Security

How to avoid heartburn, err, Heartbleed

As reported on Engadget.

BY SEAN BUCKLEY

Don’t change your password. It’s strange advice to hear when the so-called Heartbleed bug is leaving databases all over the web open and exposed, but it’s applicable. Yes, security has been compromised for many of your favorite websites and services (including Google, Flickr and Steam, at least initially) but protecting yourself isn’t quite as easy as changing your password. Unlike past exploits, Heartbleed isn’t a database leak or a list of plaintext logins; it’s a flaw in one of the web’s most prevalent security protocols — and until it’s fixed, updating your login information won’t do a darn thing to protect you. What, then, can you do to protect yourself? Wait, watch and verify.

Updating your password is a must, but only after your favorite services have patched their servers to block the Heartbleed exploit. Fortunately that’s relatively easy — the open-source SSL encryption software the bug affects has already been updated with a new, secure version. Vulnerable sites need only to upgrade to the latest version of OpenSSL to protect their users. Although some companies will notify users that their services have been patched (like Google did), not all of them have or will. That means you need to be aware of which websites were vulnerable to the bug and routinely check them to see if they’re back on track. Don’t worry, that’s not too difficult either. Sites like GitHub and Mashable have already compiled lists of popular websites, services and social networks, noting if they were affected at the time of Heartbleed’s discovery, and in some cases, if they’ve been patched. You can check manually, too: concerned coders and even some companies have made tools available to help you suss out sites that are open to attack. Coder Filippo Valsorda has created a Heartbleed checker and the folks at LastPass have a similar tool — either or both will update you on the status of a site’s security certificate. If it comes up clean, you’re safe to change your password.

Of all the exploits we’ve seen over the past few years, Heartbleed is certainly the biggest nuisance. Not only is it widespread enough to worm its way into some forgotten nook of your digital past, but it’s been lying under our noses for two years. Still, there’s no need to panic: just wait for your favorite services to patch the bug, watch for announcements from sites you might use and verify their security using freely available tools. Once that’s all done, change your password, write it down and breathe easy.