Seven things you need to know about the Heartbleed Bug

Everything you need to know about the Heartbleed Bug
Time to reset all your passwords

You might have thought that little padlock in your browser address bar meant you were safe. That your web connection was encrypted, and you could securely provide user names, passwords, credit card numbers, and more.

But it's time to think again.

The recently-discovered Heartbleed bug could allow attackers to read the memory of an apparently protected web server, potentially giving them access to user names, passwords, credit card details, and anything else you might have been doing at that site.

And if you think that's bad, Heartbleed has been leaving your confidential data open to attack for more than two years. What does this mean? Here's everything you need to know.

1. What is Heartbleed?

It's a serious vulnerability in OpenSSL, a popular library used to encrypt and secure various web, email and other connections.

Essentially, by passing an incorrect value to an OpenSSL extension, an attacker can read up to 64KB of the host's memory. The process can be repeated to read more RAM, exposing names, passwords, content and any other data: you have no protection at all.
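To make that concrete, here is an added example (not from the original article, and not OpenSSL's own source) that models the heartbeat handling in C: a toy version of the pre-1.0.1g response path beside the same path with the bounds check that 1.0.1g added. The record layout follows RFC 6520; the `heap` buffer and the secret string in `main` are constructed stand-ins for process memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat body layout: type(1) | payload_length(2, big-endian) | payload | padding(16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Parses the header and returns 1 if this is a request. *payload is the length
   the peer CLAIMS; nothing has yet verified it against what actually arrived. */
static int hb_header(const uint8_t *rec, size_t len, uint16_t *payload) {
    if (len < 3 || rec[0] != HB_REQUEST) return 0;
    *payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return 1;
}

/* Response path modelled on pre-1.0.1g OpenSSL: copies `payload` bytes from rec+3
   whether or not that many bytes were received. rec points into a larger buffer
   standing in for the heap, so the over-read stays in valid memory here. */
size_t hb_respond_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t cap) {
    uint16_t payload;
    if (!hb_header(rec, rec_len, &payload)) return 0;
    size_t out = 3 + (size_t)payload + HB_PADDING;
    if (out > cap) return 0;
    resp[0] = HB_RESPONSE; resp[1] = (uint8_t)(payload >> 8); resp[2] = (uint8_t)payload;
    memcpy(resp + 3, rec + 3, payload);            /* BUG: rec_len is never consulted */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return out;
}

/* Same path with the 1.0.1g check: claimed payload plus mandatory padding must fit
   inside the bytes that arrived, otherwise the record is silently discarded. */
size_t hb_respond_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t cap) {
    uint16_t payload;
    if (!hb_header(rec, rec_len, &payload)) return 0;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the fix */
    size_t out = 3 + (size_t)payload + HB_PADDING;
    if (out > cap) return 0;
    resp[0] = HB_RESPONSE; resp[1] = (uint8_t)(payload >> 8); resp[2] = (uint8_t)payload;
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return out;
}

/* Constructed demo: a 5-byte request claiming a 64-byte payload, followed in
   "heap" memory by data the peer was never meant to see. */
int main(void) {
    uint8_t heap[128] = {HB_REQUEST, 0x00, 0x40, 'h', 'i'};
    memcpy(heap + 5, "SESSION-COOKIE=constructed-secret", 33);
    uint8_t resp[256];
    size_t n = hb_respond_vulnerable(heap, 5, resp, sizeof resp);
    printf("vulnerable: %zu bytes returned, leaked: %.20s\n", n, resp + 5);
    printf("fixed: %zu bytes returned\n", hb_respond_fixed(heap, 5, resp, sizeof resp));
    return 0;
}
```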

2. How widespread is it?

The good news: this is not a fundamental problem with the core SSL/TLS technology. It's down to a specific bug in one implementation, OpenSSL 1.0.1, released March 14, 2012, and fixed in OpenSSL 1.0.1g on April 7, 2014.

The bad news: OpenSSL is the standard encryption library used by Apache and nginx, the two most commonly-used web servers around, responsible for protecting more than 70% of the web's busiest sites.

So you can't simply assume you were safe because you were using a big-name site: most companies will have been vulnerable.

3. Has anyone used Heartbleed in an attack?

The vulnerability was discovered independently by researchers at Google and the Finnish security firm Codenomicon, not by monitoring attacker activity, so there's no evidence that it has been exploited in the wild.

The problem, though, is that the attack leaves no footprint and no trace in the logs, so there's no way to be sure. You should assume that anything you think you've communicated securely in the last two years might have been compromised.

4. Are websites safe now?

Maybe. The bug was fixed in OpenSSL 1.0.1g, released on April 7. But that doesn't mean too much, because websites must install the update first, and reboot (or restart several services), which means it's probably not going to happen automatically.

Big sites, or any which are actively managed, should be fixed by now. But others may remain vulnerable for much, much longer.

5. Can I check a site for the Heartbleed bug?

Yes. There's a specific Heartbleed test page, and Qualys has added Heartbleed checking to its SSL Server Test. In both cases, just enter the host name of any server you're worried about, click the "Go" or "Submit" button and wait for a verdict.

Beware, though, with the current fuss both pages are getting a lot of traffic, and we found they occasionally refused us access. If you have problems, try again later.

6. How can I protect my own site?

If you have a website of your own, and testing shows it's vulnerable, then you need to get it fixed. Now.

If you have a server which you manage yourself then you should upgrade to OpenSSL version 1.0.1g.

This may not be too difficult. For example, with WHM/cPanel you might use the "Upgrade to Latest Version" option, then choose "Restart Services" > "HTTP Server (Apache)", clicking "Force a reinstall even if the system is up to date". Whatever route you take, run the Heartbleed test on your site afterwards to confirm the fix has taken effect.

If your web host looks after that kind of thing, though, you'll need to contact them for advice. Some hosts are updating servers as we write (April 9), others aren't starting until tomorrow, some may leave it entirely up to the customer. Talk to them and find out.

7. What should I do as an internet user?

Change all your passwords.

Yes, we know it's a hassle. But Heartbleed means that all your login credentials may have been exposed to the outside world. Sure, you "might" be safe, but why take the risk? Change them now.

In addition, think twice before using any apparently secure connection for the next few days, unless testing shows the company is no longer vulnerable. We're currently in a very dangerous time, as Heartbleed has now been exposed to those who want to exploit it before all the fixes are in place: it's best to be very careful.

Mike Williams
Lead security reviewer

Mike is a lead security reviewer at Future, where he stress-tests VPNs, antivirus and more to find out which services are sure to keep you safe, and which are best avoided. Mike began his career as a lead software developer in the engineering world, where his creations were used by big-name companies from Rolls Royce to British Nuclear Fuels and British Aerospace. The early PC viruses caught Mike's attention, and he developed an interest in analyzing malware, and learning the low-level technical details of how Windows and network security work under the hood.