The Heartbleed bug is one of the more serious computer security vulnerabilities I have seen. It was discovered yesterday and is just starting to hit mainstream media now, so I will summarise my understanding of it.
It affects some web sites that use HTTPS secure connections. The purpose of HTTPS is, among other things, to encrypt data sent between your computer and the web server, so that anyone who sees the data in transit across the internet cannot read it. So it is used whenever you log in to a web site or enter personal information. You know you are using it when your web browser displays a little padlock icon somewhere.
The bug is in OpenSSL, a software library that implements HTTPS. Not all web sites use this library, but many do. The bug affects certain versions of the library. Importantly, though, the bug has been in the library since December 2011, and has only recently been detected and fixed.
During this time, an attacker who knew about the bug could send a request to a web server, and get back some random information from the server’s memory that should not be public. This information could be almost anything known by the web server software. It is a lucky dip: the attacker cannot choose what information he will get. Importantly, though, it can include server certificates, and user names and passwords of the web site’s users.
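To make the lucky dip concrete, here is an added example (not from the original post and not OpenSSL's code) that models the flaw: the server echoes back as many bytes as the request claims to contain, without checking how many actually arrived. The names `server_mem`, `load_memory`, `echo_vulnerable` and `echo_fixed` and the sample data are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 64

/* Constructed stand-in for server memory: the request is stored at offset 0
   and whatever else the server was holding sits directly after it. */
static unsigned char server_mem[MEM_SIZE];

static void load_memory(const char *payload, size_t actual_len, const char *other) {
    memset(server_mem, 0, MEM_SIZE);
    memcpy(server_mem, payload, actual_len);
    memcpy(server_mem + actual_len, other, strlen(other));
}

/* Flawed echo: copies as many bytes as the client claims to have sent. */
size_t echo_vulnerable(size_t claimed_len, size_t actual_len, unsigned char *reply) {
    (void)actual_len;                      /* never checked: this is the bug */
    if (claimed_len > MEM_SIZE)
        claimed_len = MEM_SIZE;            /* only keeps this model in bounds */
    memcpy(reply, server_mem, claimed_len);
    return claimed_len;
}

/* Corrected echo: a claim larger than what actually arrived is dropped. */
size_t echo_fixed(size_t claimed_len, size_t actual_len, unsigned char *reply) {
    if (claimed_len > actual_len)
        return 0;                          /* no reply is sent at all */
    memcpy(reply, server_mem, claimed_len);
    return claimed_len;
}

int main(void) {
    unsigned char reply[MEM_SIZE];
    /* Constructed data: a 4-byte request next to another user's login. */
    load_memory("ping", 4, "user=alice;pw=hunter2");

    size_t n = echo_vulnerable(30, 4, reply);   /* client claims 30 bytes */
    printf("vulnerable: %zu bytes: ", n);
    for (size_t i = 0; i < n; i++)
        putchar(reply[i] ? reply[i] : '.');
    putchar('\n');

    n = echo_fixed(30, 4, reply);
    printf("fixed:      %zu bytes\n", n);
    return 0;
}
```

The requester only receives whatever happened to be stored next to the request, which is why the leaked data is random rather than chosen.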
Having obtained a certificate, an attacker could spy on data transferred from the user to the web site, including passwords and any information entered. This is not trivial, but can be quite easy in certain circumstances. For example, anyone can sit in a coffee shop and intercept WiFi traffic of other customers using WiFi in the shop, but they will only get information about the other coffee shop customers. On the other hand, the NSA can presumably spy on all data sent to any web site. There will be attackers with levels of sophistication between these extremes. Normally a web browser will shout warnings at you if an HTTPS connection has been intercepted. Having a web site’s certificate enables an attacker to silence such warnings.
User names and passwords can also be obtained directly using the Heartbleed bug. This only happens on certain web sites, and the details retrieved are random. It is not possible to quickly obtain all details of all users. Rather, every time the attack is made, one or two users’ details might be revealed. That said, the attack can be repeated, and in two years it can be repeated a lot. So a determined attacker could gather details of many people in this time. This is real. Users on Reddit were claiming to have seen Yahoo Mail passwords as recently as a few hours ago. Right now, Yahoo Mail is fixed.
So what can you do? Realise that you are affected, but don’t panic. There is a very good chance none of your details have leaked. You cannot be certain, but you already were not certain. There are likely many more security holes that are not yet common knowledge. However, on services where you have particularly sensitive information, it would be wise to first check that the bug has been fixed, and then change your password.
You can check if the bug currently affects a given service with an online tool. If the service is at all high profile, it is a fairly safe bet that it is already fixed. But you cannot tell if your details or a service’s certificate have been leaked in the past. Unless a service takes action, credentials and certificates obtained in the last two years can still be used by attackers to log in or spy on communications. Hopefully web administrators will communicate whether they have been affected and whether they have changed their certificates, so watch for announcements.
When you change your passwords, now is a good time to stop using the same password for every service you use. Start using a password manager such as LastPass, 1Password or Password Safe. All of these are acceptably safe in my opinion, but there is some interesting discussion on this topic. The great thing is that a password manager will generate a different, random, impossible-to-guess password for each site you use, meaning that if someone does find out your password to one service, the damage is limited to that service.
If a service offers two-factor authentication, where you use a smartphone app that generates an ever-changing code, use that, because it means knowing your password alone is useless to an attacker.
If you run a web server that uses HTTPS and handles users’ information, educate yourself, upgrade, and inform your users.
More generally, if you can possibly arrange to live your life under the assumption that everything you have ever done on the internet could become public knowledge tomorrow, you could save yourself a lot of trouble. Keeping secrets is hard.