Yes, it’s just about as bad as it sounds. Above all, it’s not a medical condition, and no one will die from it.
In a Nutshell
The Heartbleed Vulnerability (formally known as CVE-2014-0160) is a severe problem. As a result, techies and consumers alike need to know about it and take action.
The vulnerability is severe. In short, the Heartbleed Vulnerability allows malicious users to potentially read credit card numbers, usernames, passwords, and other personal information submitted over what looks like a secure (HTTPS) connection. It also exposes the server's private keys, so a server that has been patched but still uses the SSL certificate and key it had while it was vulnerable remains at risk of being compromised.
The vulnerability is pervasive. Approximately 66% of all websites run on Apache or nginx, and both of these web servers use OpenSSL. Some portion of those servers is not affected (oddly enough, older OpenSSL versions are less likely to be affected), but many major sites were vulnerable as of April 8, including Yahoo, Flickr, StackOverflow, Eventbrite, Entrepreneur.com, and Fool.com. Popular sites such as Google.com, YouTube, Facebook, and Wikipedia fixed the issue before April 8.
The vulnerability can be exploited without leaving evidence. Some companies state they were not compromised before patching their servers. The trouble is, an exploit of this vulnerability leaves no trace, so the evidence they would need to support that claim is not something they could have had.
The vulnerability requires action from EVERYONE. Yes, even you. You should change your passwords on most of the sites you use. The owners of those sites may not tell you if your information has been compromised or not.
So what should you do about it?
If you are a consumer, remember: your information is at risk, and criminals have the ability to capture it. Protect yourself:
- Change your passwords on any and all sites that contain sensitive data after your service providers patch the vulnerability (see below for the work they need to do). I’m going to change my passwords at least for my bank, PayPal, Amazon, and LastPass accounts. I use LastPass to manage passwords, and you should too.
- Monitor your credit card and bank activity. Report suspicious charges to your bank promptly (always a good idea, not just at a time like this).
- Contact your website service providers to make sure they have patched and tested their servers. Without the proper precautions taken by them, your passwords and information would remain vulnerable in the future.
If you are a developer or system administrator, you need to patch your servers to protect your customers' information. Protect yourself and your customers:
- Update OpenSSL to a version without the vulnerability. Check heartbleed.com for a list of OS and OpenSSL versions affected and not affected, and test again after an update. On Ubuntu running Apache, as an example, you can update your server with this string of commands:
sudo apt-get update && sudo apt-get install openssl libssl1.0.0 && sudo service apache2 restart
- Revoke, re-issue, and re-install SSL certificates on affected servers. A vulnerable server can expose your private keys, and those keys can decrypt any data your customers send to your website through SSL. You need to create a new key, request a new SSL certificate from your vendor, install it on your server, and revoke the old certificate.
- Contact customers and request that they reset their passwords. No, it’s not fun to tell anyone there’s a vulnerability. But your customers should thank you for contacting them and being transparent. You can even suggest they read more about Heartbleed here. You can also advise them to change their passwords on other sites.
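As an added example (not part of the original post), here is a POSIX shell script for the "test again after an update" step above: it classifies the installed OpenSSL from the output of `openssl version -a`, treating a 1.0.1a-f build dated 7 April 2014 or later as a probable distribution backport of the fix (an assumption to confirm against your distribution's advisory), and in --live mode it also lists processes that still have a replaced libssl mapped, which is why the apache2 restart in the command above matters.

```sh
#!/bin/sh
# Classify an OpenSSL build for CVE-2014-0160 from `openssl version -a` text.
# Affected upstream releases: 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g is
# the fixed release. Distributions backport the fix without changing the version
# string, so a 1.0.1a-f build dated 7 April 2014 or later is reported as
# "probably-patched" (an assumption: confirm against your vendor's advisory).

# Turn "Mon Apr  7 21:22:23 UTC 2014" into a sortable YYYYMMDD number
# (prints 0 when the line is not a date, e.g. "date not available").
build_stamp() {
  set -- $1                               # word-split: $2=month, $3=day
  y=''; for w; do y=$w; done              # the year is the last field
  case "$y" in [0-9][0-9][0-9][0-9]) ;; *) echo 0; return ;; esac
  m=$(awk -v n="$2" 'BEGIN { i = index("JanFebMarAprMayJunJulAugSepOctNovDec", n)
                             printf "%02d", (i + 2) / 3 }')
  printf '%s%s%02d\n' "$y" "$m" "$3"
}

# Print one of: vulnerable, probably-patched, not-vulnerable, unknown.
heartbleed_status() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][^ ]*\).*/\1/p' | head -n 1)
  built=$(printf '%s\n' "$1" | sed -n 's/^built on: *//p' | head -n 1)
  case "$ver" in
    0.9.*|1.0.0*)     echo "not-vulnerable ($ver predates the heartbeat code)" ;;
    1.0.2-beta1*)     echo "vulnerable ($ver)" ;;
    1.0.1|1.0.1[a-f]*)
      stamp=$(build_stamp "$built")
      if [ "$stamp" -ge 20140407 ]; then
        echo "probably-patched ($ver, build dated $stamp)"
      else
        echo "vulnerable ($ver)"
      fi ;;
    1.0.1*|1.0.2*|1.[1-9]*|[2-9].*) echo "not-vulnerable ($ver)" ;;
    *)                echo "unknown (no OpenSSL version line found)" ;;
  esac
}

# Live check: this host's library, plus processes that still map a libssl
# that was replaced on disk (they keep running the old code until restarted).
heartbleed_check_live() {
  heartbleed_status "$(openssl version -a 2>/dev/null)"
  grep -l 'libssl.*(deleted)' /proc/[0-9]*/maps 2>/dev/null |
    sed 's|^/proc/\([0-9]*\)/maps$|restart needed: pid \1|'
}

# Constructed sample output (not from a real host) so the script runs offline.
SAMPLE='OpenSSL 1.0.1f 6 Jan 2014
built on: Mon Apr  7 21:22:23 UTC 2014'
if [ "${1:-}" = "--live" ]; then heartbleed_check_live; else heartbleed_status "$SAMPLE"; fi
```

Run it with `--live` on the server itself after the update; any "restart needed" line means a process is still serving with the old library.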