How to stay safe from the Heartbleed Bug

Heartbleed

The impact of the 'Heartbleed' vulnerability is potentially very far-reaching. OpenSSL is widely used to secure Internet-based communications, including web, e-mail, IM (instant messaging) and VPN (virtual private network) traffic. If exploited, this vulnerability allows an attacker to read the memory of vulnerable systems and intercept sensitive information – including usernames and passwords.

The responsibility for applying the fix to address this vulnerability lies with the providers of online services, network appliances and products that make use of the OpenSSL library. But what should the rest of us do?

First of all, although it may sound a bit bizarre, don't rush to change your passwords straight away. You should only do this once you know that an online provider has patched the OpenSSL library and regenerated its digital certificates.

If you change your password before the provider does this, your new password could be compromised too. So it's essential to first check that providers of the sites you use (this includes banks, online stores, social networks, etc.) have applied the fix. If they have, you should change your password. If they haven't, you need to wait until you know that they have.

Checklist

So here's a quick checklist of what to do.

1. Check if the site of an online provider you use is vulnerable now, using this tool http://filippo.io/Heartbleed/.

2. Check to see if it was vulnerable before by looking through this list of sites. Or you could contact the provider to ask them directly.

You might wonder why you should care whether it was vulnerable before - isn't it just important that it's fixed now? But remember that if it was vulnerable before, your personal data could have been stolen before the provider applied the fix. So you need to know both whether it is vulnerable now and whether it *was* vulnerable.

3. If the site was vulnerable, but has now been fixed, change the password you use to access the site. This should be done after the site has been fixed - otherwise your new password can be compromised too. If you have been using the same password on other sites (which is never a good idea!), make sure you also change your password on those sites.

4. Make sure the site is using a new security certificate - one issued on 8 April or later. You can find an explanation of how to do this here http://blog.kaspersky.com/heartbleed-howto/.
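For readers who would rather script step 4 than read the certificate by hand, here is an added example (not part of the original post or of any Kaspersky tool) that applies the post's "issued on 8 April 2014 or later" rule to a certificate in the dictionary format Python's `ssl` module returns. The sample certificates, the hostname `example.test` and the cut-off constant are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# The post's rule of thumb: a certificate issued on 8 April 2014 or later was
# (most likely) regenerated after Heartbleed became public.
HEARTBLEED_CUTOFF = datetime(2014, 4, 8, tzinfo=timezone.utc)


def cert_issued_after_cutoff(peercert: dict) -> bool:
    """Return True if the certificate's notBefore date is on/after 8 April 2014.

    `peercert` has the shape returned by ssl.SSLSocket.getpeercert().
    Caveat: a fresh issue date is only a proxy. It does not prove the private
    key was regenerated, which is what actually ends the exposure.
    """
    not_before = peercert.get("notBefore")
    if not_before is None:
        raise ValueError("certificate has no notBefore field")
    # ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form
    # used by getpeercert() and returns a UTC epoch value.
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before),
                                    tz=timezone.utc)
    return issued >= HEARTBLEED_CUTOFF


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch and validate a live server's leaf certificate (needs network)."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample inputs (not real certificates) in getpeercert() format.
OLD_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Jan 15 00:00:00 2014 GMT",
            "notAfter": "Jan 15 23:59:59 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Apr  9 12:00:00 2014 GMT",
            "notAfter": "Apr  9 12:00:00 2015 GMT"}

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, "issued after cut-off:", cert_issued_after_cutoff(cert))
```

To check a real site, pass the result of `fetch_peer_cert("your-provider.example")` to `cert_issued_after_cutoff`; a False result means the provider has not yet reissued, so hold off on changing that password.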

David Emm

David Emm is Principal Security Researcher at Kaspersky Lab, a provider of security and threat management solutions. He has been with Kaspersky Lab since 2004 and is a member of the company’s Global Research and Analysis Team. He has over 11 years of working experience.