
The Heartbleed security bug, is my website affected?


Posted in E-Commerce, Information Technology, Internet Security, Website Hosting by Abilash on April 10, 2014

So what is this Heartbleed bug and why all the fuss?

Heartbleed is a flaw in OpenSSL, an open-source encryption technology that is used by an estimated two-thirds of Web servers. It is behind many HTTPS sites that collect personal or financial information. These sites are typically indicated by a lock icon in the browser to let site visitors know the information they’re sending online is hidden from prying eyes. The flaw allows a hacker to read the memory of the servers/websites protected by the vulnerable version of the OpenSSL software. This compromises the secret keys used to identify the service provider and encrypt the traffic, as well as data which may contain usernames and passwords. With these, attackers can eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.

It was discovered by a Google researcher and an independent Finnish security firm called Codenomicon. The researchers have put up a dedicated site to answer common questions about the bug. They even gave it an adorably gruesome custom icon!

Why the name Heartbleed bug?

The bug is in OpenSSL’s implementation of the heartbeat extension (RFC 6520) for the TLS/DTLS transport layer security protocols, hence the name.

So what does it do? It’s the ultimate web nightmare!

Yes, this bug is unique and has left almost two-thirds of the internet’s servers using SSL encryption vulnerable. Experts also claim that traces of the attack have been found in audit logs dating back to last November. Attacks based on the exploit could date back even further. Many popular websites like Facebook, Dropbox, Yahoo, Gmail, etc. have been vulnerable and have recently patched their servers too.

At the very least, Heartbleed exposes your usernames and passwords. It also compromises the session keys that keep you logged into a website, allowing an outsider to pose as you — no passwords required. And it allows attackers to pose as a real website and dupe you into giving up your personal details.

How do I know if my website is vulnerable to the Heartbleed bug?

If you own a website with SSL, there is a good chance that you have been vulnerable. You can make use of some of the free tools available, like Geotrust’s SSL Checker, to scan your SSL website. If you are vulnerable, you may want to patch your servers as soon as possible before hackers take advantage of this public disclosure.

Where to find more information?

The OpenSSL project has made a statement at https://www.openssl.org/news/secadv_20140407.txt. NCSC-FI published an advisory at https://www.cert.fi/en/reports/2014/vulnerability788210.html. Individual vendors of operating system distributions, affected owners of Internet services, software packages and appliance vendors may also issue their own advisories.
