Friday, April 11, 2014

Heartbleed (yes, again)




I usually refrain from jumping on the common news bandwagon and reposting ideas that are already circulating, but I think the "Heartbleed" security flaw is an important enough exception.  It is really (really, really) important that people know what this is and how to protect themselves, so I may be repeating information you already know here.

Heartbleed [http://heartbleed.com/] is a flaw in OpenSSL, a widely used implementation of the Secure Socket Layer (SSL) that drives secure communications on the internet.  Essentially, any web site where you see HTTPS:// as opposed to HTTP:// could potentially be at risk.  Any secure communication that uses SSL implemented with OpenSSL is affected.  It is a pretty big deal.  This xkcd comic does a great job of explaining how the exploit works [http://xkcd.com/1354/].

Many companies use SSL to protect their email, IM, and other private data when sending it between servers, and every one of those certificates (and the private keys behind them) will need to be discarded and reissued.  That means downtime and unique maintenance headaches for every server administrator.

Even if companies don't transport information using SSL, their web hosts (all of them) will need new security keys, and that involves not only generating the new certificate but also stopping and restarting web services and everything that goes along with that.  It is a LOT of work.  Elastica Inc has a pretty decent video here if you want a longer explanation.

BTW... you should change all your passwords... NOW.  Even though you probably do not have any SSL-protected data of your own, the servers you connect to *do*.  Let's say you use the same username and password for several services - admit it - you do.  If some "bad" person used this exploit to get your username and password from one server, they can then use that information on any number of other sites where you use the same credentials.

This is not just a password hack, though.  This bug allows adjacent data from the server's memory (in blocks of up to 64 KB) to be returned to the requester, unencrypted and untraceable.  That means that any other data in the server's memory may be returned to someone exploiting the bug.  Scary stuff.
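The missing check behind that "adjacent data" leak, as an added C model written for this post (not OpenSSL's code): the record layout follows the TLS heartbeat extension, while the record contents, the "secret" that sits next to them, and the function names are constructed for the demo.

```c
/* Added illustration of the missing length check behind the bug described above.
 * This is a simplified model, not OpenSSL's code: the record layout (1-byte type,
 * 2-byte payload length, payload, 16-byte padding) follows the heartbeat extension;
 * the record contents, the "secret" and all names are constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_HEADER = 3, HB_PADDING = 16, RECORD_LEN = HB_HEADER + 5 + HB_PADDING };
#define PAD "0123456789abcdef" /* the 16 padding bytes of a 5-byte-payload record */

/* Two constructed records, each followed in memory by unrelated data that stands in
 * for whatever happened to sit next to the request buffer (cookies, keys, passwords).
 * Both really carry 5 payload bytes; the honest one says 5, the lying one says 0x30 = 48. */
static const uint8_t honest_record[] = "\x01\x00\x05HELLO" PAD "secret-session-cookie=ABC123";
static const uint8_t lying_record[]  = "\x01\x00\x30HELLO" PAD "secret-session-cookie=ABC123";
static uint8_t demo_out[64];         /* what the "server" sends back */

static uint16_t claimed_len(const uint8_t *rec) { return (uint16_t)(rec[1] << 8 | rec[2]); }

/* Vulnerable: echoes as many bytes as the sender CLAIMS, never checking that the record
 * actually contains them, so the copy runs off the payload into adjacent memory. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                          /* the real record length is never consulted */
    uint16_t n = claimed_len(rec);
    if (n > out_cap) n = (uint16_t)out_cap; /* demo-only bound so the copy fits our buffer */
    memcpy(out, rec + HB_HEADER, n);
    return n;
}

/* Fixed: header + claimed payload + padding must fit inside the record that was actually
 * received; anything else is silently discarded, which is how the patched code behaves. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < (size_t)HB_HEADER) return 0;
    uint16_t n = claimed_len(rec);
    if ((size_t)HB_HEADER + n + HB_PADDING > rec_len || n > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, n);
    return n;
}

int main(void) {
    size_t n = heartbeat_vulnerable(lying_record, RECORD_LEN, demo_out, sizeof demo_out);
    printf("vulnerable echoed %zu bytes: %.*s\n", n, (int)n, (const char *)demo_out);
    n = heartbeat_fixed(lying_record, RECORD_LEN, demo_out, sizeof demo_out);
    printf("fixed echoed %zu bytes for the same record\n", n);
    return 0;
}
```

Running it shows the vulnerable handler returning the padding and the constructed "secret" along with the real five-byte payload, while the fixed handler returns nothing for the same lying record and still answers the honest one normally.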

This is being taken very seriously by everyone in the IT world, and in some cases it was easier just to shut down access to servers entirely while the software was being patched.

If you have any doubt about a service you use, there is a tool you can use to check whether a site has been patched: [http://filippo.io/Heartbleed/]

UPDATE:
I know there are many sites and blogs out there saying you don't need to change all your passwords, but I disagree.  If you use a unique password everywhere then sure, you are fine, but if you are one of the millions of people who reuse passwords because it is too hard to remember them all (admit it, that is you) then you need to change them all.  If you happened to reuse a password from your secure and unaffected bank login on a site that is affected, then there is potential for your credentials to have been compromised.

