This week a new vulnerability was announced in OpenSSL, the library used by most computers to encrypt data sent across the internet. CVE-2014-0160, also known as Heartbleed, essentially lets an attacker pull the keys used to encrypt your data directly from the memory of a vulnerable web server, thereby letting him or her read any traffic sent from that server, including usernames, passwords, financial information and more.
Important Facts about Heartbleed
While this might seem like something that wouldn’t affect your small website, keep in mind a few facts:
First, the bug was introduced into OpenSSL about two years ago. According to theverge.com, no one knows for sure how long anyone, including the bad guys, has known about it.
Second, many websites you connect to every day, including Yahoo, GitHub and others, currently use or recently used vulnerable versions of OpenSSL. According to the statistics site BuiltWith.com, OpenSSL is used by as many as 9% of the top websites and, by some estimates, as many as two out of three web servers rely on OpenSSL to encrypt data.
Third, if you access your website through your host’s control panel, or if a username or password you use on your site has also been used elsewhere, an attacker may already have your data.
In other words, this one is bad. Anything you’ve sent to any website over the past two years could already be in an attacker’s hands.
What You Need To Do About Heartbleed Now
- Check your website to see if it is still vulnerable.
- If your website is vulnerable and you’re on shared hosting or a managed server, contact your host right away to make sure they are getting it patched.
- If you’re running your own server, patch it immediately. This means making sure you’re using a patched version of OpenSSL. If you’re running an Ubuntu Server you can look here for instructions to upgrade. For CentOS and other Linux distributions, this article offers some help or you will need to contact the distribution vendor for instructions.
- Change all SSL certificates you use on your site. You’ll need to request that they be re-issued from the service where you bought them initially. Re-issuing is usually free, but will take a bit of your time.
- Change your passwords. Start changing the passwords you use on every site you access. Next time you log in, just make it a point to change it. I recommend using 1Password to help you with this. Not only can it generate a strong password for you, but it can make logging in on any website in the future as simple as a couple of keystrokes. This will let you set a different strong password for every site you use without having to worry about forgetting it.
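The version check in the first step and the certificate step above can be made mechanical. The following is an added example, not code from the original post: it classifies the text of `openssl version -a` using the affected-release list from the OpenSSL advisory, handles distribution builds that backported the fix without changing the version string by looking at the build date, and flags any certificate that predates the patch date for reissue with a new private key. The sample strings in the tests are constructed, not captured from a real host.

```python
import re
from datetime import date, datetime

# Affected upstream releases per the OpenSSL advisory: 1.0.1 through 1.0.1f and
# 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 ship the fix (released 7 April 2014).
# 0.9.8 and 1.0.0 never had the TLS heartbeat code.
FIX_RELEASED = date(2014, 4, 7)
VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")
# Matches 'Apr  7 20:33:29 UTC 2014' in both 'built on:' and 'notBefore=' lines.
DATE_RE = re.compile(r"(\w{3}) +(\d+) [\d:]+ (?:\w+ )?(\d{4})")

def _to_date(text):
    m = DATE_RE.search(text)
    if m is None:
        raise ValueError("no recognisable date in: %r" % text)
    return datetime.strptime(" ".join(m.groups()), "%b %d %Y").date()

def classify_openssl(version_output):
    """Classify `openssl version -a` output as 'not_affected', 'fixed_upstream',
    'vulnerable' or 'check_backport'.

    Debian and Ubuntu backported the fix without changing the version string
    (it still reads 1.0.1e), so for an affected version the build date decides:
    a binary built before the fix existed is certainly unpatched; a later build
    must be checked against the distribution's security advisory."""
    m = VERSION_RE.search(version_output)
    if m is None:
        raise ValueError("no OpenSSL version line found")
    major, minor, patch, letter, beta = m.groups()
    ver = (int(major), int(minor), int(patch))
    if ver == (1, 0, 2):
        if beta is None or int(beta) >= 2:
            return "fixed_upstream"  # 1.0.2-beta2 onwards
    elif ver != (1, 0, 1):
        return "not_affected"
    elif letter >= "g":
        return "fixed_upstream"
    built = re.search(r"built on:.*", version_output)
    if built is None or _to_date(built.group(0)) >= FIX_RELEASED:
        return "check_backport"
    return "vulnerable"

def cert_needs_reissue(start_date_line, patched_on):
    """True if the certificate (`openssl x509 -noout -startdate` output) began
    its life before the server was patched on ISO date `patched_on`. It must
    then be reissued with a NEW private key and the old one revoked, because
    the old key may have been read out of the vulnerable server's memory."""
    return _to_date(start_date_line) < date.fromisoformat(patched_on)
```

Feed `classify_openssl` the output of `openssl version -a` on the server, and `cert_needs_reissue` the output of `openssl x509 -noout -startdate -in cert.pem` for each certificate together with the date the server was patched.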
Again, Heartbleed is a serious problem and probably one of the most serious issues consumers on the web have faced to date. Fortunately, a fix is already available, and all it will take is a little bit of work to make sure you and your customers won’t have anything to worry about in the future.