So yesterday I paid for pesto with cash instead of my credit card, because of Heartbleed. I started the morning with an urgent message from my friend Thomas O’Dell, who was especially concerned about alerting our friends in the civil service. Not about pizza orders, to be sure, but internet security. A quick check was enough to make me turn to cash.
Reputable sites were describing Heartbleed as “one of the biggest, most widespread vulnerabilities in the history of the modern web.” Holy cow!
“OpenSSL [which provides security protocols] runs on 66% of the web. … [and] chances are, you interact with it several times a day. That interaction can be as simple as entering in a password for an email account or as complex as sending a private message or photo or even filing your taxes.
…this vulnerability has actually been around since December 2011. Lots of software packages started using the vulnerable version of OpenSSL in May 2012. So for two years, any app, website, bank or private messaging app that uses OpenSSL has been vulnerable to this bug.”
To learn more, Google “Heartbleed”, search Twitter or read Heartbleed.com for the bad news:
So this morning I checked my restaurant site using the LastPass Heartbleed checker and was informed that:
“The SSL certificate [for the restaurant] was valid 1 year ago at Dec 3 00:28:51 2012 GMT. This is before the heartbleed bug was published, it may need to be regenerated.”
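What the LastPass checker is doing with that message is a date comparison: it reads the certificate's "not before" date and asks whether the certificate (and so the private key behind it) was issued before Heartbleed was disclosed on 7 April 2014. The following is an added example, not LastPass's code or anything from the original post. It assumes you have captured the certificate dates yourself with `openssl x509 -noout -dates`; the sample text it parses is constructed to mirror the dates quoted above.

```python
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) was publicly disclosed on 7 April 2014.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample of what
#   openssl s_client -connect host:443 < /dev/null 2>/dev/null | openssl x509 -noout -dates
# prints. The dates mirror the checker output quoted in the post (hypothetical site).
SAMPLE_DATES = """notBefore=Dec  3 00:28:51 2012 GMT
notAfter=Dec  3 00:28:51 2013 GMT
"""


def parse_openssl_date(text):
    """Parse OpenSSL's human-readable date ('Dec  3 00:28:51 2012 GMT').
    Single-digit days are space-padded; strptime tolerates the extra space."""
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(
        tzinfo=timezone.utc
    )


def cert_issued_before_disclosure(not_before_text):
    """True when the certificate predates the disclosure, i.e. its private key
    sat on a possibly vulnerable server during the exposure window."""
    return parse_openssl_date(not_before_text) < HEARTBLEED_DISCLOSED


def assess(dates_output):
    """Classify a certificate from the two-line `-dates` output.

    Caveat, the same one the LastPass message carries: a pre-disclosure issue
    date means the key *may* have been exposed, not that it was; a
    post-disclosure date shows the site rotated its certificate, not that the
    server was patched before it did so.
    """
    fields = dict(line.split("=", 1) for line in dates_output.strip().splitlines())
    not_before = parse_openssl_date(fields["notBefore"])
    not_after = parse_openssl_date(fields["notAfter"])
    if not_before < HEARTBLEED_DISCLOSED:
        reason = (
            "certificate issued before the Heartbleed disclosure; the private "
            "key may have been exposed, so regenerate the key and certificate"
        )
        return {"not_before": not_before, "not_after": not_after,
                "regenerate": True, "reason": reason}
    reason = "certificate issued after the disclosure; the site has rotated its certificate"
    return {"not_before": not_before, "not_after": not_after,
            "regenerate": False, "reason": reason}


if __name__ == "__main__":
    print(assess(SAMPLE_DATES)["reason"])
```

Run it against a site's real `-dates` output and a "regenerate" verdict tells you only that the site has not yet rotated its certificate since the disclosure; it does not tell you whether the server was ever running a vulnerable OpenSSL, which is why waiting for the site's own notification before changing passwords is still the right order of operations.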
Well, I do hope small businesses in Singapore are getting help from IDA or their ISP or webpage vendor to sort this out immediately. [Update from CNA (10 Apr 2014): “IDA is urging all website owners in Singapore to heed the advisory issued by SingCERT”]
CNET consulted experts and suggests we do not log into accounts from afflicted sites until we are sure the problem has been patched. So wait until notification (48 hours?), then change your password!
This recent Mashable article lists sites which have initiated a fix already. But they have yet to inform users. Knowing this, though, it is time to change your password, in case a compromise was experienced, even if theft of data has not been detected:
- Google, GMail (has two factor authentication)
- Dropbox (has two factor authentication)
Regular changes of secure passwords can be tiring and difficult, and all the more so with multiple devices, unless you get help from a password manager. I am now making proper use of 1Password by AgileBits, who happily report that 1Password’s technology is not built on OpenSSL and so its encryption remains safe.
I do suggest to my students that they use the free LastPass and study the basics in order to use it well. Mostly they ignore me (!), but they might be a little more interested now. Thus episodic problems like these are ultimately helpful.
Oh, if you already have a LastPass account, it is now time to change your password too! LastPass fixed the problem and integrated a Heartbleed vulnerability check.
Once you have a password manager app, generating new secure passwords frequently is easy, but it will require some dedication. Still, if that’s all we need to overcome Heartbleed, technology can recede once again into the background.
Update: See “Heartbleed bug: What you need to know,” by Jane Wakefield. BBC News Technology, 10 Apr 2014.