What's the fuss about?

Heartbleed is a major security flaw that affects over 50% of the Internet's secure web sites.

It relates to the security protection for web sites such as online banking, emails, Facebook, Gmail, Dropbox and other online services.

The security flaw allows an attacker to retrieve secure information that is stored within a server’s memory, like your username and password for your online banking. They can then use this information to access your data or accounts.

OpenSSL and Heartbleed (the technical bit)

OpenSSL is a cryptographic software library that is used on over 50% of all websites as well as other services such as email, instant messaging and virtual private networks. It is used to secure data transmitted over the internet and stops personal user information from being read by a third party.

Heartbleed is the name of the extension within OpenSSL that this security flaw was found in. When exploited it allows an attacker to gain access to the affected server’s memory and retrieve the contents stored within, i.e. your personal information.
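To illustrate how such a memory disclosure happens, here is an added, simplified model (not OpenSSL's code and not from the original post): a heartbeat-style echo that trusts the length the sender claims, next to a version that checks it against what actually arrived. The buffer layout, function names and the secret are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for server memory: the request buffer sits next to
   unrelated secret data, all in one array so the over-read stays defined. */
#define REQ_AREA 16
static unsigned char memory[64];

/* Request format (assumed): 2-byte big-endian claimed length, then payload. */
static void load_memory(const unsigned char *req, size_t req_len) {
    memset(memory, 0, sizeof memory);
    memcpy(memory, req, req_len);                       /* request as received */
    memcpy(memory + REQ_AREA, "password=hunter2", 16);  /* constructed secret  */
}

/* Flawed: echoes as many bytes as the sender claims, not as many as it sent. */
static size_t echo_flawed(size_t req_len, unsigned char *out) {
    size_t claimed = ((size_t)memory[0] << 8) | memory[1];
    (void)req_len;                            /* actual length never checked */
    if (claimed > sizeof memory - 2) claimed = sizeof memory - 2; /* demo bound */
    memcpy(out, memory + 2, claimed);
    return claimed;
}

/* Fixed: drop any request whose claimed length exceeds what really arrived. */
static size_t echo_fixed(size_t req_len, unsigned char *out) {
    if (req_len < 2) return 0;
    size_t claimed = ((size_t)memory[0] << 8) | memory[1];
    if (claimed > req_len - 2) return 0;      /* discard, send nothing back */
    memcpy(out, memory + 2, claimed);
    return claimed;
}

static int contains(const unsigned char *buf, size_t n, const char *s) {
    size_t m = strlen(s);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, s, m) == 0) return 1;
    return 0;
}

/* Request claims 40 payload bytes but carries 2; does the reply expose the secret? */
static int reply_leaks(int fixed) {
    const unsigned char req[] = {0x00, 0x28, 'h', 'i'};
    unsigned char out[64];
    load_memory(req, sizeof req);
    size_t n = fixed ? echo_fixed(sizeof req, out) : echo_flawed(sizeof req, out);
    return contains(out, n, "hunter2");
}

int main(void) {
    printf("flawed leaks: %d, fixed leaks: %d\n", reply_leaks(0), reply_leaks(1));
    return 0;
}
```

An honest request, whose claimed length matches its payload, is echoed identically by both versions; only the mismatched one separates them.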

What has Heartbleed leaked?

Heartbleed can allow an attacker to gather four different categories of information:

  1. Primary key material: the encryption keys themselves, which allow the attacker to decrypt all the information that has been intercepted.
  2. Secondary key material: a user’s credentials (usernames and passwords).
  3. Protected content: the actual content that is handled by the service, such as email content, instant messages, documents and personal or financial details.
  4. Collateral: other information that was stored in memory at the time of the attack, containing technical information about the system that is running the service.

Is it serious?

This security flaw is extremely serious because your online passwords and data could have been compromised without anyone’s knowledge.

This vulnerability has been around for over two years and has only just been discovered. Therefore, someone may already have had access to your private and personal information.

What should you do?

It is recommended that you review all your online accounts and change all your passwords, preferably to complex and secure ones. Also, don’t use the same password for all your online accounts.

More technical information on Heartbleed can be found here.

Finally, you can also check out our Password Manager Apps Review blog post for different ways of storing more complex passwords.