By now just about everyone on the planet has heard about the Heartbleed bug that affects a key component present in most Linux operating systems, OpenSSL. It is a serious matter, but all the shouting from the media is obscuring appropriate advice. Because I've received an unusual number of questions about this issue from clients, I've decided to post my best advice.
Caveat: I'm neither a security nor Linux expert. If you have serious concerns, consult another source.
The big problem with the OpenSSL vulnerability is that it went undetected for a long time. It is thus very difficult to assess what sort of damage might have been done. The only people who can tell you that are those with whom you do business, and you should ask them, within reason. I'll explain that in a moment.
Let's turn this into a Q&A, which might be more helpful.
What is SSL?
SSL stands for Secure Sockets Layer. It is a protocol for moving information across the Web in an encrypted fashion. It forms the basis for all secure transactions on the Internet.
What is Heartbleed?
Heartbleed is the name of a bug found in the OpenSSL software. This bug allows a third party to obtain the keys used for the encryption/decryption of the data being transmitted and thus allows the third party to eavesdrop on such transmission. See The Heartbeat Bug for an excellent explanation.
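To make the mechanism behind that explanation concrete, here is a small simulation added for this newsletter; it is not OpenSSL's code and it talks to nothing on the network. A TLS heartbeat request carries a "payload length" field followed by the payload. The unpatched handler trusted the claimed length and copied that many bytes back out of its buffer, so a short request that claimed a large length got back whatever happened to sit next to it in memory, which in practice included keys and session data. The patched handler simply checks the claimed length against what actually arrived. The buffer contents and the "secret" placed after the request are constructed for the example.

```python
"""Toy model of the Heartbleed over-read (added illustration, not OpenSSL code).

A heartbeat request body is: type (1 byte) | payload_length (2 bytes) | payload.
The server is supposed to echo the payload back. The defect was that the
unpatched handler believed payload_length without checking it against the
size of the record it had actually received.
"""
import struct
from typing import Callable, Optional

# Constructed stand-in for whatever followed the request buffer in the
# server's memory: data the server would never intend to send back.
SECRET_AFTER_BUFFER = b"session-cookie=abc123;private-key-fragment=..."

HEADER_LEN = 3  # 1 byte type + 2 byte big-endian payload length


def build_heartbeat(claimed_length: int, payload: bytes) -> bytes:
    """Build a heartbeat request whose length field may disagree with the payload."""
    return struct.pack("!BH", 1, claimed_length) + payload


def vulnerable_heartbeat_response(memory: bytes, record_length: int) -> bytes:
    """Unpatched behaviour: copies `payload_length` bytes starting after the
    header, never comparing that length with `record_length`, so the copy can
    run past the request into adjacent memory."""
    _, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    return memory[HEADER_LEN:HEADER_LEN + payload_length]


def patched_heartbeat_response(memory: bytes, record_length: int) -> Optional[bytes]:
    """Patched behaviour: the header plus the claimed payload must fit inside
    the record that actually arrived; otherwise the request is silently dropped."""
    if record_length < HEADER_LEN:
        return None
    _, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if HEADER_LEN + payload_length > record_length:
        return None  # claimed length exceeds what was received: discard
    return memory[HEADER_LEN:HEADER_LEN + payload_length]


def simulate(handler: Callable[[bytes, int], Optional[bytes]],
             claimed_length: int, payload: bytes) -> Optional[bytes]:
    """Place a request in a constructed memory buffer and run the given handler."""
    request = build_heartbeat(claimed_length, payload)
    memory = request + SECRET_AFTER_BUFFER  # request, then unrelated memory
    return handler(memory, len(request))


def leaked_secret(response: Optional[bytes]) -> bool:
    """True if the echoed bytes contain data from beyond the request."""
    return response is not None and b"private-key-fragment" in response


if __name__ == "__main__":
    honest = simulate(vulnerable_heartbeat_response, 4, b"ping")
    overread = simulate(vulnerable_heartbeat_response, 60, b"ping")
    blocked = simulate(patched_heartbeat_response, 60, b"ping")
    print("honest request, unpatched :", honest)
    print("oversized claim, unpatched:", overread, "leak:", leaked_secret(overread))
    print("oversized claim, patched  :", blocked)
```

Run it and the unpatched handler echoes "ping" followed by the constructed secret, while the patched handler returns nothing for the same request; that single length comparison is the whole of the fix.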
Is the SSL Protocol Compromised?
No. The OpenSSL software itself has a bug, which allowed it to be exploited by the bad guys. SSL itself is fine. Systems that do not use OpenSSL were not affected in any way.
How Do I Know if a Service I Use is Compromised?
There is no way to tell except to ask.
If you're like me, you've got dozens of sets of login credentials to Web sites far and wide. But here's the thing - the vast majority of those sites don't store vital information about you. For example, I participate in a number of discussion groups. None of these know anything about me that I don't already make generally public. For the most part, they don't have a credit card number.
Check with your financial institutions first, then with any business that has your social security number, then with any health care or insurance provider. Then you can do the rest. Take notes.
Should I Just Change All My Passwords Now?
No. This is important. Do not change your password until you have confirmed that the particular site is no longer vulnerable. If the site remains vulnerable and you provide a new password, then you may also be providing it to the bad guys.
This is the big part of the panic that I think the media is stirring up by suggesting that you need to change all your passwords right away. Take your time to assess which accounts are most important, inquire with the company or look to their Web sites for announcements, and only then change your password once you know the site is safe.
Should I Change All My Passwords Eventually?
Yeah, it's a real pain. But yes, it's a good idea. (Buy a password manager.)
What About My Credit Card Numbers?
Check with your issuer first for their best advice, then with any online business to whom you have provided the number. But, like passwords, don't make a change until you know all the businesses who have a card number on file are once again safe.
Is My PC or Tablet or Phone Compromised?
No. The bug resides on servers and the exploit thus resides on servers.
Should I Change the Security Software on my PC?
No. Heartbleed only lives on Linux servers running OpenSSL.
Are All Servers Affected?
No. Windows servers use Microsoft's implementation of the SSL protocol, not OpenSSL. OpenSSL runs on Linux servers.
I notice that, as usual, Microsoft is getting very little credit in the press for having a secure solution. To the best of my knowledge, bolstered by checks through my network, Heartbleed has no effect on Windows servers. (See Microsoft's blog statement.)
This is thus the first question you can ask when inquiring with one of your services. Are they running Linux or Windows servers? If the answer is Windows, you're safe and don't need to do a thing.
Is the Web Site You Built for Me Compromised?
I don't want to go into too much detail about why my answer is no because my Client Newsletter is a public document and I don't discuss the security of the systems I build in public. If my "no" is not good enough for you, by all means please inquire.
For those of you with stores, neither PayPal nor E-Junkie is affected. You do not need to change your passwords to those services and the transactions conducted by your customers through those services were and continue to be secure.
Has the Bug in OpenSSL Been Fixed?
Yes. The production version of the code was quickly fixed and made available. A beta version, which most businesses would not use in production, will be fixed soon.
If the Fix Has Been Made, Why Is There Still a Problem?
I promise you that any business who finds that they need to deal with this is dealing with it as quickly as they possibly can. Why? Because it probably affects both the systems (Web sites) you use and many of the internal systems they use.
However, any time a key component in an operating system is changed, it must go through extensive testing. This is much more critical for a security component, and more critical again for an open source program. A mistake in an area like this could make the problem worse and seriously damage a business's reputation. While everyone was blindsided by Heartbleed and no one but the bad guys is to blame, imagine what a nightmare it would be for a company that got the fix wrong.
Is This Problem Limited to the U.S.?
Nope. It's everywhere.
Is the U.S. Government Exploiting Heartbleed?
I don't know. It seems to be the case that the NSA was collecting information without warrants. Put it this way - if I were a spy agency and I found a tool, would I use it? Probably. The NSA has denied it.
Lots of things are scary. Don't let fear or panic interfere with your cool-headed analysis of your own situation followed by a methodical approach to confirming the security of your most personal information.