Staunching The Heartbleed Flow
It’s been a busy week working on the web with all of the heart attacks going on across the web. In case you were living under a rock for the last 5 days, I’ll go through a quick recap for you.
The issue that popped up this weekend affected an absolutely massive portion of the web, with some reports saying as much as 65% of all websites had the potential to be affected. When you’re talking about billions of websites and trillions of pages, it’s a huge amount of the web. Just to be clear about the issue, the Heartbleed bug affected sites that were using a specific security certificate from OpenSSL – the community-driven alternative to paying for a security certificate for your website.
Without going into too much technical jargon and being confusing, the best description I found regarding the bug was this description of events.
The top portion of the exchange shows how a secure connection works; it’s a very simplified version of events between your computer and the web server you’ve connected to. The Heartbleed version of events, which makes up the bottom portion of the image, is where the exploit got its name. The process is the same, but via what’s called an overflow error a malicious user can request a longer string of information back related to your security code.
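To make the difference between the two exchanges concrete, here is a simplified sketch added for illustration; it is not OpenSSL's code and not part of the original post. The buffer layout, function names and the "CONSTRUCTED-SECRET" value are made up for the demo, and the 16-byte padding rule comes from RFC 6520. It puts a handler that trusts the length the request claims beside one that checks the claim against what actually arrived.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_PADDING 16  /* RFC 6520: a heartbeat carries at least 16 padding bytes */
/* Constructed stand-in for server memory (so the over-read stays in bounds) and the reply. */
static uint8_t mem[64], reply[64];

/* Write a request with a 4-byte payload whose length field says `claimed`. */
static size_t build_request(uint16_t claimed) {
    memset(mem, 0, sizeof mem);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 3, "bird", 4);
    memcpy(mem + 32, "CONSTRUCTED-SECRET", 18); /* unrelated data after the record */
    return 1 + 2 + 4 + HB_PADDING;              /* bytes actually received: 23 */
}

/* Flawed handler: echoes as many bytes as the request claims to contain. */
static size_t echo_trusting(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                              /* never consulted: that is the bug */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Corrected handler: drop the request unless the claim fits what arrived. */
static size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Build a request and run one handler over it; returns bytes echoed. */
static size_t run(int checked, uint16_t claimed) {
    size_t n = build_request(claimed);
    memset(reply, 0, sizeof reply);
    return checked ? echo_checked(mem, n, reply) : echo_trusting(mem, n, reply);
}

int main(void) {
    printf("honest, checked:    %zu bytes\n", run(1, 4));
    printf("oversized, flawed:  %zu bytes, tail \"%.11s\"\n", run(0, 40), (const char *)reply + 29);
    printf("oversized, checked: %zu bytes\n", run(1, 40));
    return 0;
}
```

The demo only ever claims 40 bytes, which stays inside the 64-byte stand-in buffer.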
The issue was found and corrected, and there are multiple steps you can take if you feel that your personal web security was in question. CNet has a running list of sites which have been patched against the Heartbleed bug and whether you should potentially change your passwords on those services. Have a look through their list and follow the proposed directions to minimize any potential security issues you may have in the future.
Image credit: vox.com