There is what-has-been-described-as a catastrophic bug affecting hundreds of thousands of websites worldwide. The bug, first publicly reported on April 7, has been labelled ‘Heartbleed’ and occurs within the software used to create a secure connection whenever a user accesses a website such as an online bank, a shop, an email provider and so on. The software is called OpenSSL and Heartbleed allows third parties to read the data that should be travelling through the secure connection: data that may include account names and passwords, addresses, credit card details and so on.
High profile sites that were affected include Yahoo (and its services including Flickr), OkCupid, Github, LastPass and Dropbox.
Websites wanting to remove the vulnerability have to do two things:
- Remove the bug in the OpenSSL software.
- Regenerate their SSL certificate.
Many websites have removed the bug but the second step is taking longer, not least because the certificate-issuing authorities are alleged to have been overwhelmed with the load.
How can I check a website for Heartbleed?
To check whether a website that you use has the vulnerability, you can use two tools:
- This tool by Filippo Valsorda only checks for the presence of the bug; it does not check for whether the website has regenerated its SSL certificate.
- This tool by LastPass is better, because it does check both steps.
Both tools allow you to enter the address of a web server then perform a check. As of this moment, for example, running a check on Dropbox returns the information that the bug has been removed but that the SSL certificate has not yet been regenerated.
Although the typical advice after a security situation like this is to change your password on each affected site, in this instance it is important that you wait until you have had notification from the website in question that it has done the two steps mentioned above to re-secure its site. Only then should you change the password.
As ever, follow some rules on password creation (the most important of which is not to reuse the same password on multiple websites).
(Heartbleed icon by Codenomicon.)