14/04/2014

Heartbleed – should you be worried?

Daneswood

Exeter Web Design and Digital Marketing Agency - we've built over 900 websites for businesses, charities and public bodies. We specialise in Web development, eCommerce, Digital marketing, Branding, Positioning, Design and Print. Based in Exeter, in Devon, we have clients across the UK. Contact us for help making your marketing more effective.

Over the last week or so you may have started to receive emails, or seen articles and news reports, about Heartbleed, and been a bit confused and concerned about what it means if you run a website or even just use one.

What is Heartbleed?

Heartbleed is a security bug in a piece of software called OpenSSL. This is the code behind the vast majority of security certificates (HTTPS connections) used on websites across the world. OpenSSL essentially encrypts the information you enter into a website so that it can’t be seen by others while it is passing between your computer and the website. Typically it is used on any website where you need to register an account or provide privileged information such as your name, address, password or credit card details.

OpenSSL is an Open Source programme which, like other Open Source code, was developed by volunteers free of charge. It is, however, used by commercial providers of security certificates and is embedded in their commercial products. Unfortunately, back in 2011 a small but significant error was made in the code that potentially allows a third party to read data from the server’s memory, including data you have entered, without anyone knowing.

This bug exists because OpenSSL has a feature called heartbeat, which is what Heartbleed exploits. A heartbeat is a signal exchanged between your computer and the website server to confirm that the server is still active and responding to your requests. A small piece of data is sent to the server, and normally the server sends back exactly that data and nothing more. However, on servers affected by this bug, a malicious third party can send a small heartbeat request that claims to be much larger than it really is, and the server replies with that larger amount, so more information is returned than was ever sent. Doing this repeatedly could allow them to retrieve a great deal of information from the server. This could be any data held in the server’s memory.
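To make the mechanism concrete, here is an added Python simulation (not code from the original post, and not OpenSSL’s own code) of the heartbeat message format from RFC 6520: one handler trusts the claimed payload length as unpatched OpenSSL did, the other applies the bounds check that the fix added. The server memory, the “hello” payload and the secret bytes sitting next to it are constructed sample data.

```python
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
HEADER_LEN = 3    # type (1 byte) + payload_length (2 bytes, big-endian)
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding

def build_heartbeat(payload: bytes, claimed_len=None) -> bytes:
    # A well-behaved client sets payload_length to len(payload); a hostile one may claim more.
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN

def handle_heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    # Pre-patch behaviour: trust payload_length and copy that many bytes from where the
    # payload starts, even when that runs past the end of the record that arrived.
    msg_type, length = struct.unpack("!BH", memory[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return b""
    echoed = memory[HEADER_LEN:HEADER_LEN + length]  # over-read when the length is a lie
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + echoed + b"\x00" * PADDING_LEN

def handle_heartbeat_fixed(memory: bytes, record_len: int) -> bytes:
    # Patched behaviour: the claimed payload plus padding must fit inside the record
    # that actually arrived; otherwise the message is silently discarded.
    if record_len < HEADER_LEN + PADDING_LEN:
        return b""
    msg_type, length = struct.unpack("!BH", memory[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST or HEADER_LEN + length + PADDING_LEN > record_len:
        return b""
    echoed = memory[HEADER_LEN:HEADER_LEN + length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, length) + echoed + b"\x00" * PADDING_LEN

def response_payload(response: bytes) -> bytes:
    # The echoed payload of a response, or b"" if the server dropped the request.
    if not response:
        return b""
    _, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length]

def simulate(claimed_len: int) -> tuple:
    # Model server memory as the received record followed by unrelated data: a constructed
    # stand-in for whatever else the process happened to be holding at the time.
    record = build_heartbeat(b"hello", claimed_len)
    adjacent = b"session_cookie=SECRET; card=4111111111111111"  # constructed sample data
    memory = record + adjacent
    vulnerable = response_payload(handle_heartbeat_vulnerable(memory, len(record)))
    fixed = response_payload(handle_heartbeat_fixed(memory, len(record)))
    return vulnerable, fixed
```

Calling `simulate(40)` shows the unpatched handler echoing bytes from beyond the 5-byte request, while the patched handler returns nothing at all; with an honest length (`simulate(5)`) both echo just `hello`.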

What does it mean for my website?

The scale of this problem still isn’t fully understood. Estimates of affected servers have ranged from 17% to 60% of all web servers. Whichever it is, that is still an awful lot of servers. If you are a website owner then there’s not much you need to do: most hosting companies will by now have applied a patch to their servers to fix the bug. At Daneswood, we have patched all the servers where we provide hosting, so your website should not be vulnerable to this exploit. If you want to check the state of your site, just enter your domain name at https://filippo.io/Heartbleed/

Should I be worried about my data?

The short answer is – maybe. You don’t know for sure which of the websites you have used in the last 30 months could have been affected, or whether anyone was aware of the bug and decided to use it to capture your information. But the chances are that it could have happened, so you should consider acting accordingly.

So what should you do? What you ought to be doing anyway: change your passwords regularly. Most people use a very small number of passwords for all the systems they access, which makes you more likely to get hacked, and this exploit should prompt you to change all your main passwords. If you have a Google or Yahoo account then you definitely should, as both have acknowledged being affected by the bug (although they have since applied the patch). Change a password only once the service concerned has been patched, otherwise the new one could be exposed in exactly the same way. You should also change your banking, email and shopping account passwords: anything where there might be a financial implication if your account were accessed.

As a matter of course you shouldn’t be using the same password for more than one service but, of course, most people do. You may want to consider a password manager such as LastPass or 1Password, which lets you manage lots of passwords without having to remember each and every one. They also mean you can use more complex passwords, with a mix of upper and lower case letters, numbers and symbols, without having to surround your PC with Post-its.