Users affected the most as Heartbleed takes center stage

[Update April 14, 2014 06:00 AM] We updated the list of services at the end of this post to include recently discovered tools and suggestions by some of our readers.

Original post:

When someone in your family who’s probably not as computer and internet savvy as you starts asking you about Heartbleed, you know that this online threat has hit mainstream.

Heartbleed, officially tracked as CVE-2014-0160, is a serious bug in OpenSSL, the cryptographic library that many websites use to secure their connections.

If hackers take advantage of it, they can retrieve encryption keys that can be used to decrypt sensitive information that users would normally protect or keep private, such as email exchanges, IM chat messages, usernames, passwords and credit card numbers.

This bug has reportedly been around for two years but was only recently found and made public by a Google Security researcher and Codenomicon, the company behind Heartbleed.com, an informative FAQ site devoted to educating and addressing major queries from curious and concerned netizens.
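To make concrete why a missing length check lets a peer read keys out of a server's memory, here is an added C model of the heartbeat handling that was at fault, beside the check that the fixed OpenSSL release added. This is illustrative code written for this post, not OpenSSL's source and not a tool from the original article. The record buffer, the "ping" payload, the secret string and its offset are all constructed for the simulation; the arena guard in the vulnerable path exists only to keep the toy in bounds, where the real code read from whatever adjacent heap memory held.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520: at least 16 bytes of padding */
#define ARENA_SIZE       256

/* Constructed stand-in for the received TLS record and the process memory
 * that happened to follow it. The heartbeat message fills the first
 * `record_len` bytes; a constructed secret sits further up the arena, where a
 * real server might have held private-key material or session data. */
typedef struct {
    unsigned char data[ARENA_SIZE];
    size_t record_len;            /* bytes actually received from the peer */
} record_t;

static const char SECRET[] = "SECRET-KEY-MATERIAL";   /* constructed */
#define SECRET_OFFSET 64

/* Lay out the arena: heartbeat request (type, 16-bit length, payload, padding)
 * followed, at a distance, by the secret. `claimed_len` is the length field
 * written into the message; `payload` is what is actually sent. */
static void build_record(record_t *rec, uint16_t claimed_len, const char *payload) {
    size_t actual = strlen(payload);
    memset(rec->data, 0, ARENA_SIZE);
    rec->data[0] = TLS1_HB_REQUEST;
    rec->data[1] = (unsigned char)(claimed_len >> 8);
    rec->data[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(rec->data + 3, payload, actual);
    rec->record_len = 3 + actual + HB_PADDING;     /* padding bytes stay zero */
    memcpy(rec->data + SECRET_OFFSET, SECRET, sizeof SECRET);
}

/* Shared tail: echo `payload` bytes that follow the 3-byte header. */
static int echo_payload(const record_t *rec, unsigned int payload, unsigned char *resp) {
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = rec->data[1];
    resp[2] = rec->data[2];
    memcpy(resp + 3, rec->data + 3, payload);
    return (int)payload;
}

/* Vulnerable shape: the length comes from the message itself and is never
 * compared with how many bytes arrived, so the copy runs past the record.
 * Returns the echoed payload length, or -1 if discarded. */
static int heartbeat_vulnerable(const record_t *rec, unsigned char *resp) {
    unsigned char hbtype = rec->data[0];
    unsigned int payload = ((unsigned int)rec->data[1] << 8) | rec->data[2];
    if (hbtype != TLS1_HB_REQUEST) return -1;
    if (3 + payload > ARENA_SIZE) return -1;   /* simulation guard only */
    return echo_payload(rec, payload, resp);
}

/* Fixed shape: silently discard unless the record really holds the header,
 * the claimed payload and the minimum padding. */
static int heartbeat_fixed(const record_t *rec, unsigned char *resp) {
    if (1 + 2 + HB_PADDING > rec->record_len) return -1;
    unsigned char hbtype = rec->data[0];
    unsigned int payload = ((unsigned int)rec->data[1] << 8) | rec->data[2];
    if (1 + 2 + payload + HB_PADDING > rec->record_len) return -1;   /* the fix */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    return echo_payload(rec, payload, resp);
}

/* Does the echoed payload contain the constructed secret? */
static int response_leaks_secret(const unsigned char *resp, int n) {
    size_t slen = strlen(SECRET);
    if (n < 0) return 0;
    for (size_t i = 3; i + slen <= (size_t)(3 + n); i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Run one "ping" request with the given claimed length through either
 * handler. Returns the echoed length or -1; *leaked (if non-NULL) reports
 * whether the secret came back in the response. */
int simulate(int use_fixed, uint16_t claimed_len, int *leaked) {
    record_t rec;
    unsigned char resp[ARENA_SIZE + 3];
    build_record(&rec, claimed_len, "ping");
    int n = use_fixed ? heartbeat_fixed(&rec, resp) : heartbeat_vulnerable(&rec, resp);
    if (leaked) *leaked = response_leaks_secret(resp, n);
    return n;
}

int leaks(int use_fixed, uint16_t claimed_len) {
    int leaked;
    simulate(use_fixed, claimed_len, &leaked);
    return leaked;
}

int main(void) {
    int leaked, n;
    n = simulate(0, 200, &leaked);
    printf("vulnerable, claimed 200: echoed=%d leaked=%d\n", n, leaked);
    n = simulate(1, 200, &leaked);
    printf("fixed,      claimed 200: echoed=%d leaked=%d\n", n, leaked);
    return 0;
}
```

An honest request whose length field matches its four-byte payload is echoed by both handlers; a request that claims 200 bytes while sending four is echoed in full by the vulnerable handler, secret included, and discarded by the fixed one. The discard is silent on purpose: answering with an error would tell the peer something about the record size.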

It may seem that this flaw can only be exploited from the server side; however, nothing could be further from the truth.

“Vulnerable OpenSSL implementations on the client side can be attacked using malicious servers to extract passwords and cryptographic keys,” a security professional with the SANS Institute told The Register. “It’s an attack that would probably yield handy amounts of data if deployed against users of public Wi-Fi hotspots, for example.”

Like the online providers affected by Heartbleed, internet users are also asked to mitigate the threats the bug brings with it before it’s too late.

Below is a handy list of services you may find useful for protecting your system and your privacy:

  • Heartbleed Test. This is a website you can use to check whether the domain you’re visiting is vulnerable to the Heartbleed bug.
  • LastPass Heartbleed Checker. Another site checker similar to Heartbleed Test, this time brought to us by the makers of LastPass, a popular password manager.
  • LastPass. If you, dear Reader, would like to update the passwords of all your accounts with online providers that were found to be vulnerable to Heartbleed, LastPass (and others like it) can make generating and remembering passwords a breeze.
  • Chromebleed. This is a browser extension for Chrome users that displays a warning if the site they have visited is affected by Heartbleed. The majority of reviewers, however, express disappointment at the app’s intrusiveness. If this is a concern, you may opt to just use the first two checkers I mentioned above.
  • Janet Certificate Service. This is a service that replaces the certificates of websites owned by universities, colleges, and research organizations affected by the bug.
  • Alternatives to OpenSSL. Users and online service providers may also consider using alternative cryptographic libraries. We can’t, however, vouch for their effectiveness, as we haven’t tested them ourselves. Thanks to commenter Matt Howard for the suggestion.
  • Heartbleed Detector. Our friends at Lookout created this smartphone app to let users know whether their mobile OS is vulnerable to Heartbleed. You can read more about it in their blog post here.

If you have other tools or site sources in mind that you think we should include in the list, please leave us a comment.
