
[Help Request] Heartbleed


Quiver


Yes, tagging my topic titles with square brackets is a thing I do now, tagging topic titles with square brackets is cool.

Okay, so... I joke because I get nervous. Sorry.

Anyone who knows me knows that I'm a bit...er...anxious. I get worried over lots of stuff very easily, particularly stuff that I don't understand, especially when it's to do with modern technology- I'm something of a Luddite. Saying that...

Well, I read something the other day about a computer problem called Heartbleed? And it can access your passwords or something?

The or something part is my problem. I don't understand this thing, at all, and that makes me worried- very worried. So I thought I'd throw it out here, to try and get it answered by some members of the forum and set my mind at rest.

What is Heartbleed and how does it work, in terms someone who doesn't understand computers could understand?

All I use my computer for is websites and forums (no eBay or commercial uses), so is it necessary for me to change my passwords? Do I need to change my passwords for everything (i.e. one affected site means all of them are contaminated) or just for the web forums in question?


Hmm, well, I'm no tech master, but I've been searching a little on Google and I asked one of my friends who's studying computer systems, and from what I have understood it's basically a bug/exploit (it's not meant to be there!) that allows someone to steal protected information.

 

I'm not exactly quite sure what you can steal from sites vulnerable to Heartbleed, but passwords, usernames and private messages etc. can be stolen. Luckily some fixes have been going out, and most websites should be patching the problem. As for what sites are vulnerable, I can't exactly give you a list, but unless you use the same password for all websites then you should be safe; if you're really worried then I suppose changing your passwords can't hurt.

 

As for how the thing works: when your computer asks for information, it sends a message to the server asking it to return data to check if the server is there. Normally this is harmless (say it returns the value of 123), but when you use Heartbleed, your computer sends a message and the server responds with a bunch of information it shouldn't be sending (as an example, say it returns "123server admin pass:happyface" and other secret stuff on the server), and so in this way somebody can steal all sorts of useful information on the internet.

 

Hopefully this helps you out Quiver.  :)

Edited by Leonardus

A fair summary, Leo.

 

If you want to get deeper into it, Quiver, you could read this blog post. Of particular note is that it links to a site that lets you very easily test if a site is currently vulnerable—the server for 17s isn't set up properly to test one way or another, just so you know.

 

There's also a handy table over on Mashable.


Ok, so, I'm an IT person by trade, so I suppose I'm considered a 'professional' when it comes to this sort of stuff, but I'll start out with this:

 

Long story short - There's nothing you personally can do about it. This is all based on an SSL vulnerability with a particular SSL version that's unfortunately quite common on the internet. The only way to be protected against it is to not use any site that has this particular version of SSL.

 

That being said, ALL major sites and their web servers are likely to have updated by now.

 

Leonardus essentially has the right of it, in how it happens at a high level. Essentially, the problem lies within the way the SSL protocol pings back and forth to make sure the connection is still alive. The way it works goes something like this:

 

Client: "Server, are you alive? If so, reply 123, 3 characters"

Server: "123"

 

 

The problem here is the second part in the client request, where it asks for 3 characters. If this value is inflated, the SSL protocol instead replies with stuff randomly in memory of the server. This could range from anything to what pages a random user visited, to someone's logon information. So in the instance of the exploit, it would look something like this:

 

Client "Server, are you alive? If so, reply 123, 100 characters."

Server "123; User1 connected on port 10; user2 logged in, username [email protected]:password letm3in; user3 log"

 

Granted, it's not as simple as above, and your username/password probably won't be exactly in plain readable text, but it gives someone a starting point to try to get your information.

 

The only reason you would need to change your password is if your password got compromised. If you are afraid this has happened, you can definitely do that, but I wouldn't say you're "required" to do it. If you fear for your security, however, many big sites such as Google, Facebook, Twitter, etc. allow you to do two-factor authentication. I highly recommend this if you fear for this sort of thing.

 

What two-factor authentication does is it requires you to, after you put in your password, plug in a token on a following screen that is usually tied to an authenticator of some sort. Most sites let you set this up with your cell phone, either through an app or through text messages. So this sort of "second" password is a random string of characters that will change every 30 seconds to a minute or so. What this does is make sure that, even if someone has your password, they ALSO need your cellphone/authenticator to access your account. This provides a second, very strong layer of security, and is generally of very minor inconvenience to yourself.
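As an added illustration of the length check that both Leonardus's post and the post above describe, here is a toy heartbeat responder written for this thread (example code, not OpenSSL's own source). The vulnerable form trusts the length the client claims and copies that many bytes, so whatever sits next to the real payload in memory is echoed back; the fixed form refuses any claimed length that does not fit inside the record actually received. The record layout, the 100-byte claim, the "123" payload and the "user2 ... letm3in" string are all constructed to mirror the example in the post; the toy keeps "server memory" in one array so the over-read stays inside it and the program remains well defined.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Toy heartbeat record layout (added illustration, not OpenSSL's code):
 *   byte 0     : message type (1 = request)
 *   bytes 1..2 : payload_length as claimed by the sender, big-endian
 *   bytes 3..  : payload, then 16 bytes of padding */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16
#define MEM_SIZE       256

static size_t hb_claimed_length(const unsigned char *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable responder: copies as many bytes as the sender *claimed*, never
 * checking how many bytes actually arrived. Whatever sits after the real
 * payload in memory is sent back along with it. */
size_t hb_respond_vulnerable(const unsigned char *mem, size_t mem_len,
                             size_t record_len, unsigned char *out, size_t out_cap)
{
    size_t n = hb_claimed_length(mem);
    (void)record_len;   /* the bug: the received length is ignored */
    if (HB_HEADER_LEN + n > mem_len || n > out_cap)
        return 0;       /* toy-only guard so the copy never leaves our array */
    memcpy(out, mem + HB_HEADER_LEN, n);
    return n;
}

/* Fixed responder: the claimed length, plus header and padding, must fit in
 * the record that was actually received; otherwise the request is dropped. */
size_t hb_respond_fixed(const unsigned char *mem, size_t mem_len,
                        size_t record_len, unsigned char *out, size_t out_cap)
{
    size_t n;
    if (record_len > mem_len || record_len < HB_HEADER_LEN + HB_PADDING_LEN)
        return 0;
    n = hb_claimed_length(mem);
    if (HB_HEADER_LEN + n + HB_PADDING_LEN > record_len || n > out_cap)
        return 0;       /* the bounds check the vulnerable version lacks */
    memcpy(out, mem + HB_HEADER_LEN, n);
    return n;
}

/* Constructed (made-up) session record that happens to be stored right after
 * the heartbeat request in our toy server memory. */
static const char SECRET[] = "user2 logged in, password letm3in";

/* Builds the sample memory: a request claiming 100 payload bytes but carrying
 * only "123", 16 padding bytes, then SECRET. Returns the number of bytes of
 * the request that really arrived (3 + 3 + 16 = 22). */
static size_t build_sample_memory(unsigned char *mem)
{
    size_t record_len = HB_HEADER_LEN + 3 + HB_PADDING_LEN;
    memset(mem, 0, MEM_SIZE);
    mem[0] = 1; mem[1] = 0; mem[2] = 100;     /* claims 100 payload bytes */
    memcpy(mem + HB_HEADER_LEN, "123", 3);    /* the real 3-byte payload */
    memcpy(mem + record_len, SECRET, sizeof SECRET - 1);
    return record_len;
}

/* Bytes the vulnerable responder sends back for the inflated request. */
size_t hb_demo_vulnerable_bytes(void)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    size_t record_len = build_sample_memory(mem);
    return hb_respond_vulnerable(mem, MEM_SIZE, record_len, out, sizeof out);
}

/* 1 if the made-up secret appears in the vulnerable responder's reply:
 * the reply is "123", 16 zero bytes, then the neighbouring record. */
int hb_demo_secret_leaked(void)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    size_t record_len = build_sample_memory(mem);
    size_t n = hb_respond_vulnerable(mem, MEM_SIZE, record_len, out, sizeof out);
    return n > 19 && memcmp(out + 19, SECRET, sizeof SECRET - 1) == 0;
}

/* Bytes the fixed responder sends back for the inflated request: 0, dropped. */
size_t hb_demo_fixed_bytes(void)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    size_t record_len = build_sample_memory(mem);
    return hb_respond_fixed(mem, MEM_SIZE, record_len, out, sizeof out);
}

/* Same request with an honest claim of 3 bytes: the fixed responder still
 * answers normally, so the check breaks nothing for well-formed clients. */
size_t hb_demo_fixed_honest_bytes(void)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    size_t record_len = build_sample_memory(mem);
    mem[2] = 3;
    return hb_respond_fixed(mem, MEM_SIZE, record_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable replied with %zu bytes (secret leaked: %d)\n",
           hb_demo_vulnerable_bytes(), hb_demo_secret_leaked());
    printf("fixed replied with %zu bytes to the inflated request, %zu to an honest one\n",
           hb_demo_fixed_bytes(), hb_demo_fixed_honest_bytes());
    return 0;
}
```

The whole difference between the two responders is one comparison against the length that was actually received, which is why the fix shipped so quickly; the real bug allowed claims of up to 64 KB per request, far more than the 100 bytes used here.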


Yea, I still like XKCD's explanation better. Because potato.

 

My way of dealing with Heartbleed was to finally register for LastPass. Since I have pretty much all of my passwords saved in my Google account, I could import those into LastPass and let it tell me which ones are associated with websites that were vulnerable to Heartbleed and could've been compromised. I updated those, and have (slowly) been working my way through the remaining few hundred websites I have accounts for...


I run business websites and servers, and here is my two bits:

 

Heartbleed made it possible for hackers to possibly discover your username and passwords on many of the websites out there in the world. However, it is not all connected. They would have to go dig into a single server and do a bunch of work to figure out some of the passwords there. If they happened to figure out your password on one site, it doesn't tell them anything about any other site you use. (Even if you use the same username and password on multiple systems, they have no information about what other sites you use)

 

AND, once the problem was found, it was fixed by many sites in a few days. So most of the sites you would go to are no longer at risk. (Kirkistan listed a link to a site that will test sites for the problem. Or do a search for "test heartbleed")

 

And here is how it affects any of us. Hackers are not going after every site on the internet; they don't have time. They are going to go after valuable sites first. So, if you use a banking site, or PayPal, or something else with money, or if you have a site that has personal information you are worried about, change the passwords there. Other sites like this one that are just for fun are not likely at risk. And even if they did get hacked, what is someone going to do, post a bunch of rude posts in my name?

 

Anyway, doesn't hurt to change passwords, just to be safe.
