An Internet security flaw named Heartbleed, which is likely to affect nearly all web users, was discovered by security researchers and disclosed this week. Many have called it possibly the most serious Internet security flaw ever found. Unfortunately, the highly technical nature of the problem has left many of us out of the loop: only the web service provider, or whoever manages the back-end service your provider uses, can fully resolve the problem for you. So, for many of us, Heartbleed is as frustrating as it is serious.
What is Heartbleed?
Heartbleed is a vulnerability in OpenSSL, the software library that many websites and online services use to implement SSL/TLS, the encryption that keeps user data private in transit. OpenSSL is free, open-source software that is built into a great many servers and services. Many ecommerce sites display an SSL certificate badge on every page as an assurance that the connection is encrypted; email providers rely on OpenSSL for the same purpose. OpenSSL is estimated to be in use on about two thirds of all public Internet servers.
The bug lets an attacker read chunks of a vulnerable server's memory, repeatedly and without leaving a trace in ordinary server logs. That memory can contain the server's private encryption key, which would let the attacker decrypt traffic and impersonate the site, along with anything else the server happened to be holding at the time, such as session cookies and user passwords. A fix has been released, but every service provider needs to install it before they are safe from attack, and installing it does not undo any theft that already took place. The severity of this situation can't be overstated.
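To make the "reads chunks of memory" point concrete, here is an added illustration (not OpenSSL's code, and not part of the original post) that models the shape of the heartbeat bug in a few dozen lines of C. The record layout, buffer sizes, the `process_heartbeat`/`build_heartbeat` helpers and the sample "neighbour" data are all simplifications constructed for the example. A heartbeat request carries a length field chosen by the peer; the flawed code trusted that field and copied that many bytes into its reply, even when the request was far shorter, so whatever sat next to the request in memory came back with it. The patched path applies the one bounds check that was missing.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Simplified heartbeat record: type(1) | declared payload length(2, big-endian)
 * | payload | 16 bytes of padding. Modelled on the shape of the OpenSSL 1.0.1
 * bug; this is an illustration, not the library's code. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HDR = 3 };

/* Handle one received heartbeat record of rec_len bytes. Writes the reply to
 * out and returns its length, or -1 if the request is discarded. fixed=0
 * follows the buggy logic, fixed=1 adds the bounds check from the patch. */
int process_heartbeat(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap, int fixed)
{
    if (rec_len < HB_HDR) return -1;
    unsigned char hbtype = rec[0];
    /* payload length exactly as declared by the peer (n2s() in OpenSSL) */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    const unsigned char *pl = rec + HB_HDR;
    if (hbtype != HB_REQUEST) return -1;

    /* The fix: refuse when the declared payload would run past the end of the
     * record we actually received. */
    if (fixed && HB_HDR + payload + HB_PADDING > rec_len) return -1;

    if (HB_HDR + payload + HB_PADDING > out_cap) return -1;   /* reply buffer bound */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    /* Buggy path: copies `payload` bytes from the request onward, i.e. past the
     * record and into whatever lies next to it in memory. In this example that
     * memory is a buffer we own, so the over-read stays inside it. */
    memcpy(out + HB_HDR, pl, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return (int)(HB_HDR + payload + HB_PADDING);
}

/* Build a heartbeat request into buf. declared_len may lie about the real
 * payload length. Returns the number of bytes actually written. */
size_t build_heartbeat(unsigned char *buf, const char *payload, uint16_t declared_len)
{
    size_t real = strlen(payload);
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(declared_len >> 8);
    buf[2] = (unsigned char)(declared_len & 0xff);
    memcpy(buf + HB_HDR, payload, real);
    memset(buf + HB_HDR + real, 0, HB_PADDING);
    return HB_HDR + real + HB_PADDING;
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Simulated server memory: the received record sits directly in front of
 * other per-connection data (a constructed stand-in for a password). Returns
 * 1 if the reply to a lying heartbeat carries that neighbouring data. */
int heartbeat_leaks_neighbour(int fixed)
{
    unsigned char mem[256], reply[256];
    const char *neighbour = "user=alice&pass=hunter2";   /* constructed sample */

    memset(mem, 0, sizeof mem);
    size_t rec_len = build_heartbeat(mem, "ping", 64);   /* 4 real bytes, 64 declared */
    memcpy(mem + rec_len, neighbour, strlen(neighbour));

    int n = process_heartbeat(mem, rec_len, reply, sizeof reply, fixed);
    if (n < 0) return 0;
    return contains(reply, (size_t)n, "hunter2");
}

/* An honest heartbeat (declared length matches the payload) is answered by
 * both versions; returns the reply length. */
int honest_reply_len(int fixed)
{
    unsigned char rec[64], reply[64];
    size_t rec_len = build_heartbeat(rec, "ping", 4);
    return process_heartbeat(rec, rec_len, reply, sizeof reply, fixed);
}

int main(void)
{
    printf("unpatched leaks neighbouring data: %d\n", heartbeat_leaks_neighbour(0));
    printf("patched leaks neighbouring data:   %d\n", heartbeat_leaks_neighbour(1));
    return 0;
}
```

The only difference between the two paths is the single comparison of the declared length against the record length; everything else, including the honest-request behaviour, is identical. That is why the fix was easy to deploy and why nothing on the server side, short of replacing the key, can tell you whether the over-read was ever exercised.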
CommonPlaces, Inc. has updated our OpenSSL packages to the recommended version, but this is only half of the fix. We strongly encourage you to rekey your SSL certificate if you use one: generate a new private key, have the certificate reissued for that key, and revoke the old one. Simply renewing the certificate with the existing key provides no protection, because it is the private key, not the certificate itself, that may have been stolen. We will be taking care of this for all customers who purchased their SSL certificate from CommonPlaces, and will be in touch shortly. While the vulnerability no longer exists on our servers, it is possible that an attacker captured your private key while it did, and could continue to use it to decrypt traffic to your site, including passwords or credit card information, until the key is replaced.
We strongly suggest that if your business does not host with CommonPlaces, or didn't purchase your SSL certificate through CommonPlaces, you contact your provider immediately to confirm that they have patched OpenSSL and reissued your certificate with a new key.
What does this mean for you?
For your everyday Internet accounts, it is best to wait a day or two before changing passwords. This gives websites and other services time to install the fix and replace their keys. A new password entered on a service that hasn't yet installed the Heartbleed fix can be stolen just as easily as the old one, so confirm that a site has patched before you change anything there.
Mashable has posted a lengthy survey of commonly used sites and what each recommends. Many larger banks appear to be unaffected, which is some small comfort. Social media services and email providers such as Google and Yahoo have patched their systems, but are urging users to change passwords as a precaution.
Heartbleed is a programming mistake rather than a deliberate attack, but it hands the bad guys an easy way to do nasty things to the rest of us. For business owners it is a perfect example of why you should have someone competent managing your website. For the average Internet user, it's proof that we always need to be wary and vigilant.