Heartbleed – what is it?

April 11, 2014 at 11:16 am | Posted in Economoney, Internet, Media, Online services, Security, Software, Web Apps
When you log into a secure web site and get “https” and a lock symbol, what you transmit is secure, right? Maybe. About 2/3 of the web uses OpenSSL, and it has recently been discovered that it has had a bug for about 2 years.
“Heartbleed has the potential to be one of the biggest, most widespread vulnerabilities in the history of the modern web.”
Security expert Bruce Schneier says “‘catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”
While there is a fix, and it’s unlikely this was discovered and exploited in the past, the issue now is with sites that don’t have decent maintenance and don’t get updated. Now that the bug is known, some old site you used once long ago may now be insecure. If you have the habit of using the same password all over, or of using your social media (Facebook, Twitter, etc.) logins on other sites, you may have unwittingly shared your access all over, including to sites that are now secure.
Changing your password on such old sites won’t help in the slightest, contrary to some of the advice floating around. It’s only a useful exercise if you know the site has been updated. But you can usefully change it on sites that are fixed. All the major ones apparently have been updated, but there are millions of servers out there.
And the trick is, even server admins may never know they’ve been hacked with this one.
This article explains: Heartbleed Nightmare
You can check a site you use here
This is a great reason not to use the same password on multiple sites and may be a great time to implement a password manager like LastPass, if you have not already.
Not only did Monday bring Heartbleed, but there was a security update for WordPress on Tuesday and another for Jetpack on Wednesday. The latter two are things bloggers should update now. For the first, you want to be sure your web host has applied the fix. You really don’t want your ecommerce offerings to go nasty on you.
UPDATE – see comments for more links. It has also become apparent that the bug exists in many security devices.