What is the deal with Heartbleed?
Why is everybody writing and talking about “Heartbleed”? It probably affects more people than any other vulnerability we’ve ever seen. If you have ever logged into any web site, anywhere, your password might have been revealed — and that is just the start. We culled the following information from various reports from outside sources. At this time, any customers of ours who need to take action have been notified.
Last week, U.S. authorities warned that the “Heartbleed” bug in OpenSSL affected a significant portion of the Internet, including major websites such as Google, Facebook and Yahoo. The flaw potentially exposes passwords, credit card numbers and secret encryption keys.
Heartbleed is a massive security vulnerability that could be exploited by anyone who knew about it. To be clear, Heartbleed refers to the vulnerability itself; it is not an attack, a hack or a virus. The worst part is that, to date, nobody really knows whether somebody actually used it maliciously.
Basically, it is like someone leaving the back door of their house unlocked while on vacation. When they realize this after returning from the trip, they panic. Nothing appears to be missing and everything seems normal, but there is no way to know whether someone came in while they were gone.
Only the owners of the affected services (Google, Yahoo, GoDaddy) will be able to estimate what is likely to have been leaked, and they are being instructed by the government to notify their users accordingly if evidence is found.
At this point, none of the major companies affected are saying that any information has been used for malicious purposes. However, you should keep an eye on your credit card statements just in case and change your passwords on all affected company websites. For a list of well-known sites that were affected and have updated their systems, see this Mashable.com chart. Note: make sure that the company has fixed the OpenSSL issue BEFORE changing your password.
Will this affect my website?
Most regular small business websites do not have SSL certificates and do not make encrypted transactions on their website. So the good news is that your business website was likely not affected.
If you have an ecommerce website, you can call your website host to make sure they have installed the patch and rekeyed your SSL certificate. Our customers’ ecommerce sites have been patched on the host side.
We spoke with GoDaddy and Fatcow representatives, two of the hosts we regularly use, and they assured us that they have already taken steps to patch the security vulnerability and rekeyed their certificates.
Information from GoDaddy on Heartbleed.
Information from Fatcow on Heartbleed.
Companies that have their own servers need to talk to their IT specialists to make sure patches have been installed and their networks are safe.
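For IT staff checking their own servers, the first question is which OpenSSL build is installed. The following POSIX shell script is an added example, not part of the original post or of any host’s tooling: it classifies the output of `openssl version -a` against the upstream release facts (1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g is fixed; the 0.9.8 and 1.0.0 branches never contained the heartbeat code). The sample version strings inside the block are constructed for illustration. The important caveat it encodes is that distributions such as Debian and Ubuntu backported the fix without changing the version number, so an affected-looking version is “check the vendor advisory”, not a verdict.

```sh
#!/bin/sh
# Added example (not from the original post): classify an OpenSSL version
# string with respect to the Heartbleed bug (CVE-2014-0160).
# Upstream facts: 1.0.1 through 1.0.1f are affected, 1.0.1g is fixed,
# 1.0.2-beta1 was affected, and 0.9.8 / 1.0.0 never had the heartbeat code.

# Pull the bare version token ("1.0.1e-fips") out of a line such as
# "OpenSSL 1.0.1e-fips 11 Feb 2013".
openssl_version_token() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p'
}

# Exit status 0 = an upstream release that shipped with the bug, 1 = not affected.
heartbleed_vulnerable_version() {
  case "$(openssl_version_token "$1")" in
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
    1.0.2-beta1|1.0.2-beta1-*)     return 0 ;;
    *)                             return 1 ;;
  esac
}

# Extract the "built on:" line from "openssl version -a" output.  Vendors that
# backport fixes keep the old version number, so the build date is the only
# hint the binary itself gives that it may already be patched.
openssl_build_date() {
  printf '%s\n' "$1" | sed -n 's/^built on: *//p'
}

# Classify a full "openssl version -a" dump.  Prints one token:
#   PATCHED                      version never had, or no longer has, the bug
#   VULNERABLE-UNLESS-BACKPORTED upstream-affected version; confirm with the
#                                vendor advisory before trusting the build date
classify_openssl() {
  first_line=$(printf '%s\n' "$1" | sed -n '1p')
  if heartbleed_vulnerable_version "$first_line"; then
    echo "VULNERABLE-UNLESS-BACKPORTED"
  else
    echo "PATCHED"
  fi
}

# Constructed sample outputs, formatted like "openssl version -a" (not captured
# from any real server).
SAMPLE_VULN='OpenSSL 1.0.1e 11 Feb 2013
built on: Tue Feb 12 10:00:00 UTC 2013'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr  7 22:10:00 UTC 2014'

# Demonstrate on the constructed samples.
echo "sample 1: $(classify_openssl "$SAMPLE_VULN") (built on: $(openssl_build_date "$SAMPLE_VULN"))"
echo "sample 2: $(classify_openssl "$SAMPLE_FIXED") (built on: $(openssl_build_date "$SAMPLE_FIXED"))"

# Check the local binary too, if one is installed.
if command -v openssl >/dev/null 2>&1; then
  local_info=$(openssl version -a 2>/dev/null)
  echo "this host: $(classify_openssl "$local_info") (built on: $(openssl_build_date "$local_info"))"
fi
```

Run it on each server; a `VULNERABLE-UNLESS-BACKPORTED` result means either patching (upgrade to 1.0.1g or the vendor’s fixed package) or confirming from the vendor’s advisory that the installed package already carries the backported fix. Either way, rekey and reissue the certificate afterwards, since a key served by an affected build has to be assumed exposed.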
Am I affected by the bug?
Everyone is likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. The two most widely used web servers both rely on it, and their combined share of active sites on the Internet was over 66% according to Netcraft’s April 2014 Web Server Survey. Your favorite social site, your hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL. Furthermore, you might have client-side software on your computer that could expose data from your computer if you connect to compromised services. The good news is that no major banks have been affected.
Has this been abused in the wild?
We don’t know. The security community is deploying TLS/DTLS honeypots that entrap attackers and alert on exploitation attempts.
Where Can I Learn More?
Read the U.S. government’s official alert. For a detailed explanation of the “Heartbleed” bug, visit heartbleed.com. CNN and FOX Business have reports on the issue. Another article on Heartbleed misconceptions.