By now, you've probably heard at least something about Heartbleed, a fairly widespread security bug in the way some websites protect user data. There's a lot of information floating around out there, so we wanted to reach out to our friends and partners to get them the critical facts, and hopefully clear a few things up.
So, here are a few common questions and answers about Heartbleed:
What is Heartbleed?
We'll keep it simple: Heartbleed is the name the tech community has given a bug that was just discovered in certain versions of OpenSSL, a software library that some websites use to encrypt sensitive data such as usernames, passwords, and credit card numbers. This bug has been around for the last two years, meaning that sites using affected versions of OpenSSL have been vulnerable during that time.
Which websites have been affected?
OpenSSL is one, but not the only, piece of encryption software that websites use to secure their data. 3n1media, for instance, uses a different security protocol for the websites we host, so they were not affected by Heartbleed. Furthermore, not all websites using OpenSSL were affected, since only certain versions were vulnerable. Security giant Trend Micro even reports that Heartbleed poses problems for only 17% of the websites using OpenSSL.
Still, a number of widely-used web services have been affected, including Box, Dropbox, Gmail, Facebook, and Netflix. Here's a more extensive list, but keep in mind that none of the lists being published by news organizations is completely exhaustive. If you have specific questions about a website or online service, we recommend reaching out to the vendor responsible, or consulting with a trusted technology partner, like 3n1media.
Should I change my passwords?
The short answer is yes. We've always recommended that users change their passwords regularly, especially for sites that store sensitive data. That way, you're always prepared for vulnerabilities like Heartbleed. Stolen passwords will do criminals no good if they've been changed.
Still, Heartbleed is a special case. For affected websites, it matters when you change your passwords, because a new password set before the site has been fixed could be exposed through the same bug. Vendors and site operators, if they have their users' best interests in mind, are currently patching their systems to eliminate the Heartbleed bug. Once the bug has been fixed, users will need to change their passwords in the event that they were compromised before the fix (this is unlikely, but better safe than sorry). So, be on the lookout for updates from vendors, and make sure to change your passwords when you see them. If you're not sure about a specific vendor, either consult with a technology partner, or contact the vendor directly.
As always, feel free to reach out to us if you have any questions about Heartbleed. As IT experts, we've been keeping a close eye on the situation. While it doesn't warrant mass hysteria, it is a serious security problem that requires vigilance and smart, timely action.