The media are reporting on a website security vulnerability which has recently been discovered to be affecting some versions of OpenSSL – the security layer that most ‘HTTPS’ websites use to encrypt data sent between you and them.
In short, the vulnerability, known as ‘Heartbleed’ (after the ‘heartbeat’ SSL extension) means it’s potentially possible for hackers to force websites to release data which could, possibly, include your login details or other sensitive info. In other words, HTTPS ain’t as S as we thought.
(Image caption: Why on Earth does a security flaw get its own logo?)
The media are treating this as something of an apocalypse, and there’s no doubting that it is a huge problem for websites, and a somewhat smaller problem for users.
First, the vulnerability only occurs in certain versions of OpenSSL. Granted, quite popular versions, but still not every site is affected. Many of those that are have already taken steps to patch the hole.
Then, the vulnerability has existed for around two years already. That perhaps gives us an idea that the mere existence of the flaw isn’t itself The End Of The Internet. We’ve all been living with it for two years. Now, that’s not to say that because nasty things haven’t already happened they can’t happen now – of course they could, and so some precautionary action may well be needed.
The media are advising everybody to change all their passwords. That’s half-good advice. I’d say it’d be good practice and a sensible precaution to change your passwords once you know the site in question has been patched. If the site you’re using hasn’t fixed the vulnerability then your new password is as exposed as the old one.
How do you know if any given site has been fixed? The security company LastPass have provided a tool that allows you to check a site for Heartbleed by typing in the site’s URL: CLICKY
Generally, it’s a good idea to change your passwords every so often anyway; you should always use a different password for every account; and make the passwords as difficult to guess as possible. A good password will look something like this: .2jP6mv&lioM_$KZ (No, that’s not a password I use.) You’ll see it isn’t a word; it doesn’t contain any predictable sequences; and it contains a mix of upper- and lower-case letters, numbers and symbols.
Passwords like this represent the trade-off between convenience and security: if a password’s easy for you to remember and type in, then it’s easy for a hacker to find it. That’s bad. But if it’s hard for a hacker, it’s also hard for you. That’s bad, too. To get round this, I use Infinite Password Generator, by Ikitek Software: it’s a small program, available for free, which lets you type in a secret key-phrase and a simple, easy-to-remember password for each site, and then creates a complex password for you to actually use by hashing the two values together. It’s also available on Android, though I’m afraid I don’t know if there’s an iOS version.
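To make the idea of “hashing the two values together” concrete, here is an added example of a deterministic site-password generator. It is not code from the post and not Infinite Password Generator’s own algorithm (which is not described here); the choice of PBKDF2-HMAC-SHA256, the iteration count, the 16-character length and the symbol set are all assumptions made for this illustration. It also checks its output against the criteria from the paragraph above about what a good password looks like: no repeated or ascending runs, and a mix of upper- and lower-case letters, digits and symbols.

```python
"""Deterministic site-password derivation (added illustration, not the post's
or Infinite Password Generator's code).

A secret key-phrase and a short, easy-to-remember per-site word are hashed
together; the same two inputs always give the same password, and different
site words give unrelated passwords.  All algorithm choices below are
assumptions made for this example.
"""
import hashlib
import string

# The character classes the post says a good password should mix.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!#$%&*+-./:;=?@^_~"   # assumption: symbols most sites accept
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS

# Largest multiple of len(ALPHABET) that fits in a byte; bytes at or above
# this are rejected so every alphabet character is equally likely.
_REJECT_FROM = 256 - (256 % len(ALPHABET))

PBKDF2_ROUNDS = 100_000          # assumption: slows down guessing the key-phrase


def looks_strong(pw: str, min_length: int = 12) -> bool:
    """Apply the post's rules of thumb for a good password.

    Requires a minimum length, at least one character from each class, and
    no run of three identical characters or three consecutive ascending
    characters (e.g. "aaa", "abc", "123").
    """
    if len(pw) < min_length:
        return False
    if not all(any(c in cls for c in pw) for cls in (UPPER, LOWER, DIGITS, SYMBOLS)):
        return False
    for a, b, c in zip(pw, pw[1:], pw[2:]):
        if a == b == c:
            return False
        if ord(b) - ord(a) == 1 and ord(c) - ord(b) == 1:
            return False
    return True


def derive_password(key_phrase: str, site_word: str, length: int = 16) -> str:
    """Derive a fixed-length password from a master key-phrase and a site word.

    The site word (plus an attempt counter) is the PBKDF2 salt, so the output
    is deterministic per site.  Bytes are mapped onto ALPHABET with rejection
    sampling, and the attempt counter is bumped until the result passes
    looks_strong(), so the returned password always covers every class.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    for attempt in range(256):
        salt = f"{site_word}:{attempt}".encode()
        # Derive more bytes than needed so rejection sampling rarely runs short.
        raw = hashlib.pbkdf2_hmac("sha256", key_phrase.encode(), salt,
                                  PBKDF2_ROUNDS, dklen=length * 4)
        chars = [ALPHABET[b % len(ALPHABET)] for b in raw if b < _REJECT_FROM]
        if len(chars) < length:
            continue
        candidate = "".join(chars[:length])
        if looks_strong(candidate):
            return candidate
    raise RuntimeError("could not produce a password covering every class")


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    master = "a long secret phrase only I know"
    for site in ("bank", "mail"):
        print(site, derive_password(master, site))
```

The key-phrase is the only real secret in a scheme like this: anyone who learns it and knows the scheme can regenerate every site password, so it deserves far more care than the per-site words. Note also that after a site has patched Heartbleed, “changing your password” there means changing that site’s word, since the same key-phrase and word will always reproduce the old password.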
Infinite Password Generator isn’t under development any more, as far as I know, so I can’t guarantee it’ll always be available for download; but I figure once you’ve downloaded it, you can keep a copy somewhere safe in case you need to reinstall. Otherwise, there are plenty of other password-generating programs out there; or there are tutorials available online on how to manually create a strong password that’s easy for you to work out when you need it.
One last thing: Any time any concern like this emerges amongst the public, there will be people ready to exploit that concern for their own ends. In this case, I’d be surprised if scammers aren’t already busy sending out emails warning about Heartbleed and offering to ‘fix your computer’ (it isn’t your computer that needs fixing; it’s the websites you visit), or otherwise trying to get you to hand over your money, your login codes, or your bank details. Heartbleed itself is a relatively passive problem. Scammers are very actively trying to deceive you. Don’t be deceived: unsolicited emails offering nebulous solutions to complex technology problems are invariably scams. For that matter, unsolicited emails from anyone you don’t know or haven’t invited to email you are likely to be scams. Don’t let them take advantage of you.