What is the Heartbleed bug?

15th April 2014

You’ve probably heard by now of the bug called Heartbleed currently affecting half a million websites globally. Yes, it’s a big one but what is it and how does it affect you?

What is affected?

There’s a security software package called OpenSSL that is used by millions of retailers and service providers to create a secure connection between the user and the online service. You’ve probably seen a little padlock symbol in the top-left corner of your browser – that’s the SSL symbol that shows you’re protected. Using SSL, the web server and your browser set up an encrypted connection that protects the personal information passing between them. This can include personal contact details, usernames, passwords and other confidential data.

How does Heartbleed work?

Heartbleed exploits a bug in OpenSSL which allows an attacker to read chunks of the web server’s memory. This could be anything from harmless website content through to sensitive personal details and passwords. The USA’s National Security Agency allegedly dabbles in this for spying – but that’s a conversation for the pub as you never know who could be reading our blog.
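To show what “read chunks of the web server’s memory” means in practice, here is an added illustration in C. It is not code from the original post and not OpenSSL’s own code: it is a toy version of the heartbeat echo that Heartbleed lives in. The server is asked to echo a small message back, but the request also carries a length field, and the defect is that the server trusts that length instead of checking how many bytes actually arrived, so it copies neighbouring memory into the reply. The record layout, the constructed “secret” sitting next to the request, and the function names are all assumptions made for this example; the checked handler beside it shows the one comparison that closes the hole.

```c
/* Added illustration, not code from the original post or from OpenSSL:
 * a toy heartbeat echo handler showing the class of defect behind
 * Heartbleed (a missing bounds check on a length the client supplies)
 * next to the checked version. Record layout is a simplified assumption:
 *   byte 0     message type (1 = request, 2 = response)
 *   bytes 1-2  claimed payload length, big-endian
 *   then       payload, then 16 bytes of padding
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEADER_LEN  3
#define PADDING_LEN 16

/* Constructed data that merely happens to sit next to the record in memory. */
static const char DEMO_SECRET[] = "SECRET=constructed-session-token";

static uint16_t read_u16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable: copies as many payload bytes as the client *claims*,
 * never asking how many bytes actually arrived (rec_len is ignored). */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;
    uint16_t payload_len = read_u16(rec + 1);
    if (HEADER_LEN + (size_t)payload_len + PADDING_LEN > out_cap) return 0;
    out[0] = 0x02;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HEADER_LEN, rec + HEADER_LEN, payload_len); /* reads past the record */
    memset(out + HEADER_LEN + payload_len, 0, PADDING_LEN);
    return HEADER_LEN + payload_len + PADDING_LEN;
}

/* Fixed: the claimed payload must fit inside the bytes actually received;
 * otherwise the record is silently dropped (0 bytes sent back). */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HEADER_LEN + PADDING_LEN) return 0;
    uint16_t payload_len = read_u16(rec + 1);
    if (HEADER_LEN + (size_t)payload_len + PADDING_LEN > rec_len) return 0;
    if (HEADER_LEN + (size_t)payload_len + PADDING_LEN > out_cap) return 0;
    out[0] = 0x02;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HEADER_LEN, rec + HEADER_LEN, payload_len);
    memset(out + HEADER_LEN + payload_len, 0, PADDING_LEN);
    return HEADER_LEN + payload_len + PADDING_LEN;
}

/* Byte-string search (memmem is not portable). */
static int contains(const unsigned char *hay, size_t n,
                    const char *needle, size_t m) {
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Builds a constructed memory arena: a 21-byte request carrying the 2-byte
 * payload "hi" but advertising claimed_len, followed by DEMO_SECRET. Runs
 * the chosen handler, returns the reply length, and sets *leaked if the
 * reply contains the secret. Everything stays inside one array, so the
 * over-read is well defined here and the result is reproducible. */
size_t run_demo(int use_fixed, uint16_t claimed_len, int *leaked) {
    unsigned char arena[256] = {0};
    unsigned char out[256] = {0};
    size_t rec_len = 0;
    arena[rec_len++] = 0x01;
    arena[rec_len++] = (unsigned char)(claimed_len >> 8);
    arena[rec_len++] = (unsigned char)(claimed_len & 0xff);
    arena[rec_len++] = 'h';
    arena[rec_len++] = 'i';
    rec_len += PADDING_LEN;                       /* padding is already zero */
    memcpy(arena + rec_len, DEMO_SECRET, sizeof DEMO_SECRET - 1);

    size_t n = use_fixed ? heartbeat_fixed(arena, rec_len, out, sizeof out)
                         : heartbeat_vulnerable(arena, rec_len, out, sizeof out);
    *leaked = contains(out, n, DEMO_SECRET, sizeof DEMO_SECRET - 1);
    return n;
}

/* Convenience wrapper: 1 if the handler's reply carried the secret. */
int demo_leaks(int use_fixed, uint16_t claimed_len) {
    int leaked;
    run_demo(use_fixed, claimed_len, &leaked);
    return leaked;
}

int main(void) {
    int leaked;
    size_t n = run_demo(0, 64, &leaked);
    printf("vulnerable, claims 64: %zu bytes back, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_demo(1, 64, &leaked);
    printf("fixed, claims 64:      %zu bytes back, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_demo(1, 2, &leaked);
    printf("fixed, honest length:  %zu bytes back (plain echo of \"hi\")\n", n);
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed length against the number of bytes received. That is also what the fix in OpenSSL amounted to: an unchecked length field is the whole story, which is why the bug sat in widely deployed software for so long without looking unusual.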

Are you at risk?

Although the bug was introduced two years ago it’s only been publicised now, so it’s not known exactly how much damage has been done. OpenSSL is such a widely used package that it’s very likely that at least one or two of the services you use will be affected – but that doesn’t mean that your data has been stolen or misused.

In some cases the data won’t have been actively targeted by the cyber criminals; in other cases the service provider (bank, shop, email provider etc.) will have updated their software and security certificates and toughened their security. As with all companies, some will be better and faster at protecting your information than others.

What should you do?

Don’t panic – it’s being fixed right now, but there are steps you are advised to take. Refrain from logging on to any sites until you’ve checked that a) they’re not affected or b) they’ve updated their security measures. You can check online tools for a specific site, such as https://lastpass.com/heartbleed. You don’t need to rush and change all your passwords on every site you’ve ever used, but it is advisable that you change your passwords once you know a site has been protected against Heartbleed.

And pick a good password! Don’t use the same password for multiple sites. Make it complex and unique, preferably using a combination of numbers, symbols and letters in upper and lower case. Never use any of the common clangers such as ‘password’ or ‘qwerty’ or your own name or the name of the website you’re using such as ‘Barclays123’.

How do I protect the visitors to my website?

You need to check if you’ve been affected so that you can upgrade your OpenSSL if needed. Visit http://heartbleed.com for more information or give us a call if you’re not sure what to do next.

You may want to communicate on your website or via email to your customers to let them know that you are either not affected or that you have taken steps to upgrade your protection.