Warning to All SkepticInk Users:
Heartbleed Bug is a Major Security Breach in OpenSSL Encryption
It is extremely important that everyone be wary of any sites requiring user validation (e.g., social media, email, online banking, etc.) for the next few days until it is clear that the released patches to a recently exposed vulnerability in the OpenSSL cryptographic library have been applied.
Any site using OpenSSL may be vulnerable to a specific sort of exploitation that could allow malicious users to gather enough information to access your accounts, including those at your online banking institutions.
SkepticInk users should know that Disqus is a known user of OpenSSL that has not updated its SSL certificate in months; it is very likely to be unsafe.
I will continue to update this, but here are the nuts and bolts.
What In the Hell is Going On?
OpenSSL is a cryptographic library that provides the encryption layer used by many websites that store sensitive user information (e.g., username, password, personal identification, banking information, etc.). Its job is to keep that information protected, that is, to keep your private information, well, private.
It was recently discovered that there is a serious vulnerability in the code that makes OpenSSL work. This vulnerability, called the Heartbleed Bug, allows anyone on the Internet to read the very secret information OpenSSL is designed to protect, by pulling it directly out of the memory of these “protected” systems. This is particularly nefarious because pen-testers have found they are able to attack themselves, by exploiting this bug, without leaving a trace of their presence (YIKES!).
By exploiting this bug a malicious user could do more than just read off cookies, emails, usernames, and passwords; they could potentially collect the encryption keys protecting the HTTPS traffic itself. This would allow an attacker to impersonate the website or read any information users send to it.
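To make the memory-read concrete, here is an added example (not code from this post or from OpenSSL itself): a simplified TLS heartbeat handler, first with the missing bounds check behind Heartbleed and then corrected. The record layout, the `"ping"` payload and the adjacent `SECRET:` bytes are constructed so that the over-read stays inside one array and the program is safe to run.

```c
/* Added example (not code from the post or from OpenSSL): a simplified TLS heartbeat
 * handler, first with the missing bounds check behind Heartbleed, then corrected.
 * The memory layout is constructed so the over-read stays inside one array. */
#include <stdio.h>
#include <string.h>
#define HB_HDR 3   /* 1 byte message type + 2 byte payload length */
#define HB_PAD 16  /* minimum padding a heartbeat must carry */
static unsigned char memory[128];

/* Heartbeat request carrying a 4-byte payload but advertising `claimed` payload
 * bytes, followed by constructed secret data that happens to sit next to it. */
size_t build_memory(unsigned claimed) {
    memset(memory, 0, sizeof memory);
    memory[0] = 0x01;                          /* heartbeat_request */
    memory[1] = (unsigned char)(claimed >> 8); /* length field, big-endian */
    memory[2] = (unsigned char)claimed;
    memcpy(memory + HB_HDR, "ping", 4);        /* payload actually sent */
    memset(memory + HB_HDR + 4, 'P', HB_PAD);  /* padding */
    strcpy((char *)memory + HB_HDR + 4 + HB_PAD, "SECRET:session=abc123");
    return HB_HDR + 4 + HB_PAD;                /* the record's true length */
}

/* Vulnerable: echoes as many bytes as the peer's length field claims, never
 * comparing that claim with how many bytes actually arrived. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                        /* the bug: never consulted */
    if (payload > out_cap) return 0;
    memcpy(out, rec + HB_HDR, payload);   /* reads past the record */
    return payload;
}

/* Fixed: silently discard unless header + payload + padding fit in the record. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PAD > rec_len || payload > out_cap) return 0;
    memcpy(out, rec + HB_HDR, payload);
    return payload;
}

int main(void) {
    unsigned char out[64];
    size_t len = build_memory(64);        /* claims 64 bytes, sent only 4 */
    size_t n = heartbeat_vulnerable(memory, len, out, sizeof out);
    printf("vulnerable echoed %zu bytes, leaking: %s\n", n, out + 20);
    printf("fixed echoed %zu bytes\n", heartbeat_fixed(memory, len, out, sizeof out));
}
```

The vulnerable handler hands back 64 bytes, 44 of which were never part of the request, so the constructed secret leaks; the fixed handler returns nothing for the oversized claim and still answers an honest 4-byte heartbeat.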
Why Does This Matter To Me?
If you’re reading this it’s most likely because you’re on the Internet. If you’re on the Internet you should be concerned, because some estimates place the effect of the Heartbleed Bug at 2 out of 3 web servers on the Internet. That means there’s a chance that at least one of the online accounts you use could be compromised. And if you’re like a lot of people who use the same passwords at multiple sites, you could end up with multiple compromised accounts and important personal information in the wrong hands.
Skeptic Ink Disqus Users
Disqus appears to have applied the patch and finished any necessary key-swapping. Disqus users should therefore change the passwords to their Disqus accounts immediately.
There does appear to be an inherent flaw in this, though. If you’re not sure whether your email service provider has applied the patch, then you will not want to change your passwords just yet. This is because most websites require authentication for account changes (including changing your password) via email.
Engadget.com is reporting that Gmail is now safe (and this has been validated by Google here). Yahoo users are now safe. I couldn’t find anything from AOL, other than a potentially unsafe warning from LastPass.
What Should I Do To Protect Myself?
- Keep an eye out for whether the websites and services you use have applied the patch to OpenSSL. If you’re not sure, or you see that the site is still unsafe, you’d be best to not sign into your account.
- Major businesses and organizations (e.g., Google and Yahoo) have been much quicker to respond to this vulnerability, but small businesses and organizations that you may have accounts with do not have the resources of a Google or Yahoo; in fact, they may not even know about a bug in their OpenSSL. You should contact them (especially if it’s a small, local bank you do online business with) to check if they’re aware of the threat and are acting to resolve it.
- You should begin changing the passwords to sites that are safe. It is also highly recommended that you use a different password for every account, make your passwords long, and use symbols, upper- and lower-case letters, numbers—anything and everything to make a strong password.
Official website for the bug that gives a complete overview of the situation, and information on fixing the bug if you are a website administrator currently using OpenSSL.
You can use LastPass to check to see if the website you have an account with is safe or unsafe. (I recommend doing a little more research, since this may not be completely accurate.)
The Electronic Frontier Foundation tracks all things related to privacy and security. This article gives further information on the Heartbleed Bug and the reason the web needs to implement Perfect Forward Secrecy as a standard.
Further information and explanation of how the Heartbleed Bug works and can affect yo