Are You Safe From Heartbleed?
As companies have rushed to find out if they’ve been affected by Heartbleed, and what to do if they were, I’m sure you’ve received emails or read articles about how to protect yourself from this security flaw.
And the question most people have is simply "Is my website safe?" And if your website was built with CelebritySites, we’re happy to assure you that it is! So, if your clients have been asking if their information is safe with your site, you can confidently tell them that your site is secure and their data is safe!
Now that we’ve been able to assure you that your website is safe, let’s talk about what Heartbleed is, and how it happened. Essentially, Heartbleed is a coding flaw in the heartbeat (hence the name) extension of the OpenSSL library. An attacker exploits it by sending the server a malicious heartbeat request that asks for more information than it needs, which exposes additional memory on the server.
While the hackers can’t control the information they receive, they could end up with anything from encryption keys that allow them to read data to information like usernames, passwords, and credit card numbers. What they receive can also allow them to impersonate a user.
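To make the flaw concrete, here is a simplified C model of a heartbeat handler, with the unchecked behaviour beside the length check that fixes it. This is an added example, not OpenSSL's code; the message layout follows RFC 6520, and the function names and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING 16  /* minimum padding after the payload (RFC 6520) */

/* Constructed sample: a 6-byte request claiming a 20-byte payload but carrying
 * only "hi!", followed by unrelated data standing in for server memory. */
static const uint8_t BAD_MEM[] = {
    0x01, 0x00, 0x14, 'h', 'i', '!',
    'C','O','N','S','T','R','U','C','T','E','D','-','S','E','C','R','E','T','!','!' };
#define BAD_REC_LEN 6

/* Constructed sample: an honest 22-byte request (3-byte payload, zero padding). */
static const uint8_t GOOD_MEM[22] = { 0x01, 0x00, 0x03, 'h', 'i', '!' };
#define GOOD_REC_LEN 22

/* Builds the echoed payload. validate=0 models the flaw (trust the length
 * field); validate=1 models the fix (compare it with what was received). */
size_t heartbeat_echo(const uint8_t *mem, size_t mem_len, size_t rec_len,
                      int validate, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER || rec_len > mem_len) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (validate && HB_HEADER + claimed + HB_PADDING > rec_len)
        return 0;                       /* drop the malformed request */
    /* Clamps exist only so this demo never reads outside its own array. */
    if (claimed > mem_len - HB_HEADER) claimed = mem_len - HB_HEADER;
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, mem + HB_HEADER, claimed);
    return claimed;
}

/* How many echoed bytes came from beyond the record that was received. */
size_t leaked_bytes(size_t echoed, size_t rec_len)
{
    size_t received = rec_len > HB_HEADER ? rec_len - HB_HEADER : 0;
    return echoed > received ? echoed - received : 0;
}

int main(void)
{
    uint8_t out[64];
    size_t n = heartbeat_echo(BAD_MEM, sizeof BAD_MEM, BAD_REC_LEN, 0, out, sizeof out);
    printf("unchecked: echoed %zu bytes, %zu leaked\n", n, leaked_bytes(n, BAD_REC_LEN));
    n = heartbeat_echo(BAD_MEM, sizeof BAD_MEM, BAD_REC_LEN, 1, out, sizeof out);
    printf("checked:   echoed %zu bytes\n", n);
    return 0;
}
```

With the check in place the oversized request is dropped, while the honest request is still echoed in full.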
While the developer insists it was an accident (and we don’t even know if anyone with malicious intent knew about or was able to manipulate the bug before discovery), there are a few known instances of the bug being exploited before patches were installed. For example, a 19-year-old Canadian was arrested this week for using the flaw to steal around 900 Canadian Social Security numbers.
The vulnerability may have existed for up to two years, and is said to have affected around 2/3 of the Internet, including major sites like Pinterest, Google, and Yahoo. While the majority of sites have reportedly been patched, you can double-check sites you’re concerned about via a tool from LastPass.
As for the question of whether or not you need to rush to change all your passwords, the answer is that it depends. If a site hasn’t been patched, the odds are that changing your password now won’t do you much good. If an affected site has been patched, the answer still varies. For instance, Google says you don’t need to change your password, while Pinterest is saying they’ll be in contact with any users they think may be vulnerable. Mashable has a handy guide that compiles responses on how to proceed from some of the Internet’s most popular sites.
Heartbleed was discovered by three security engineers from Codenomicon, as well as a researcher from Google Security.