What You Need To Know About The Heartbleed Bug
A vulnerability in OpenSSL called Heartbleed was discovered this week affecting websites across the internet. The breach allows anyone on the internet to dig up passwords and content sent on seemingly secure websites. Any site or service using the latest versions of OpenSSL, from 1.0.1 to 1.0.1f, may have been hit.
“It’s probably the worst bug the Internet has ever seen, said Matthew Prince, CEO of CloudFare. Nearly 66% of websites utilize OpenSSL, making the impact of this bug widespread. The worst part is that the flaw has been around for the past 2 years, so a site could have been infiltrated at any point within that time frame.
What is OpenSSL?
SSL stands for Secure Socket Layer and is used to make sure no one eavesdrops on you during your online communications. There are several implementations of SSL the most popular being an open source implementation called OpenSSL, where the bug was found. OpenSSL is the default cryptographic library in Apache and nginx, which power almost two-thirds of all active websites. The Heartbleed bug opens the door for attackers to hack into a webserver, grabbing its treasured SSL Certificate, the way a site proves its identity on the internet. This allows the intruders to take information from emails, passwords, instant messages, and even business documents.
What Should I Do?
For sites hosted by Horton Group, we have taken the necessary steps to guard against the Heartbleed bug so that our servers are no longer open to attack. Only two of our shared servers contained the bug, so the majority of our clients were safe. Even so, we rekeyed all SSL certificates we purchased for clients, so they are protected. If clients asked us to install their own SSL certificate, they may still need to be rekeyed. Once you are sure your server has been patched, we recommend that you change your passwords.
Here is a tool you can use to find out whether a website is vulnerable to the bug or not. You can also check through this list of potentially vulnerable websites. But keep in mind that, just because a website is not currently vulnerable, doesn’t mean it wasnt previously affected. To be on the safe side, you should change your passwords on all sites that have been corrected. Recently LastPass created a tool letting you know which passwords you should change based on if the site has been updated or not.
To find out more information about Heartbleed, you can visit Heartbleed.com.