The online world is buzzing with concern over the latest big security scare – the Heartbleed bug.
The problem is in a piece of critical, and widely used, encryption software called OpenSSL. The bug allows an attacker to sift through the short-term memory of a server (the RAM, not its disk or database files). Software bugs and their attendant security problems are nothing new, but this one is creating a bigger stir than usual for a few reasons:
- OpenSSL is the software used for SSL security on the web. Estimates are that about 2/3s of all secure sites use OpenSSL.
- The bug has been around, undisclosed, for a long time. It was introduced in late 2011, so many systems have been vulnerable for over 2 years.
- Attackers who exploit the bug leave no trace. Web site owners can’t know for sure whether their site was compromised.
The Good News
Happily, the bug is not complex, and the maintainers of OpenSSL published a patched version quickly. It’s straight-forward for system administrators to determine if they are vulnerable, and the patch was safe to apply quickly and didn’t cause other compatibility problems. Now, 48 hours after the disclosure, much of the web has been patched.
What Does it Mean to Me?
Sadly, you cannot know if any of the sites you visit were compromised. The error is only in server software, so you do not need to update software on your computer.
However, your passwords or other information might have been stolen, from any site you visit which uses SSL. It would be a good idea to change your passwords on all of those sites. This can be quite a chore for those of us with dozens of passwords for different web accounts, but you probably haven’t changed those passwords in a while anyway (like since you first signed up) so now is as good a time as any. A couple notes of caution about this:
- If you change your email password, remember that you may have several devices which access that account (desktop, phone, tablet). Do this when you have the time to change the setting in all of your devices, not on the way out the door for a business trip.
- Do not use the same password for multiple web sites. Using a common password is how a determined thief or vandal can gain control of your entire digital life. Separate passwords for different sites makes it much much harder for someone to do lasting damage.
- Don’t set a new password on a web site until you know they are patched. You can check to see if a site is patched via this link: http://filippo.io/Heartbleed/
What is SWCP Doing About This?
We learned about the exploit on Monday evening and started patching servers right away. Throughout Tuesday we continued patching our own and our customers’ servers, and now have all the vulnerable systems patched.
If you want to change your SWCP password, you can do that here: https://members.swcp.com/
Next for us will be working out re-keying and re-issuing SSL certificates for our customers who have them. That process will take a bit longer, and could only be started after the software patching was completed.
And finally, the great sage of the digital age, the XKCD comic strip, sums things up nicely: https://xkcd.com/1353/
Update – 4/11/2014
We are well into the process of re-issuing all SSL certificates for our web publishing customers who have them. All *.swcp.com sites have new certificates. As the situation has developed, the consensus advice is that all users should change their passwords over the next couple of weeks. Before changing the password for a site, be sure to verify that they are fixed (via http://filippo.io/Heartbleed/). It is safe to change your SWCP passwords any time.
If you have a lot of them, just do a few each week. Start with your ISP, all your email accounts, and any financial institutions you have online accounts with.
There is a new XKCD comic out today which has the best lay person’s description of how the Heartbleed bug works. If you are non-technical, or need to explain this to someone non-technical, this picture is worth thousands of words: http://xkcd.com/1354/
If you have any questions about Heartbleed, please give us a call or email us: firstname.lastname@example.org