The Heartbleed Bug: What You Need to Know
Bill Casey, CEO & Partner
Last week, news of the Heartbleed bug spread across the web. Here's what you need to know to learn if you've been affected and what you should do.
On April 7th, 2014, media reports announced the discovery of the Heartbleed bug - a secure data vulnerability affecting SSL and HTTPS connections and potentially affecting up to two-thirds (or more) of the Internet. If you haven't already figured it out, that's a huge number of websites. Chances are you are either directly or indirectly affected by this bug if you securely log into any online services.
What is the Heartbleed Bug?
According to heartbleed.com, the bug is described as follows:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
How does this affect my website?
The good news is, if your site is hosted and/or built by Diagram, you are likely NOT affected. OpenSSL, the software at the heart of the vulnerability, is a program run in a variety of Linux operating systems that handles the secure transmission of data such as usernames, passwords, credit card info, etc. The vast majority of sites built and hosted by Diagram are run on Microsoft Internet Information Server (IIS) and do not use OpenSSL. IIS contains its own encryption handlers which are not affected by this bug. If your site was built on Ektron, EPiServer, Sitecore or any other ASP.NET content management system, you are safe.
If you do maintain a Linux server, chances are you could be affected, and you should take action to remedy the issue. Diagram does maintain several Linux servers, and we have already contacted any clients that might be at risk. Security patches are available to address the problem.
What about other sites I log into?
As mentioned above, it is quite likely you are directly or indirectly affected by this bug via one or more of the many sites we all log into every day. Again, if the site is Linux-based and uses SSL, there's a good chance the vulnerability exists. Of course, you don't have any way of knowing if the site you're logging into is affected, but hopefully the site administrators have been diligent in applying patches.
According to DigitalTrends.com, here are a few sites that were suspected to have been affected but have since been patched:
- Tumblr
- Yahoo
- Gmail
- Yahoo Mail
- GoDaddy
- Intuit Turbo Tax
- Dropbox
- Minecraft
- OkCupid
Do any of these look familiar? It should go without saying that the problem is indeed pervasive, and caution should be taken wherever you're inputting private data.
So how do I protect myself?
The best defense against Heartbleed or any other security flaw is always maintaining a regular rotation of usernames and passwords and avoiding using the same usernames and passwords for every site you visit. The more difficult and random you make your credentials, the harder it will be for hackers to exploit.
Wasn't "Heartbleed Bug" the name of a Psychedelic Furs song from the 80's?
No. That was "Heartbreak Beat". I made the same mistake.