Heartbleed nearly mended, but OpenSSL still a problem
WASHINGTON, April 27, 2014 – Heartbleed, the OpenSSL bug that’s caused red flag warnings for internet users everywhere, has been patched by most of the companies affected, and most internet users have been told to update their passwords.
However, the problems introduced by Heartbleed are far from over.
What it is
Heartbleed is the name given to a software fault in OpenSSL. First uncovered by Neel Mehta of Google Security, this flaw was an error within the widely used OpenSSL code – and it’s been around for over two years. I want to point out that, contrary to many reports, this isn’t a virus. Heartbleed is a flaw in the software itself, a hole that lets someone slip past the protection it was supposed to provide.
OpenSSL is a well-known open source security library; “open source” means its source code is published for anyone to inspect, which is meant to build confidence through transparency. In the case of Heartbleed, companies assumed the software was being regularly combed through by expert programmers at other companies, instead of reviewing it themselves before using it.
In reality, only a small group of programmers is dedicated to keeping an eye on OpenSSL, and they are entirely dependent on donations… which has meant they’re constantly underfunded. Ergo fewer routine checks. Ergo more potential flaws.
Among the names found using OpenSSL are tech giants such as Yahoo, Gmail, Facebook, YouTube and more. Most sites have been patched. Still, before changing your passwords I recommend you confirm by reading this article by Mashable.
What does it mean?
Because of the Heartbleed bug, anyone aware of the flaw could’ve used it to access communication between users and a site. Secure websites scramble what they send, and Heartbleed gives an attacker a way past that protection – turning what would otherwise be meaningless “noise” into readable text. From that point, simple scans can uncover content such as email and photos, as well as passwords.
So – change your passwords. For the most part our Heartbleed woes are over. The bad news, however, is that this whole case shows that programs like OpenSSL, which were thought to be 100% secure, are actually not. The bottom line? Programmers are human, and humans make mistakes. As always, tread carefully.
What to do
Users of affected sites are urged to change their passwords. Some useful password advice comes via James Lyne. Many of us are sloppy when it comes to online security, myself included. This is a good time to correct the error of our ways.
1. Avoid using the same password across multiple sites and services. That way, if one is breached, hackers won’t be able to jump across into your Twitter, online banking, work accounts or the like.
2. Choose a password that’s not easy to guess. Passwords should be long, phrase-based and involve a balance of different types of characters – numbers, letters, capitals and ideally a few symbols.
3. Set up password change/reset mechanisms carefully. Typical reset questions are easy to answer and can usually be mined from social media pages or the Internet: why would hackers guess your password if they can just tell a system where you went to school and how old you are? Instead, try coming up with a scheme of answers to these questions that you won’t forget (or store them securely) or, better still, if the service allows, specify your own difficult questions.