Dealing with Heartbleed: What You Need to Know


Heartbleed is a security flaw in OpenSSL, the software used to secure nearly half the websites on the Internet. The flaw gives hackers a way to obtain the encryption keys that keep the information passing between your Web browser and online servers private, which could let them decrypt information you expect to remain secure -- including user names, passwords, and credit card numbers -- and even pose as legitimate servers. That sounds pretty ominous, so we sorted out what it means for you.

Heartbleed potentially exposes server encryption keys

What is Heartbleed?

Heartbleed is a code flaw in OpenSSL's heartbeat function that lets hackers trick a server into handing over its private encryption keys. With those keys in hand, hackers can decrypt information passing between servers and users' computers without being detected. They can also potentially use those keys to set up their own man-in-the-middle server that appears to be a legitimate version of the site you're trying to reach, which would let them collect as much information as they want.

Imagine, for example, a hacker getting ahold of the encryption keys for your bank. They could then intercept and decrypt your secure transactions, get your credit card and bank account numbers, account login and password, and more.
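The code flaw described above, as an added illustration in C that is neither OpenSSL's code nor part of this article: a simplified heartbeat handler that trusts the length field inside the message, beside one that checks it against the bytes actually received. The "process memory" and the record are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed slice of server memory: a 5-byte heartbeat payload followed by
 * unrelated data standing in for whatever happened to sit next to it. */
#define PAYLOAD_LEN 5
static const uint8_t process_memory[] = "hello" "SECRET-KEY-MATERIAL-(constructed)";

/* A heartbeat record as the handler sees it (simplified, not OpenSSL's struct). */
struct heartbeat {
    uint16_t claimed_len;    /* length field copied from the message itself */
    const uint8_t *payload;  /* where the received payload starts */
    size_t actual_len;       /* bytes that really arrived in this record */
};

/* Vulnerable handler: trusts claimed_len and echoes that many bytes back. */
static size_t echo_vulnerable(const struct heartbeat *hb, uint8_t *out, size_t cap) {
    size_t n = hb->claimed_len;
    if (n > cap) n = cap;                                  /* clamps exist only */
    if (n > sizeof process_memory) n = sizeof process_memory; /* to keep the demo in bounds */
    memcpy(out, hb->payload, n);             /* copies past the real 5-byte payload */
    return n;
}

/* Fixed handler: drop any record whose claimed length exceeds what was received. */
static size_t echo_fixed(const struct heartbeat *hb, uint8_t *out, size_t cap) {
    if (hb->claimed_len > hb->actual_len || hb->claimed_len > cap) return 0;
    memcpy(out, hb->payload, hb->claimed_len);
    return hb->claimed_len;
}

/* Feed one constructed record (claims 30 bytes, really sent 5) to a handler. */
static size_t bytes_echoed(int use_fixed) {
    static uint8_t out[64];
    struct heartbeat hb = { 30, process_memory, PAYLOAD_LEN };
    return use_fixed ? echo_fixed(&hb, out, sizeof out) : echo_vulnerable(&hb, out, sizeof out);
}

/* 1 if the vulnerable handler's extra bytes are exactly the adjacent memory. */
static int vulnerable_leaks(void) {
    uint8_t out[64];
    struct heartbeat hb = { 30, process_memory, PAYLOAD_LEN };
    size_t n = echo_vulnerable(&hb, out, sizeof out);
    return n > PAYLOAD_LEN &&
           memcmp(out + PAYLOAD_LEN, process_memory + PAYLOAD_LEN, n - PAYLOAD_LEN) == 0;
}

int main(void) {
    printf("vulnerable: echoed %zu bytes, leaks adjacent memory: %d\n",
           bytes_echoed(0), vulnerable_leaks());
    printf("fixed: echoed %zu bytes\n", bytes_echoed(1));
    return 0;
}
```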

Don't have time to read all of the background stuff on OpenSSL and heartbleed, but want to know what to do to protect yourself? Jump ahead, we don't mind.

Comments

Bosco (Brad Hutchings)

It’s a good thing that Google’s known strategy of selling out their customers gave them the incentive to identify this problem!

gnasher729

Has anyone ever claimed that Google is selling out their customers? The problem is that end users are not Google’s customer, but the product.

Lee Dronick

How does iOS 7 deal with the certificates? Do we need to do anything on those devices to protect ourselves?

John Dingler, artist

Hi Jeff,
Safari user. Thanks.

John Dingler, artist

By the way, thanks for this clear step-by-step instruction. But I am sure that committed trespassers will figure out ways to skirt the roadblock to their shenanigans.

Paul Goodwin

Just for my education, in the vulnerable/not vulnerable site list, what does it mean when it says “No SSL”? It was obvious that it wasn’t vulnerable. Do they have their own encryption technology?

Macfox

Thanks Jeff for this update. I’m checking my browsers now. This is just one of the great reasons for TMO: you are all great!

wab95

Jeff:

Just wanted to say thank you for posting this excellent analysis of what heartbeat and Heartbleed are, are not, and what we can do about it. I’ve taken the liberty of sharing this page with a number of friends and family who’ve been sending me both articles on the phenomenon (some not so well informed or accurate) as well as requests for how to respond to it.

Knowledge is a powerful antidote to fear.

Bart B

Great article Jeff - it’s not at all easy to explain this stuff in a way that’s clear to regular folks, while still being accurate. The line between over simplification and information overload can be very hard to find, but I think this is pretty darn close to perfect :)
