Sunday, April 13, 2014

Heartbleed Explanation and Advice

Yes.  Heartbleed is a complicated situation.  Basically, there is nothing you can do about it, as the exploit is on the website -- not your computer.  The exploit is that in many situations, if it is present, heartbleed can steal the password to the website you are logging in to.  Here's what you need to know to make decisions about what you should do.
1.)  Most Internet security applications currently will NOT detect heartbleed, because it does not reside on your computer. This may change -- but heartbleed is a "passive" exploit, and therefore difficult for your security app to detect.
2.) If you do not do any financial transactions over the Internet, and/or have no memberships with significant amounts of personal information about you on them, you really don't have much to worry about.
3.)  If heartbleed DOES give you a reason for concern -- you first need to find out if the website that concerns you is vulnerable to the exploit.  Here are two websites that claim to be able to check other websites to see if they are vulnerable to heartbleed...
If the website is vulnerable, that does NOT mean that they are infected with heartbleed -- only that they CAN be infected with it.  They will probably have instructions on what they prefer for you to do.  Most vulnerable sites are recommending that you NOT change your password until they have patched the vulnerability.
4.)  Because this vulnerability has existed for a while, the general advice on the Internet (and I strongly agree with it) is:
      a.) Change all of your passwords for all sites.
      b.) DO NOT use the same password twice.
Yes, this will be a major aggravation, but IMO, it is necessary for everyone for now and into the future.  This is not just because of the heartbleed virus, but because of major exploits that techies like me are seeing "coming down the road".  I am now working on a broad-range "Security Makeover" plan to offer my customers that will include how to manage multiple, non-duplicating passwords easily and safely.  I hope to be emailing you with details by mid-May.
Hopefully this will answer most of your questions.  If not, just let me know...
