What do I need to know about Heartbleed?

Updated Friday 11th April 2014

There's a lot of advice and confusion about the Heartbleed security flaw - what do you need to know? And what do you need to do?

What exactly is Heartbleed, and what does it do?

[Image: the Heartbleed logo with a question mark. The Open University; original logo copyright Heartbleed.com, used under a Creative Commons licence.]

There's a full guide, and technical questions and answers, on the Heartbleed.com website. This part explains the basics:

"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

Is this really serious?

This vulnerability is about as bad as it gets, security-wise. Security expert Bruce Schneier has described it as "catastrophic" and I wouldn't disagree with that.

How widespread is the problem?

From what we're able to tell, the OpenSSL bug has compromised over half a million websites. And that includes some huge names.

How do I know if a site I use has been affected?

Various news sites are providing lists of affected sites and those that have been patched but you need to choose your sources of information carefully. Mainstream news sites are not always the best guide.

We do know the big players like Google, Facebook and Yahoo! were compromised and appear to have been patched. Apple and eBay we're not sure about; Tumblr, yes; LinkedIn, apparently not. Amazon wasn't compromised, though Amazon cloud services were. And you'll probably want to think about the other online services you use, such as banking.

It's basically taking quite some sorting out. There are sites that enable you to test whether a service you use has been compromised by Heartbleed, e.g. the Heartbleed Test or the Qualys SSL Labs test.

Just enter the URL you're concerned about and click the Go!/Submit button. These are not 100% reliable: they will generate false positives (alerts on sites that are already patched) and occasionally false negatives (giving the all clear to insecure sites).

Do be a little careful with these, too, as there will be fake test sites which attempt to mislead people about the security of sites which remain compromised.

If you've not heard from the sites you use, you should actively contact them to ask them:

  • Have you done the Heartbleed-related security audit?
  • Have you been compromised?
  • Have you patched any vulnerabilities?
  • Should I change my password(s) now?

Don't stop asking until you get a definitive answer.

Do I need to change all my passwords?

Ordinary internet users should change their passwords on affected sites, but generally only after the companies running the websites concerned have:

  • done a security audit to check if they are affected;
  • patched their systems if they are;
  • acquired a new public/private key pair and a new SSL certificate;
  • tested the patched systems;
  • informed users that they have done all this and determined the system to be secure (and preferably pro-actively changed passwords that might have been affected).

But shouldn't I change my passwords straight away?

Some news sites are advising people to change all their passwords straight away. This could lead you to assume your new credentials are safe. But if the site hasn't yet been patched, they won't be: a password entered on a still-vulnerable site can be stolen just like the old one. There should also be no immediate need to change passwords on sites which are otherwise secure and have not been compromised by the Heartbleed bug.

Before you change your passwords, check with the company or a trusted third party that the system has been secured.

How long is this likely to take?

Now that the news on the bug is out, credible commercial entities are keen to plug this enormous security hole in double-quick time, and many have already done so.

So waiting until each service has been patched is the risk-free approach?

There isn't a completely risk-free approach. If someone has already used the vulnerability to obtain your passwords, they could choose to use them for nefarious ends before the website in question updates its systems.

How can I protect against that?

In the window between now and the site being patched, you might want to think about changing your passwords now, temporarily, and then changing them again once the fix is done.

This sounds quite complicated

None of this is really straightforward, unfortunately.

What should I consider when changing my password?

All the usual advice about choosing strong passwords applies: change them regularly, don't use the same ones on different sites, don't use dictionary words or names, make them long, and include upper and lower case letters, numbers and symbols.

If a service offers several layers of authentication, such as PIN codes, passwords or tokens, use them for stronger security.

This is going to mean a lot of passwords, all of them new, to remember…

An incident like this can make people realise how many passwords they are actually using, so consider investing in a password manager like LastPass, SplashID or Password Genie: software which does all the heavy lifting of choosing long, difficult passwords and managing and "remembering" them for you. Do check with the password manager vendor that their systems have been patched against the Heartbleed vulnerability.

Is anyone really likely to have exploited Heartbleed?

Since the bug has been around for a couple of years, it is almost certain that a multitude of organised crime gangs will have gathered the encryption keys to all compromised sites, as will intelligence and security services like the NSA and GCHQ.

So, you're saying…

Yes, just to be clear on this: the usernames and passwords used on these sites will likely be in the hands of organised criminal gangs and intelligence services. It's about as serious as it gets.
