If you haven’t heard about Heartbleed yet, please take a few minutes to read. And if you have heard about it, but aren’t convinced of the severity of it, you also need to read.
“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.” (from Heartbleed.com)
This means that someone could read bits of information out of your server without ever causing a blip on the radar, no matter how closely the server is being monitored: information like your password (which is bad enough) or the public and secret keys used to encrypt everything (which is much worse).
The Heartbleed.com site gives you a lot of information – really technical information. From the iThemes.com blog, I found this passage which explains the impact of this bug in more common language.
“First, the bug was introduced into OpenSSL about two years ago. No one knows for sure how long anyone, including the bad guys, has known about it, according to theverge.com.
Second, many websites you connect to every day, including Yahoo, GitHub and others, currently use or recently used vulnerable versions of OpenSSL. According to the statistical site BuiltWith.com, OpenSSL is used in as many as 9% of the top web sites and, by some estimates, as many as two out of three web servers rely on OpenSSL to encrypt data.
Third, when you access your website through your host’s control panel or use a username and/or password on your site that has been used elsewhere, an attacker may already have your data.
In other words, this one is bad. Anything you’ve sent to any website over the past two years could already be in an attacker’s hand.” (Source: ithemes.com)
This is one of those things that everyone needs to worry about, and not just for their own websites, but especially for the websites you use every day. Every website that you log into uses some version of SSL encryption to send your login information. If one of those websites uses or used a vulnerable version of OpenSSL, your password could have been exposed to hackers. That also makes any other site where you use that password vulnerable, even if it never used OpenSSL, because now the bad guys have your password.
So how do you know if it’s safe?
This is what I’m going to be doing:
- Before I log into any site, especially banking and financial sites, I’m going to check that site URL on this website to see if it’s vulnerable – http://filippo.io/Heartbleed/
- Change passwords for EVERYTHING using new strong passwords. Use the tips in this post to help you create a strong password.
- Checking my website hosting company to make sure they’ve patched OpenSSL or are using something else. If your website is hosted with me, I’ll follow up with you to let you know that this has been completed.
- Update WordPress. Version 3.8.2 was released yesterday, which is a security update to fix some bugs. If you have automatic updates turned on (which is the default) then your site may already be updated. For my maintenance customers, I will be checking each site today to make sure it’s been updated.
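If you run your own server rather than relying on a host, the quickest first check for the third step above is the version string OpenSSL reports. The following is an added example written for this post (it is not from the original article, filippo.io or OpenSSL): a small POSIX shell helper that flags the upstream release numbers that shipped with the Heartbleed bug (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g of April 7, 2014 removed it). The function names and sample version strings are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): classify the output of
# `openssl version` against the upstream releases known to carry Heartbleed.
# Returns 0 (true) when the string names a vulnerable upstream release.
is_vulnerable_openssl_version() {
  case "$1" in
    "OpenSSL 1.0.1 "*|"OpenSSL 1.0.1"[a-f]*|"OpenSSL 1.0.2-beta1"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Caveat for real systems: Linux distributions often backport the fix without
# changing the version number (Debian and Ubuntu kept "1.0.1e", for example),
# so a "possibly vulnerable" result means "ask your host or read the package
# changelog", not "definitely exposed". A "built on" date from
# `openssl version -a` earlier than 7 Apr 2014 cannot include the fix, though.
report_openssl_version() {
  v="$1"
  if is_vulnerable_openssl_version "$v"; then
    echo "POSSIBLY VULNERABLE: $v (verify whether the fix was backported)"
  else
    echo "not a known-vulnerable upstream version: $v"
  fi
}

# Usage when run directly: inspect the locally installed OpenSSL, if there is one.
if command -v openssl >/dev/null 2>&1; then
  report_openssl_version "$(openssl version)"
fi
```

Run it on the server (or paste the output of `openssl version` into `report_openssl_version`) and treat a "possibly vulnerable" answer as the cue to confirm with your host or your distribution's security notices before assuming the server is patched.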
Remember to ALWAYS do a complete backup of your site before you upgrade the software, just in case there’s an issue during the process. If you need help with the backup/upgrade, I’m running a special through the end of next week (April 18, 2014) for a one-time backup/upgrade/backup of your WordPress website for only $35. Send me an email and we can talk about it and get you on the schedule.
For more information about Heartbleed, check out these sources…
- http://blog.sucuri.net/2014/04/patching-the-heartbleed-openssl-vulnerability.html
- http://krebsonsecurity.com/2014/04/heartbleed-bug-exposes-passwords-web-site-encryption-keys/
- http://www.thewire.com/technology/2014/04/what-you-need-to-know-about-heartbleed-the-new-security-bug-scaring-the-internet/360366/
- Top 1000 site test for Heartbleed vulnerability. Note: these were tested on April 8, 2014, so any listed as vulnerable may have been fixed by now. Check sites using this tool if you’re unsure.