What is the Heartbleed bug, and what should you do about it?

Do you use the Internet? Congratulations, your data has been vulnerable for about 2 years and is even more vulnerable now that the Heartbleed bug has been revealed publicly. Until web sites patch this OpenSSL vulnerability, that little lock and https that you've been taught will keep your data safe as it travels across the Internet are a lot less effective.

The Heartbleed bug allows hackers to access the memory of any system using OpenSSL encryption. That may include the system's encryption keys that are meant to protect the data. This means that data you shared with many popular and important web sites including your email, bank account, and social media passwords may have been compromised.

Security pundit Bruce Schneier has called the Heartbleed bug "catastrophic." We basically need to assume that practically everything on the Internet has been compromised.

So what can you do to protect your data from the Heartbleed bug?

First, avoid accessing sensitive sites like online banking this week. The publication of this bug makes Internet traffic more vulnerable because, while the good guys are rushing to fix their servers, there will be many bad guys rushing to exploit the Heartbleed bug before sites are patched. This includes not changing your password on sites that are still vulnerable; otherwise you are just putting the new password at risk.

How do you know if a site has patched the Heartbleed bug?

Ideally, the site owners themselves will announce when they have patched for the Heartbleed bug, but there are online tests such as this one and this one that allow you to check the status of sites you use.

What should I do once a site has been patched for the Heartbleed bug?

James Fallows has published "The 5 Things to Do About the New Heartbleed Bug" on The Atlantic. I strongly agree with his recommendations, which include using two-factor authentication, something I've recommended multiple times before. Read the full article here. To be clear, you shouldn't change your password until a site is patched.

UPDATE 4/10/2014: Mashable released a list of popular websites that designates which passwords you should change because they were vulnerable to the Heartbleed bug. Read it here.

UPDATED 4/9/2014 to add a link to another Heartbleed vulnerability checker and to more strongly emphasize that you should not change your password until a site has been patched.


You can also find Kim Z. Dale on Twitter and Google+ and like Listing Toward Forty on Facebook.