News sites and technology blogs are buzzing right now about the latest internet security crisis, known as Heartbleed. Before you read on, start making a list of every website and online service that holds your sensitive information, and get ready to change the important passwords as soon as each of those sites confirms it has fixed the problem. Let me explain.
SSL/TLS is the protocol that lets websites and users talk to each other securely. Whenever a lock appears in the corner of your browser window, some version of SSL or TLS is being used to set up an encrypted connection. Websites that routinely request and store sensitive information, such as Social Security Numbers, credit card numbers, driver's license numbers, dates of birth, identification numbers, email addresses, passwords, phone numbers and physical addresses, typically require users to log in over HTTPS, which is ordinary web traffic protected by SSL or TLS, so that the user can trust that only the intended website can read what they send.
OpenSSL, one of the most widely used implementations of SSL/TLS, carried a serious vulnerability until its recent discovery. The bug, nicknamed Heartbleed, sits in OpenSSL's handling of the TLS heartbeat extension (RFC 6520): a malformed heartbeat request can make a server send back up to 64 kilobytes of its own memory, and that memory can contain the server's private key, session cookies, and other users' passwords. Each request leaks only a small chunk, but an attacker can repeat it as often as they like, and the requests leave no trace in ordinary server logs. Exploited over time, Heartbleed is the equivalent of an experienced lockpicker sitting in front of a safe with hours, or about two years in this case, to work his or her way through the lock.
OpenSSL, a free, community-maintained open-source implementation of SSL and TLS, has released an emergency patch (version 1.0.1g) that adds the missing length check, and the fix will be carried forward in future versions of the library. Unfortunately, the patch only stops future leaks; whatever was read out of a server's memory before it was patched cannot be taken back. That is why affected sites also need to reissue their certificates with new private keys and revoke the old ones, and why changing your password on a site that has not yet patched does little good: the new password could be leaked just like the old one.
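To make the "leech memory in small chunks" description and the nature of the fix concrete, here is an added example that is not part of the original post and not OpenSSL's source. It is a simplified model of a heartbeat handler: the message layout follows RFC 6520, the "server memory", the sample cookie that happens to sit behind the received record, and the function names are all constructed for the illustration. The vulnerable handler trusts the length field inside the message; the fixed handler applies the same kind of check OpenSSL 1.0.1g added and silently drops a request whose claimed payload does not fit in the record that actually arrived.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a TLS heartbeat (RFC 6520) handler, illustrating the
 * missing bounds check behind Heartbleed (CVE-2014-0160). Not OpenSSL's code.
 * Wire layout: type (1) | payload_length (2, big-endian) | payload | padding (>= 16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    256

/* Simulated server memory: the received record sits at the start, and data
 * from an earlier request (a constructed sample cookie) sits right behind it,
 * as it might on a real heap. */
static unsigned char server_mem[MEM_SIZE];
static const char *const secret = "Set-Cookie: session=deadbeef; user=alice";

/* Place a heartbeat request that claims `claimed_len` payload bytes but really
 * carries `payload_len`; returns the true length of the record. */
static size_t build_record(uint16_t claimed_len, const char *payload, size_t payload_len)
{
    size_t record_len = 1 + 2 + payload_len + HB_PADDING;
    assert(record_len + strlen(secret) <= MEM_SIZE);
    memset(server_mem, 0, sizeof server_mem);
    server_mem[0] = HB_REQUEST;
    server_mem[1] = (unsigned char)(claimed_len >> 8);
    server_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_mem + 3, payload, payload_len);           /* padding stays zero */
    memcpy(server_mem + record_len, secret, strlen(secret)); /* neighbouring data */
    return record_len;
}

/* VULNERABLE: echoes as many bytes as the sender claims, never checking that
 * the record actually contains them. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t record_len,
                                unsigned char *out, size_t out_cap)
{
    (void)record_len;                          /* the bug: real length never consulted */
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);         /* over-reads whatever follows the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* FIXED: the 1.0.1g-style check. A claimed payload that does not fit in the
 * received record is silently discarded. */
static int heartbeat_fixed(const unsigned char *rec, size_t record_len,
                           unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_PADDING) return 0;            /* too short to be valid */
    size_t payload = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + payload + HB_PADDING > record_len) return 0;  /* claim exceeds record */
    if (1 + 2 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)(1 + 2 + payload + HB_PADDING);
}

/* Does the response carry the neighbouring secret? */
static int leaks_secret(const unsigned char *resp, int n)
{
    size_t m = strlen(secret);
    if (n < 3) return 0;
    for (size_t i = 3; i + m <= (size_t)n; i++)
        if (memcmp(resp + i, secret, m) == 0) return 1;
    return 0;
}

/* Malformed request: 4 real payload bytes, claimed length 100. */
int vulnerable_leaks_secret(void)
{
    unsigned char resp[MEM_SIZE];
    size_t rlen = build_record(100, "ping", 4);
    return leaks_secret(resp, heartbeat_vulnerable(server_mem, rlen, resp, sizeof resp));
}

int fixed_drops_malformed(void)
{
    unsigned char resp[MEM_SIZE];
    size_t rlen = build_record(100, "ping", 4);
    return heartbeat_fixed(server_mem, rlen, resp, sizeof resp) == 0;
}

/* Well-formed request: the fixed handler still answers it, and leaks nothing. */
int fixed_answers_wellformed(void)
{
    unsigned char resp[MEM_SIZE];
    size_t rlen = build_record(4, "ping", 4);
    int n = heartbeat_fixed(server_mem, rlen, resp, sizeof resp);
    return n == 1 + 2 + 4 + HB_PADDING && memcmp(resp + 3, "ping", 4) == 0 && !leaks_secret(resp, n);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler drops malformed:   %d\n", fixed_drops_malformed());
    printf("fixed handler answers valid:     %d\n", fixed_answers_wellformed());
    return 0;
}
```

The model keeps the over-read inside one array so it runs safely; on a real server the bytes copied past the record are whatever the allocator placed next to the request buffer, which is why repeated requests eventually turn up keys, cookies and passwords. Note that the fix is a length check, not a change to the encryption itself, which is why the patch cannot recover anything already read out.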
Although roughly two thirds of active websites run on web servers that use OpenSSL, not every site was vulnerable: only servers running OpenSSL 1.0.1 through 1.0.1f with the heartbeat extension enabled were exposed. For those who would rather not change every password, you can check the link in this TechCrunch article to find a list (not regularly updated) of sites affected, or you can go to this Netcraft article and enter the full https:// or https://www. URL for each site you wish to check. On the results page, search/find “RFC6520”; if it appears, the site supports the heartbeat extension and so is or may recently have been vulnerable. Bear in mind that a patched OpenSSL, or a server not built on OpenSSL at all, can also advertise the extension, so this is a hint rather than proof. Check whether a site was vulnerable, and whether it has since been fixed and reissued its certificate, before going in to change your password; changing it on a site that is still vulnerable just hands the attacker the new one. The safest option, once the sites you use have patched, is to change all passwords.
In addition, the leak of personal and financial information can lead to identity theft. Check your credit report and bank records frequently, and report any suspected cases of identity theft to your local police and to the Federal Trade Commission. For more information on identity theft reporting and the proper agencies to contact, see this Department of Justice page. For more information on Heartbleed, check out this site, created by the team that discovered the vulnerability.