The Confusing OpenSSL Heartbleed Vulnerability



OpenSSL HeartbleedHopefully by now you have heard about this bug that was announced on April 8th, 2014. If not I suggest that you spend a little time reading about it while it’s still fresh in the news.

OpenSSL is used to encrypt data that passes from one computer or server to another. It’s widely used by various websites and providers. From email, to online orders, financial transactions, etc. This would involve the little padlock secure connection icon that you see in your web browser associated with https secure addresses.

Basically this bug allows someone to extract unencrypted chunks of data that’s supposed to be encrypted. They might not get anything useful, but they may get lucky enough to get a username and password, or other sensitive data.

The confusing part is trying to figure out if a website or service is affected or not. From what I gather this vulnerability is only present in OpenSSL version 1.0.1 – 1.0.1f. Apparently the previous version 0.9.8 is not affected.

Many servers don’t use OpenSSL at all like Microsoft’s IIs. So if you happen to be using some form of service or website powered by one of these it would be immune.

There are also other options to OpenSSL that could be in use, which would also be immune.

According to the experts around 66% of websites do use OpenSSL. However, they don’t clearly state whether that is in general or the vulnerable version in particular. I do know there are a lot of sites that use the unaffected 0.9.8 version yet.

If a particular website or provider is vulnerable you are supposed to change your account password after they apply the fix. Doing so beforehand would be useless and a waste of time.

Trying to figure out what sites may have been affected and whether or not they have patched their servers and regenerated new secure keys is a difficult task.

Some experts are saying you should change your password everywhere. While others say this is only necessary if you hold an account at specific websites. The problem is they only mention what you should do if you have an account at a more popular site.

twitter-openssl-results

You can use the following online tests to check assorted sites to see if they have been updated:
http://filippo.io/Heartbleed/
https://www.ssllabs.com/ssltest/
http://rehmann.co/projects/heartbeat/

There was a recent article over at MSN that claimed that the Heartbleed bug could potentially affect corporate networks and home networks since certain products use OpenSSL encryption like wireless routers for example. More information on this one here: Heartbleed bug spreads to routers and other gear.

The disappointing thing about this bug is that it was in the wild for around 2 years before it was discovered.

As tedious as it may be, I personally don’t see a problem with changing your password at various websites and providers just in case. However, you do want to make sure that it has been patched before doing so.

There are also lists published of what you should do if you use certain services. Here are a couple that you can check if interested:
http://www.bbc.com/news/technology-26971363
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Things to keep in mind:
When things like this happen you may get phishing emails that are trying to trick you into changing your password by entering a bogus website and coughing up your login details. Never click on the links in these things even if they look legit. Always go directly to a website to login.

About: Jeremy LeSarge - AKA: Ray (191 Posts)

I am the site owner and administrator of DialMe.com. I provide help and tips for Boonex Dolphin on the main part of this website where you will also find an assortment of other resources. Here, on the blog I write about a variety of topics surrounding WordPress, technology, social media/networking, SEO, and webmaster resources.