Manage your passwords and protect yourself from Heartbleed
You've probably seen the news about Heartbleed, the nickname for an OpenSSL bug that exposes random chunks of memory on web servers to snooping by almost anyone, even from transactions supposedly protected in the https:// security mode.
In principle, this vulnerability -- which was quietly present in the OpenSSL library for a couple of years prior to discovery/announcement -- could let malicious parties capture passwords, usernames or even the private keys that big sites use to encrypt all their conversations.
While this is a very serious issue (security guru Bruce Schneier describes it thusly: "on a scale of 1 to 10, this is an 11"), not all Apache sites are affected by Heartbleed -- only those that use the 1.0.x version of OpenSSL without the patch are vulnerable. As pointed out by a former TUAWer Damien Barrett, sites that run OS X server have a
more recent version version of OpenSSL and SSL/TLS encryption that's older (the 0.9 branch); they are are not affected by this flaw.
Though Heartbleed is a gaping security hole in SSL that's been open for several years, it is unlikely that you have been targeted by hackers; in fact, the nature of the bug means that data can only be collected at random, without much targeting short of picking a particular site to harvest. Still, you need to be aware of the flaw so you can protect your data going forward.
Website managers have been aware of the issue for several days now and are in the process of updating their software and security certificates so they are no longer affected by this flaw. Here are some suggestions to help you keep your data safe as the Internet deals with this Heartbleed vulnerability.
Be Careful Where You Login
Avoid logging into websites that contain sensitive information for a few days or at least until the website has been updated with a new security certificate. Services worth their salt will have an alert telling you that their servers are now secure. You can use a couple of online tools to see if a service is still vulnerable: LastPass's screener and the original Heartbleed tester. Mashable also has a list of major sites and their Heartbleed status.
Change Your Passwords
As a precaution, you should change the passwords that you use to login into secure websites that were affected by this bug. It's a daunting task, but one you shouldn't start right away. Wait for websites to update their security status first and then choose strong and unique passwords for all your important sites. You also may consider changing all of your passwords just to be safe -- you should be changing them routinely anyways, so now is as good a time as any.
Use a Password Manager
Use a password manager if you don't already have one. If you have to change passwords, you might as well take the extra time to setup a password manager and store all your logins in a single, secure location. Many Apple owners use 1Password (review), while I personally use LastPass, which has the added benefit of scanning your stored services for the Heartbleed vulnerability. If a site is vulnerable, the tool will let you know whether you should update your passwords for those accounts at this time.
LastPass users with the browser extension installed can click the LastPass icon in the browser toolbar, click the "Tools" menu, and select "Security Check". Users also can login to their vault in their web browser and click "Security Check" in the left-hand column.
If you want to know more about Heartbleed itself, TechCrunch posted this great technical video and here's a little background on why there is a logo and website to spread info about this security issue.
Post updated 1pm ET 4/10.
Subscribe to Newsletter
Software Updatesmore updates
- Dropbox adds file/folder renaming and Office document editing to iOS app
- Vizzywig 8xHD price tag now a very affordable $49.99
- Automatic targets teen drivers with License+ service
- Dropbox adds support for TouchID
- YouTube for iOS gets updated with full support for iPhone 6 and 6 Plus
- iOS 8.0.1 update now available (Updated -- Don't update!)