Heartbleed Security Flaw – What Do I Need to Do?

By: Dan Bremner

You’ve likely seen media coverage of the recent “Heartbleed” security issue. We have received a lot of questions about it, so I figured a brief FAQ might be helpful.

Q. This looks too long and I don’t have time to read it. Should I change all my passwords?

A. Yes, that is a good idea. This is especially important for websites that have credit card or banking information, or places where you’ve re-used the same password on multiple sites. Your Windows/Domain password is less likely to have been compromised, but it still wouldn’t hurt to change it, especially if it’s the same as a password you’ve used elsewhere.

Q. What is this “Heartbleed” flaw?

A. Most websites that deal with sensitive information (e.g. e-commerce, online banking, etc.) protect that information from unauthorized access using SSL (Secure Sockets Layer) encryption between your browser and the web server. OpenSSL is one widely-used software implementation of SSL. Specific versions of OpenSSL were discovered to have a flaw that could permit an attacker to read some of the data that the encryption was supposed to protect.

Q. Who or what is vulnerable?

A. Not all websites that use SSL are using OpenSSL. OpenSSL is just one programming library that implements the SSL protocol. However, OpenSSL is widely used, with some estimates putting it at over 60% of all SSL-enabled websites. Notably, Microsoft’s IIS servers do not use OpenSSL, so Outlook Web Access, Remote Desktop Gateway, and Office 365 connections were not at risk. It is not only websites: any app that communicated via SSL with a vulnerable server could also have been compromised.

Q. What’s the problem with using the same password on multiple sites?

A. If one site is vulnerable to this security hole and an attacker obtains your email address and password, they can try that email/password combination on other sites. Password-guessing programs are quite sophisticated now, so chances are good that they’ll try variations on that combination as well.

Q. Why am I reading advice to change ALL my passwords?

A. This flaw existed for 2 years or so before it was detected and fixed. It’s possible that attackers discovered and exploited it at any time during those 2 years. It’s hard to tell whether a site was vulnerable at some point during the last 2 years; all we can check is whether it’s vulnerable now. Changing passwords periodically is good security practice anyway, and “better safe than sorry” is the thinking behind that advice.

Q. I have dozens or hundreds of passwords on various websites and online apps. How can I possibly keep them straight if I’m not supposed to re-use the same password, or variations of it?

A. That’s a good question, and it highlights the inherent weakness of password-based security. One solution is to use a password manager, such as LastPass, KeePass, or 1Password, and let those programs suggest and maintain complex, random passwords for your online accounts.

Q. Where can I go for more information?

A. Mashable has a list of affected sites and recommendations for which passwords to change.

LifeHacker has a lot of good information, including this guide to what constitutes a “secure” password, and this one about why it’s best to have a password you can’t remember.

Here is a Heartbleed test that will report back if a site is vulnerable. It is best to wait to change your password until the site has patched OpenSSL, and ideally, has re-keyed its SSL certificate.
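The previous paragraph names two conditions to look for before changing a password: the site’s OpenSSL has been patched, and its certificate has been re-keyed. The following is an added example (not code from the post, nor from the linked Heartbleed test) of how an administrator auditing their own servers could check both from the output of `openssl version` and the certificate’s “Not Before” date. The function names, the sample banners and the sample dates are all constructed for illustration. One caveat a practitioner should know: Linux distributions often backport the fix without changing the version letter, so a banner such as `OpenSSL 1.0.1e` on a vendor-patched system can be safe even though the upstream version carries the bug; treat “vulnerable” here as “confirm the vendor patch level”.

```python
import re
from datetime import datetime

# Known facts, not from the post: upstream OpenSSL 1.0.1 through 1.0.1f (and the
# 1.0.2-beta1 pre-release) contain the Heartbleed bug; 1.0.1g fixed it, and the
# 0.9.8 and 1.0.0 branches never had it. Heartbleed was disclosed on 7 April 2014.
DISCLOSURE_DATE = datetime(2014, 4, 7)

# Matches banners like "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d+)?", re.I)


def classify_openssl_version(banner: str) -> str:
    """Classify an `openssl version` banner as 'vulnerable', 'patched' or 'unaffected'.

    Caveat (see lead-in): distributions backport fixes without bumping the letter,
    so 'vulnerable' means 'this upstream version has the bug; check vendor patches'.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4).lower(), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 with no letter, or letters a..f, is vulnerable; g and later are fixed.
        return "vulnerable" if letter == "" or letter <= "f" else "patched"
    if (major, minor, patch) == (1, 0, 2) and beta == "-beta1":
        return "vulnerable"
    return "unaffected"  # 0.9.8, 1.0.0, and releases that post-date the fix


def cert_reissued_after(not_before: str, patched_on: datetime = DISCLOSURE_DATE) -> bool:
    """Return True if a certificate's notBefore (OpenSSL text form, e.g.
    'Apr  9 12:00:00 2014 GMT') is later than the date the server was patched.

    A certificate issued before the patch may have had its private key exposed, so
    a new key and certificate are needed; the date is the simplest public signal.
    """
    parts = not_before.split()  # collapses the double space OpenSSL prints before single-digit days
    issued = datetime.strptime(" ".join(parts[:4]), "%b %d %H:%M:%S %Y")
    return issued > patched_on


def ready_to_change_password(banner: str, cert_not_before: str,
                             patched_on: datetime = DISCLOSURE_DATE) -> bool:
    """Both conditions from the post: library patched AND certificate re-keyed."""
    version_ok = classify_openssl_version(banner) != "vulnerable"
    return version_ok and cert_reissued_after(cert_not_before, patched_on)


if __name__ == "__main__":
    # Constructed sample inputs, not real audit results.
    samples = [
        ("OpenSSL 1.0.1e 11 Feb 2013", "Mar  1 00:00:00 2014 GMT"),
        ("OpenSSL 1.0.1g 7 Apr 2014", "Mar  1 00:00:00 2014 GMT"),
        ("OpenSSL 1.0.1g 7 Apr 2014", "Apr  9 12:00:00 2014 GMT"),
    ]
    for banner, not_before in samples:
        print(f"{banner:32} cert from {not_before:24} "
              f"version={classify_openssl_version(banner):10} "
              f"ready={ready_to_change_password(banner, not_before)}")
```

Run it as a script to see the three constructed cases; in practice the banner comes from `openssl version` on the server and the date from the certificate’s “Not Before” field. The date check is deliberately conservative: a certificate issued after the fix is necessary for confidence that a new key is in use, but it is not proof that the old key was destroyed.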

Finally, if you want all the geeky details, see http://heartbleed.com for more information.

We have audited sites for our Managed IT clients and notified any we found that had vulnerable code. If you have specific questions about your situation, please feel free to give us a call.


Leave a comment!

You must be logged in to post a comment.