely, and also to impersonate the targeted site by mimicking its SSL certificate.
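To make the "access to the memory of the server" point concrete, here is an added toy model (not OpenSSL's code, and not from the original post) of the bounds check that the Heartbleed fix introduced. A heartbeat message carries its own payload length field; the bug was trusting that field without checking it against the number of bytes that actually arrived, so a reply could be built from whatever sat in memory after the request. The "memory" bytes, the request, and the function names below are all constructed for illustration; the message layout follows RFC 6520 (type, two-byte length, payload, padding).

```python
"""Toy model of the TLS Heartbeat length check behind Heartbleed.

Everything here is constructed for illustration: the 'memory' bytes, the
request, and the helper names are assumptions, not OpenSSL's own code.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MAX_PAYLOAD = 16384   # RFC 6520 upper bound for a heartbeat payload
PADDING = 16          # RFC 6520 minimum padding after the payload
HEADER = 3            # type (1 byte) + payload_length (2 bytes)


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request; claimed_length lets a test lie about the size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING


def vulnerable_respond(memory: bytes, offset: int) -> bytes:
    """Pre-fix behaviour: trust the claimed payload_length and copy that many
    bytes starting at the payload, including whatever happens to follow it."""
    _hb_type, claimed = struct.unpack_from("!BH", memory, offset)
    payload_start = offset + HEADER
    # No check that 'claimed' bytes were actually received: this is the bug.
    echoed = memory[payload_start:payload_start + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed


def patched_respond(memory: bytes, offset: int, record_length: int) -> Optional[bytes]:
    """Post-fix behaviour: discard any request whose claimed payload_length does
    not fit inside the bytes that actually arrived (header + payload + padding)."""
    if record_length < HEADER + PADDING:
        return None  # too short to be a well-formed heartbeat at all
    _hb_type, claimed = struct.unpack_from("!BH", memory, offset)
    if claimed > MAX_PAYLOAD or HEADER + claimed + PADDING > record_length:
        return None  # silently drop, as the fix does
    payload_start = offset + HEADER
    echoed = memory[payload_start:payload_start + claimed]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed


def demo() -> dict:
    """Run one honest and one over-claiming request against both handlers."""
    honest = build_heartbeat(b"ping")                    # claims 4 bytes, sends 4
    lying = build_heartbeat(b"ping", claimed_length=64)  # claims 64 bytes, sends 4
    # Constructed 'server memory': the request followed by unrelated session data.
    tail = b"session_cookie=abc123; private_key_fragment=CONSTRUCTED_SAMPLE"
    return {
        "honest_vulnerable": vulnerable_respond(honest + tail, 0),
        "honest_patched": patched_respond(honest + tail, 0, len(honest)),
        "lying_vulnerable": vulnerable_respond(lying + tail, 0),
        "lying_patched": patched_respond(lying + tail, 0, len(lying)),
    }


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name}: {reply!r}")
```

The honest request is answered identically by both handlers; the over-claiming one gets a reply full of the adjacent "session" bytes from the vulnerable handler and nothing at all from the patched one. Detection of the real thing on a server relies on exactly this mismatch: a heartbeat record whose length field exceeds the record that carried it.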
Which sites were affected?
The folks over at Mashable have compiled a list of affected popular sites and are trying to help you decide whether or not you should change your password. (This is based on a script written by someone going by the name musalbas, and you can check their full list of 10,000 sites if you want to.)
Some sites may no longer be vulnerable.
Here are some of the biggies:
If you took up the suggestion in my last security blog and installed LastPass to manage your passwords, you’ll be pleased to know that they’ve already added the Heartbleed Bug to their Security Check. This security check includes information about whether or not a site has updated their SSL certificate.
What can you do?
Peruse the list of sites above (or use control+F to search for specific sites), or use the LastPass Security Check to find out which sites that you use have been made vulnerable by the Heartbleed Bug. Then, keep an eye on announcements from those sites - or email them directly and enquire - to find out when they’ve patched up the vulnerability and renewed their SSL certificates. Remember that it’s not until the SSL certificates are renewed that security is guaranteed. If somebody stole the keys to that secure box when the vulnerability was open for exploitation, they will still have them once that vulnerability has been fixed.
Once you can confirm that the site has both applied patches to remove the Heartbleed Bug and renewed their SSL certificates, it should be safe to change your login information. The good news is that the ‘bigger’ the site is, the more likely it is that they’ll act quickly. Some sites may already be completely safe again!
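The advice above boils down to one check you can automate: was the site's current certificate issued after the bug became public? Here is an added Python helper (my own example, not code from this post or from LastPass) that reads the `notBefore` date from a certificate in the shape Python's `ssl.SSLSocket.getpeercert()` returns and compares it with the Heartbleed disclosure date (7 April 2014, a fact not stated in the post). The two sample certificates are constructed; the live-fetch function needs network access and is only there to show where a real certificate would come from.

```python
"""Check whether a site's certificate was issued after Heartbleed went public.

Sample certificates below are constructed for illustration; the disclosure
date is the publicly known one and is an assumption of this example.
"""
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure of Heartbleed: 7 April 2014 (assumed here, not from the post).
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_issued_after(cert: dict, cutoff: datetime = HEARTBLEED_DISCLOSURE) -> bool:
    """True if the certificate's notBefore date is later than the cutoff.

    `cert` uses the dict shape returned by getpeercert(), where 'notBefore'
    looks like 'Apr  9 00:00:00 2014 GMT'.
    """
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc
    )
    return issued > cutoff


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch and verify the live certificate (needs network; not used offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape.
OLD_CERT = {
    "subject": ((("commonName", "old.example.test"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2016 GMT",
}
RENEWED_CERT = {
    "subject": ((("commonName", "renewed.example.test"),),),
    "notBefore": "Apr 10 08:30:00 2014 GMT",
    "notAfter": "Apr 10 08:30:00 2016 GMT",
}


if __name__ == "__main__":
    for cert in (OLD_CERT, RENEWED_CERT):
        name = cert["subject"][0][0][1]
        verdict = "renewed after disclosure" if cert_issued_after(cert) else "still pre-disclosure"
        print(f"{name}: {verdict}")
```

Two caveats a practitioner should keep in mind. A fresh `notBefore` date only tells you a new certificate was issued, not that the site generated a new private key; a certificate re-signed over the old key would pass this check while leaving a stolen key usable, so a change in the certificate's public key (or its fingerprint) is the stronger signal. And a site that was never running a vulnerable OpenSSL build has no reason to renew at all, so an old date on its own is not proof of a problem.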