Has Heartbleed Compromised Your Passwords? You Can Still Fix This
Earlier this week a new bug named Heartbleed was uncovered by the Finnish security firm Codenomicon and a Google researcher. Although the bug has reportedly been around for almost two years, this is claimed to be the first time it has been detected. Since then it has gained worldwide attention, but experts are still unsure how much damage it may have caused or how much data has leaked in the meantime.
The bug opens a hole in the encryption technology used by email, e-commerce, instant messaging and many other services. The flaw is in OpenSSL, the most popular implementation of SSL/TLS on the Internet, the encryption you normally see on a browser address bar as “https:”, which indicates that the data transfer is secured. The vulnerability allows anyone with the right knowledge to snoop on the traffic and also to obtain the keys needed to decipher the encryption, without the webmaster ever knowing. The data that can be stolen includes your passwords, business documents, instant messages and more, which could amount to a huge loss for businesses.
If the thought hasn’t crossed your mind by now, you should be wondering whether you are affected by this. Well, you might or might not be. The question is whether the websites you use have fallen prey to it. According to Tom’s Guide, some of the confirmed victims were Yahoo, Flickr and Tumblr. So if you use any of these, you should consider changing your passwords right away. Tom’s Guide has also listed a number of prominent websites that were affected, were vulnerable, or are not vulnerable to the flaw. Have a quick look at the image below, and if you find a website you use in the danger zone, it is highly recommended that you change your password as soon as possible. Apart from websites, operating systems like Linux were also affected. The good news is that most websites running on Microsoft servers weren’t affected by Heartbleed.
As a user or a website owner, you can always check with the system administrators of the websites you share private information with about the current status of their servers: whether they were affected and, if so, whether they have applied the patched version of OpenSSL. If you are a webmaster, you can run the Heartbleed Test against your server and apply the necessary patches to fix it. Users can also go to the GitHub page compiled by LulzSec hacker Mustafa al-Bassam, which lists the top 10000 websites by their Heartbleed status. For other websites, you can try Netcraft’s tool or the LastPass tool.
- Change your passwords.
- This is also a good time to appreciate the value of two-factor authentication, like Gmail offers. Set it up wherever you can.
- Log out of all your mobile apps and log back in.
LastPass, a password management tool, has announced that it will inform users whether or not to change the passwords for websites saved in its app. Experts are still in the process of evaluating and fixing the damage. So if you get any password change emails from websites you use (verify the email source as well), take action at the earliest. However, be warned that people with bad intent are also watching to exploit the flaw during this hullabaloo. So don’t get trapped in between. I just hope there are no more undetected Heartbleeds out there. What do you think?