

@j4cob

Heartbleed vulnerability: advice for regular users

08 Apr 2014

There was a very important vulnerability announced yesterday in OpenSSL, the cryptography library behind HTTPS on a significant fraction of the Internet. Thousands of security engineers from across the web were up all night patching and restarting servers, and it’s still not done yet. For instance, as of this morning, Yahoo was still vulnerable.

Usually when there’s a bug like this, it means the NSA, or your ISP, or other spies can intercept and decrypt your communications. This one is much worse. It allows anyone on the Internet to send a request to the affected site and read back up to 64 KB of the server’s memory per request, with no login and no trace in the server’s logs. That memory can contain other users’ cookies and passwords, and even the server’s private key. Because it leaves no trace, there’s no way to tell how broadly this was being exploited before it was reported. But we can be confident that in the last 24 hours it’s been exploited broadly.
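For readers who want to see what the bug actually is, here is an added illustration (not part of the original post, and not OpenSSL’s real source): a stripped-down model of the TLS heartbeat handler in its vulnerable form and its patched form. The `heap` array, the request, and the cookie string placed next to it are constructed for the demonstration; the two length checks in the fixed version are the ones the OpenSSL 1.0.1g patch added.

```c
/*
 * Simplified model of OpenSSL's TLS heartbeat handler before and after the
 * Heartbleed fix. Added example, not code from the original post. The "heap"
 * array, the request, and the cookie string next to it are constructed here
 * to make the over-read visible.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1u
#define HB_RESPONSE  2u
#define HB_HDR       3u            /* 1 type byte + 2-byte payload length */
#define HB_PAD      16u            /* minimum padding after the payload */
#define MAX_PAYLOAD 65535u         /* the length field is only 16 bits */
#define HEAP_SIZE   (HB_HDR + MAX_PAYLOAD + HB_PAD)

/* Model of process memory: the received record sits at the front, and
 * whatever the allocator happened to put next follows it. */
static unsigned char heap[HEAP_SIZE];
static unsigned char response[HEAP_SIZE];

/* Constructed neighbouring allocation: another user's session cookie. */
static const char secret[] = "Cookie: session=8f2c0b1d9e7a4c3b";

/* Writes a heartbeat request into the model heap. claimed_len is what the
 * sender puts in the length field; the record actually received is only
 * header + real payload + padding long. Returns that real record length. */
static size_t build_request(const char *payload, uint16_t claimed_len)
{
    size_t plen = strlen(payload);
    size_t record_len = HB_HDR + plen + HB_PAD;

    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(heap + HB_HDR, payload, plen);
    /* Padding stays zero; the secret lands right after the record. */
    memcpy(heap + record_len, secret, sizeof secret);
    return record_len;
}

/* Pre-fix logic (OpenSSL 1.0.1 through 1.0.1f): the length field is
 * trusted, so memcpy copies that many bytes from the payload pointer no
 * matter how short the record really was. */
static size_t heartbeat_vulnerable(size_t record_len)
{
    const unsigned char *p = heap + 1;              /* skip the type byte */
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    (void)record_len;                               /* never checked: the bug */

    response[0] = HB_RESPONSE;
    response[1] = (unsigned char)(payload >> 8);
    response[2] = (unsigned char)(payload & 0xff);
    memcpy(response + HB_HDR, p + 2, payload);      /* reads past the record */
    return HB_HDR + payload + HB_PAD;
}

/* Post-fix logic (1.0.1g): discard records too short to hold a header and
 * padding, and records whose length field exceeds what was received. */
static size_t heartbeat_fixed(size_t record_len)
{
    const unsigned char *p;
    unsigned int payload;

    if (HB_HDR + HB_PAD > record_len)
        return 0;                                   /* silently discard */
    p = heap + 1;
    payload = ((unsigned int)p[0] << 8) | p[1];
    if (HB_HDR + payload + HB_PAD > record_len)
        return 0;                                   /* silently discard */

    response[0] = HB_RESPONSE;
    response[1] = (unsigned char)(payload >> 8);
    response[2] = (unsigned char)(payload & 0xff);
    memcpy(response + HB_HDR, p + 2, payload);      /* bounded by the record */
    return HB_HDR + payload + HB_PAD;
}

/* Do the first resp_len bytes of the response contain the secret? */
static int response_contains_secret(size_t resp_len)
{
    size_t slen = strlen(secret), i;
    for (i = 0; i + slen <= resp_len; i++)
        if (memcmp(response + i, secret, slen) == 0)
            return 1;
    return 0;
}

/* Runs one request through the chosen handler. Returns -1 if the handler
 * discarded it, 1 if the response leaked the secret, 0 if it answered with
 * only the legitimate payload. */
static int leaks_secret(const char *payload, uint16_t claimed_len, int fixed)
{
    size_t record_len = build_request(payload, claimed_len);
    size_t resp_len;

    memset(response, 0, sizeof response);
    resp_len = fixed ? heartbeat_fixed(record_len)
                     : heartbeat_vulnerable(record_len);
    if (resp_len == 0)
        return -1;
    return response_contains_secret(resp_len);
}

int main(void)
{
    printf("honest request, old code: %d\n", leaks_secret("ping", 4, 0));
    printf("honest request, new code: %d\n", leaks_secret("ping", 4, 1));
    printf("claims 64 KB,   old code: %d\n", leaks_secret("ping", 65535, 0));
    printf("claims 64 KB,   new code: %d\n", leaks_secret("ping", 65535, 1));
    return 0;
}
```

The whole bug is the one missing comparison between the length the client claims and the length the server actually received. A four-byte "ping" that claims to be 65535 bytes long gets answered with 65535 bytes of whatever sat next to it in memory; the patched handler just drops that record.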

What attackers most easily get is the contents of recent requests from other users, and in particular their cookies. Since cookies are what Facebook, Twitter, GMail, etc. use to give you access to your account, anyone who captures your cookie can use your account without your password until that cookie expires or is invalidated.

This is a very unusual bug, and the advice is unusual. Since attackers can only get cookies that were recently sent to a given site, you can actually make yourself safer by staying off the net for a few days until everything’s fully patched.

That’s not really practical, of course. If you can’t stay offline, you can limit your exposure by clearing all your browser cookies, then logging in again to only the sites you really need to use.

You should immediately change your password on all the sites that you consider critical. On most sites that also invalidates existing sessions, so any copies of your cookies still held by hackers stop working; where a site offers a “log out of all sessions” option, use it as well. Be aware that if the site hasn’t been patched yet, the new password can leak the same way, which is why the next step matters.

You should change your password again for each site once it announces that it is conclusively safe, meaning it has patched OpenSSL, replaced its certificate (the old private key may have leaked too), and invalidated old sessions. Then, to be really safe, change passwords even on the sites you consider non-critical. Hackers will sometimes use information from unimportant sites to worm their way into other accounts, especially if you reused a password.

Does all this password changing sound like a hassle? It is. Now would be a really, really good time to start using a password manager to automatically generate good passwords and securely store them. I use LastPass; Dashlane is also good. Both are free.

Source material: http://heartbleed.com/

Highly technical: http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

A little more accessible: http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html

Mainstream-ish press: http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-7000028166/