Red Alert

04.11.14

How to Mitigate the Damage of the Heartbleed Security Hole

Think there’s nothing to do to protect yourself against the “catastrophic” security bug Heartbleed? There is. You might even come out of this with a better security regimen than you had before.

Any disaster can double as a learning experience, and Heartbleed, the massive security hole whose impact is being felt across the Internet this week, is no exception.

By now you may have heard that Heartbleed is a major bug in OpenSSL, a cryptographic library used by two-thirds of all servers on the Internet to prevent eavesdroppers from seeing everything you do on the Web, including the usernames, passwords, and credit card numbers you enter while shopping or banking. Sites running the affected versions of OpenSSL have actually been more vulnerable than those without this kind of security at all, and admins have been scrambling to patch the software and revoke any encryption keys that attackers may have stole. Plus, since the bug dates back to 2011, it's unclear how long, how frequently, or who has exploited it prior to disclosure. Security guru Bruce Schneier has called it “catastrophic,” saying, “On the scale of 1 to 10, this is an 11.”

The deafening klaxons can leave one feeling helpless, but there are still steps you can take to mitigate the damage. You might even come out of it with a more robust Internet security regimen.

First, it helps to understand how the bug works.

Heartbleed is named after where it was found in OpenSSL's code: an extension controlling something called the “heartbeat.” The heartbeat is a short message exchange that occurs in regular intervals between the user and the server, allowing the server to check that the user is still connected and keep the secure session open.

An example heartbeat might go something like this: a user's web browser says “Hello, Server? The secret word is 'Mendax' and it is six characters long.” Then the server would respond by echoing, “Got it, the secret word is 'Mendax'.” The connection stays open, and the process would repeat at the next beat.

But because of an error in the heartbeat code, a malicious user could lie to the server, telling it the secret word is longer than it actually is. This causes the server to fill the extra space by dumping random data from its memory into its reply. This can be done as many times as the attacker wants. For every “pulse,” the attacker can get up to 64 kilobytes of data, which could include a user's email address, password, or anything else stored in the server's memory. Timothy B. Lee has a good visual aid at Vox showing exactly how this occurs.

So, what can you do?

In short, you need to reset your passwords for every single site that was affected. But because the error involves servers barfing up your private info, those servers must first apply a patch, which simply tells them to make sure the heartbeat's “secret word” is as long as the user says it is. Websites should probably revoke and re-issue their encryption keys as well. If you reset your password for a site that either hasn't been patched, there's a chance—however theoretical—that your new password will be compromised too.

The good news is that at this stage, most of the biggest sites seem to be patched and accounted for, and some researchers are now saying it's unlikely that hackers were able to use Heartbleed to steal websites' SSL keys. The tricky part is finding out which of the many sites you frequent was affected in the first place. Mashable has compiled a very useful list to help you do just that. Unfortunately, some companies have been vague about whether or not they were affected and what actions were taken. So the safest thing to do is to not take any chances: if there is any doubt, reset your password.

This sounds like a nightmare, but like I mentioned above, it's also an opportunity to step up your Internet hygiene. Using a password manager like 1Password or KeePass, you can randomly generate strong passwords that you'll never have to remember again. These utilities store all of your passwords in a special encrypted file, which sits on your machine and can only be unlocked by a “master password” that you remember. Then you can use either BitTorrent Sync or Dropbox to keep your password file synced across multiple devices, so you can access your accounts from anywhere. 1Password even has a browser extension that fills in your login details for you when you visit a site. If that seems like too much, you could try using the Diceware scheme to create strong passwords with memorable words.

Lastly, users should seriously consider turning on 2-factor authentication for any service that supports it. Google, Twitter, Tumblr, Dropbox, and Facebook all offer this option via either text messages or mobile apps, and it can mean the difference between a password reset and a hijacked account.

While there is much unknown about Heartbleed, it's still possible that it has a long tail, and getting sites to implement an encryption technique called Perfect Forward Secrecy might be the only way to make sure today's private communications aren't victims of tomorrow's big bug. For everyone else, maintaining a solid password system remains an important first line of defense.