Dennis Pelton / Digital Strategy / April 10th, 2014

Is My Website Safe from the Heartbleed Exploit?

Right now, you can’t browse too far on the internet without seeing something about Heartbleed, but what is Heartbleed – other than frenzied media headlines about two-thirds of the Internet being dangerous?

Let me put you partially at ease: Heartbleed is a recently discovered bug in the open source cryptography library OpenSSL, which is used to encrypt secure data on about 66% of the Internet. And yes, it is just as serious as everyone is saying. The exploit uses a programming error in the library’s heartbeat extension to force a remote server to send a random 64 KB of its memory back to the attacker.

So why is this a big deal? Well, for hackers, this is like pulling a random puzzle piece out of a box. Realistically, there’s only a very small chance that you’d grab a piece with something useful on it, but if you do it over and over again, you’re bound to get something you want eventually.
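The programming error behind the puzzle-piece analogy is a missing bounds check: the heartbeat handler trusted the length field the client sent and copied that many bytes back, even when the request was much shorter. The following is an added example, not code from the article or from OpenSSL itself, that parses a heartbeat message laid out as in RFC 6520 (type byte, two-byte payload length, payload, at least 16 bytes of padding) and applies the check the fix introduced. The function and field names, and the two sample records, are constructed for illustration; the same check is what a network sensor would apply to flag malformed heartbeat requests.

```c
/* Added example (not from the article or from OpenSSL): a minimal TLS
 * heartbeat parser that performs the bounds check the Heartbleed fix added.
 * Names and sample data are constructed for this illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

typedef struct {
    uint8_t        type;
    uint16_t       payload_length;
    const uint8_t *payload;
} heartbeat_t;

/* record_len is the number of bytes actually received for this message.
 * Returns 0 on success, -1 if the message is malformed. */
int heartbeat_parse(const uint8_t *record, size_t record_len, heartbeat_t *out)
{
    /* Must hold at least the type byte, the length field and the padding. */
    if (record_len < (size_t)1 + 2 + HB_MIN_PADDING)
        return -1;

    uint8_t type = record[0];
    if (type != HB_REQUEST && type != HB_RESPONSE)
        return -1;

    uint16_t payload_length = (uint16_t)((record[1] << 8) | record[2]);

    /* The Heartbleed check: the declared payload, its framing and the padding
     * must all fit inside the bytes that were really received. The vulnerable
     * code skipped this and copied payload_length bytes from adjacent memory. */
    if ((size_t)1 + 2 + payload_length + HB_MIN_PADDING > record_len)
        return -1;

    out->type           = type;
    out->payload_length = payload_length;
    out->payload        = record + 3;
    return 0;
}

/* Build the echo response for a valid request. Returns the number of bytes
 * written, or -1 if the request is invalid or the output buffer is too small. */
int heartbeat_respond(const uint8_t *record, size_t record_len,
                      uint8_t *out, size_t out_len)
{
    heartbeat_t hb;
    if (heartbeat_parse(record, record_len, &hb) != 0 || hb.type != HB_REQUEST)
        return -1;

    size_t need = (size_t)1 + 2 + hb.payload_length + HB_MIN_PADDING;
    if (need > out_len)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(hb.payload_length >> 8);
    out[2] = (uint8_t)(hb.payload_length & 0xff);
    memcpy(out + 3, hb.payload, hb.payload_length);
    /* Real TLS fills the padding with random bytes; zeros keep the demo simple. */
    memset(out + 3 + hb.payload_length, 0, HB_MIN_PADDING);
    return (int)need;
}

/* Constructed sample records, not captured traffic. Both are 23 bytes long:
 * a 4-byte payload "ping" plus 16 bytes of padding. The second one claims a
 * 65535-byte payload, which is the shape of a Heartbleed request. */
static const uint8_t SAMPLE_GOOD[23] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t SAMPLE_BAD[23] = {
    HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int check_sample_good(void)
{
    heartbeat_t hb;
    return heartbeat_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &hb);
}

int check_sample_bad(void)
{
    heartbeat_t hb;
    return heartbeat_parse(SAMPLE_BAD, sizeof SAMPLE_BAD, &hb);
}

/* Length of the response produced for a record, or -1 if it was rejected. */
int respond_length(const uint8_t *record, size_t record_len)
{
    uint8_t buf[64];
    return heartbeat_respond(record, record_len, buf, sizeof buf);
}

int main(void)
{
    printf("well-formed request : parse=%d response_len=%d\n",
           check_sample_good(), respond_length(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("oversized length    : parse=%d response_len=%d\n",
           check_sample_bad(), respond_length(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```

The well-formed request parses and gets a 23-byte echo; the request that declares 65535 bytes of payload inside a 23-byte record is rejected instead of being answered with whatever happened to sit next to it in memory.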

And unfortunately, the exploit only affects sites with data that needs to be secured.


Should I Freak Out? I Feel Like I Should Freak Out

The one caveat of Heartbleed is that it only returns what is in memory, which is what the server is processing at that exact moment. This is useful because it means that if you’re not actually using a site when a hacker is doing this, your data is still secure. A hacker would need to be exploiting this bug while you were logging in or entering your credit card information.

In fact, only 45 of the top 1000 trafficked websites are still vulnerable to the exploit – but that list includes sites like Yahoo.com and Imgur.com, so you should be careful on any website. However, many popular sites have installed patches to fix the exploit, so you can feel free to visit them and reset your passwords.

So no, you don’t need to freak out or tell your grandparents to unplug anything with circuitry. However, for the next few weeks, you should be careful what you are sending out on the Internet. Maybe don’t check your online banking every hour to see if that last charge has gone through yet. And you probably don’t need to order that kitty potty training kit this month. Simple things like these can minimize your chances of being affected by this exploit.

What About My 352-Hosted Website?

The good news is, if you’re hosting with 352, you’re already safe, and you have been all along. At 352, we use SChannel for our SSL and TLS cryptography instead of OpenSSL, so this exploit will not affect clients hosting with us at all. If you’re not hosting with 352, you will need to check with your current host to see if their environment is affected by this bug.

What’s Next?

As this bug becomes more widely known, more and more tools are being created to identify sites that are vulnerable to it. If you’re unsure of a site’s security, or you didn’t see your site on the list above, you can use this Heartbleed vulnerability scan.

In the meantime, be careful about sharing personal information – and try not to change any passwords until you are sure a site is secure or you get an all-clear message from an important site like your bank or investment account. If you change a password while a hacker has an active connection to a site, you may just be handing them your new password and then feeling secure for the future.

  • http://www.themanningfam.com Brian Manning

    Great Article! Very well put! 🙂

  • http://www.wimpyprogrammer.com/ Andrew Keller

    Far more troubling is the speculation from security professionals that the leaked memory contents may include the private key of the SSL certificate, allowing a malicious party to intercept and decrypt secure packets.

    Moreover, someone who has collected secure packets in the past can retroactively decrypt them (probably no more than a year’s worth) using the stolen private key. Not to sound like a crackpot, but the NSA is known to be tapped into backbone Internet lines (see Room 641A) and is likely storing data that they can’t read yet. The exposure of private keys could open a wealth of information to them, even if the affected SSL certificates are revoked and reissued. This is why browsers and servers that support Perfect Forward Secrecy are increasingly necessary.