The simple truth about the Heartbleed bug

We have heard from many people this week regarding the Heartbleed bug. Most folks are in a panic because they really do not understand what it is and how it can affect them. Some folks think that every site out there might be affected, or that their own business websites could be vulnerable. So let me first give you a high-level overview of what the Heartbleed bug is and then what you need to do about it.
The Heartbleed bug has affected some of the largest sites out there. Some of the sites are:
  • Dropbox
  • Facebook
  • Gmail
  • GoDaddy
  • Google
  • Instagram
  • SoundCloud
  • Tumblr
  • Pinterest
  • Yahoo

What is the Heartbleed bug?

This bug affects not only websites, but also other services like instant messaging, email, and some private networks. You might notice when you connect to a website securely that the URL in your address bar is https://web_site_name rather than http://. The “S” stands for secure HTTP. This security uses an encryption method known as SSL (Secure Sockets Layer). The heart of this encryption is the “secret key”, which is analogous to a magic decoder ring: it allows you to decrypt the data. The bug affects a certain brand of this software and allows someone with the skill and malicious intent to steal information from the memory of the affected server. This memory is of finite size, so only the latest information would be available for them to pilfer. For a deeper look at this issue you can go to: heartbleed site

Am I affected?

If you do business or interact with any site that has used the bugged version of SSL, then you are affected. Some people are asking us if their websites are affected, and the answer will vary with each person. If you are doing e-commerce or using SSL on your site, then possibly. (Remember, SSL is used if you connect via HTTPS.) I would recommend that you contact your web team and ask them to investigate this for you.

What do I need to do?

The vast majority of people need only to change their passwords on the affected sites. By now almost all of the major players have migrated to a non-affected version of SSL, and it is safe to change the password. I would recommend that you do a bit of investigation and ensure that the site has upgraded its software. If you are unsure, consider that changing the password on a site that is still affected puts your information in memory on the affected machine, where it could be exposed to prying eyes with malicious intent. I would contend that most of the major sites out there have addressed this bug and should no longer be affected.

If you have a website that uses SSL, then you need to contact your web team and have them upgrade the SSL software to an unaffected version. Keep in mind that this bug has been out there since March of 2012 and was only recently uncovered.

If you have questions feel free to reach out to us.  We will be glad to help.  We can be reached at heartbleed@pingtechgroup.com

 

1 Comment

  1. I wanted to share a link with a more complete listing of affected sites: You can view it here: Mashable's list of affected sites
