Is Heartbleed as Bad as the Media Would Have You Believe?
It was Thursday morning, the 10th of April. I was just doing my usual routine, checking my email, when I saw an update in a newsletter from a website that I visit frequently. It mentioned something by the name of Heartbleed. Intrigued, I clicked on it and read the post that had originally appeared on the website’s blog. From what I could gather, this particular website had taken the proper precautions and had not been particularly vulnerable to this Heartbleed bug, which, I discovered after googling and finding several news pieces, was potentially rather serious.
Heartbleed is a bug that was discovered in the OpenSSL cryptography library earlier this month (although some sources claim that various parties knew about it for some time before that), and it can result in a lot of sensitive data being leaked. You might have heard of SSL (Secure Sockets Layer) before – it’s synonymous with HTTPS, and is a form of encryption. Everyone is advised to have HTTPS switched on everywhere they go online to prevent sensitive data from falling into the wrong hands, including login details, i.e. passwords, and credit card details. Now imagine a leaky “secure” connection and the fallout that can have. It’s a hacker’s dream come true. They wouldn’t even have to hack any accounts with Heartbleed – they could just steal private keys, passwords, and whatever data the website randomly spews forth from its session cookies when probed. It’s a man in the middle attack, as some have pointed out, and it made the hackers' task that much easier.
There was mass panic online, and this was made worse by so-called "experts" ranting about how this was the most devastating thing ever to happen, that the internet was broken. This was of course not helped by the conspiracy theories that started to circulate claiming that various intelligence agencies had been exploiting this bug for years and that it was designed that way intentionally.
I mean, really? We read about websites being hacked and vulnerabilities like this being exploited by hackers every day. It wouldn't be the first time I've been told by a website that I need to log in and change my password because their website was hacked. This is like that but admittedly on a bigger scale, and all at the same time.
Now I don’t claim to be any sort of expert on the subject of security, even though I have written about it to some degree, but I have found a lot of the media’s claims to be nothing but sensationalist, alarmist, and a lot of the time untrue. Yes, it’s serious, and reportedly two thirds of the websites on the internet use OpenSSL. But the fact is, and I was told this by HubPages staff after asking about the security of my account, that not all websites that use OpenSSL were ever vulnerable. Some of them used versions that were not affected by Heartbleed. In fact, I read through another article on HubPages on the same subject where it was said that in reality only 17% of all secure web servers worldwide were actually affected. Google was one of the biggest names on the list of those who were affected, but they effectively patched their servers early before it all went public, and claimed that it wasn't necessary for people to change their account password.
I did by the way. All of my Google accounts’ passwords were changed ASAP.
Facebook was another, and was certainly on the ball, because they too had patched up and encouraged users to change their passwords. So I did.
But some websites were falsely accused of being vulnerable, and this wasn’t helped by lists cropping up on websites that I hadn’t even heard of before, let alone visited, as well as “Heartbleed checkers” that check whether websites are vulnerable.
The flaw here is that these checkers often rely upon the information supplied by these lists from unofficial sources, which contained a lot of confusing contradictions. Websites that had out-of-date security certificates were said to be affected by Heartbleed; websites that used no encryption; websites that used versions of OpenSSL that were not flawed; websites that had already been patched. A lot of them were lumped into one pile, making it hard to actually know where the real danger was.
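To show concretely why a checker that only looks at version numbers lumps patched and unpatched sites together, here is a small classifier I have added for this post (it is not from the original article or from any checker mentioned in it). It assumes the published release facts: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 shipped the bug, 1.0.1g and 1.0.2-beta2 fixed it, and the 1.0.0 and 0.9.8 branches never had the heartbeat code. The sample banners and the Ubuntu-style package string are constructed, and the list of distribution markers is a heuristic of my own.

```python
"""Classify an OpenSSL version string for Heartbleed exposure.

Added illustrative code for this article, not from the original page.
Assumed release facts: 1.0.1 .. 1.0.1f and 1.0.2-beta1 are affected,
1.0.1g and 1.0.2-beta2 carry the fix, 1.0.0 and 0.9.8 never had the
heartbeat extension. Distributions often backported the fix without
changing the upstream number, so a version string alone cannot tell a
patched server from an unpatched one; that gap is what fooled the
third-party checkers the article describes.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

FIXED_101_LETTER = "g"   # 1.0.1g was the first fixed 1.0.1 release
FIXED_102_BETA = 2       # 1.0.2-beta2 was the first fixed 1.0.2 beta

# Matches "1.0.1e", "1.0.1", "1.0.2-beta1" inside a banner or package string.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")

# Heuristic hints (my own list) that the build came from a distribution
# which may have backported the fix without bumping the version.
DISTRO_MARKERS = ("ubuntu", "deb", ".el", "fips")


@dataclass
class Verdict:
    status: str   # vulnerable | fixed | not_affected | unknown | unparsed
    reason: str


def parse_version(text: str) -> Optional[Tuple[int, int, int, str, Optional[int]]]:
    """Pull (major, minor, patch, letter, beta) out of an OpenSSL version string."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4) or ""
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, patch, letter, beta


def upstream_status(major: int, minor: int, patch: int,
                    letter: str, beta: Optional[int]) -> Tuple[str, str]:
    """Verdict based purely on the upstream OpenSSL release number."""
    base = (major, minor, patch)
    if base < (1, 0, 1):
        return "not_affected", "heartbeat extension did not exist before 1.0.1"
    if base == (1, 0, 1):
        # '' (plain 1.0.1) and 'a'..'f' sort before 'g' in Python string order
        if letter < FIXED_101_LETTER:
            return "vulnerable", f"1.0.1{letter} predates the 1.0.1g fix"
        return "fixed", f"1.0.1{letter} is 1.0.1g or later"
    if base == (1, 0, 2):
        if beta is not None and beta < FIXED_102_BETA:
            return "vulnerable", f"1.0.2-beta{beta} shipped the bug"
        return "fixed", "1.0.2-beta2 and later carry the fix"
    return "not_affected", "later branch that never shipped the bug"


def classify(version_text: str, vendor_confirms_fix: bool = False) -> Verdict:
    """Combine the version number with the only evidence that settles it:
    a vendor or site announcement that the fix was applied."""
    parsed = parse_version(version_text)
    if parsed is None:
        return Verdict("unparsed", "no OpenSSL version number found")
    status, reason = upstream_status(*parsed)
    if status == "vulnerable":
        if vendor_confirms_fix:
            return Verdict("fixed", "affected upstream number, but the vendor "
                           "changelog or announcement confirms a backported fix")
        if any(marker in version_text.lower() for marker in DISTRO_MARKERS):
            return Verdict("unknown", "distribution build of an affected upstream "
                           "version; the fix may be backported, so check the "
                           "package changelog or the site's own announcement")
    return Verdict(status, reason)


# Constructed sample strings, not captured from any real server.
SAMPLES = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0k",
    "OpenSSL 0.9.8y",
    "OpenSSL 1.0.2-beta1",
    "1.0.1-4ubuntu5.12",      # Ubuntu-style package version (constructed)
    "no version here",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        v = classify(sample)
        print(f"{sample!r:32} -> {v.status:13} {v.reason}")
```

The point of the `unknown` verdict is that a distribution build with an affected-looking number is exactly the case where a naive checker shouts "vulnerable" at a server that was patched days earlier; the honest answer is to go and read the site's announcement, which is the same advice the article gives.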
Cyber criminals apparently even capitalised on this situation and started their own illegitimate SSL checkers, which would basically act as phishing websites to steal information from people. So if their accounts hadn’t been compromised up until that point, they most certainly were after they had used one of those websites.
Popular websites and services that were definitely affected by Heartbleed
Google – patched early and claimed that no password change was necessary (do it anyway); 2-step verification is available (this covers all Google products)
Facebook – patched and encouraged users to change their passwords; 2-step verification and login notifications are available to use to add extra security to your account
Reddit – publicly announced that they had been affected and asked users to change their passwords
Tumblr – was affected, and patched; they now offer 2-step verification to protect accounts
SoundCloud – publicly stated that they were signing everyone out of their accounts, and followed this up by saying upon signing back in they should change their passwords.
SourceForge – publicly stated that at least part of their website had been affected, and even sent an email to users that logged in during the "window of vulnerability".
Wikimedia (including Wikipedia) – was patched and users should change their password.
Check out CNET, who bothered to contact a whole list of websites for you, to see if any other accounts you may have are at risk.
LastPass added a Heartbleed check as part of their security check available to users, and I even signed up after being convinced by a writer who seemed to know what they were talking about.
There I learned that only as many websites as there are fingers on my right hand (five, in case you were wondering) were affected, and out of those, Google was supposedly not vulnerable, at least according to them. It didn’t take more than half an hour in total to log into those accounts, change the passwords, and log out. Crisis averted. I suppose I should consider myself blessed that I don't feel the need to be trendy and create an account on every website on the internet.
The fact is though that once again, this wasn’t the most accurate method either, seeing as Reddit was vulnerable, and this was even admitted by the website, and yet LastPass’s security check failed to spot that when I added one of several throwaway accounts – and I don’t care much for securing them to be honest seeing as they have virtually nothing in them worth stealing, apart from some Karma – apologies to some redditors who made light of the entire situation.
And it wasn’t just online – offline print publications did an even poorer job of presenting the facts, with some ignorantly labelling it a virus, which it isn't.
An article in the Cape Argus had a sensationalist title which claimed that Heartbleed would render you bankrupt, and said that the patch had been applied to “almost all websites, including South Africa’s banks (plural)”. That last part is misleading, because only Capitec Bank was found to have been vulnerable as far as I am aware. FNB for instance, said that none of their servers used OpenSSL, so it’s safe to assume that they were not vulnerable in the first place, and any password change would be optional (yet recommended on a regular basis of course) and purely for peace of mind, when it certainly isn’t critical.
The same goes for those saying that people should change all account passwords. By all means, if you’re paranoid, then go ahead, but if that website doesn’t use a vulnerable version of OpenSSL, or doesn’t use OpenSSL at all, then it shouldn’t be at the top of your list of priorities. By saying that one should change all passwords, they are in fact trying to make a claim that all the websites you use are at risk, when that simply isn’t true. As long as you haven’t typed in your password from a non-vulnerable website elsewhere, and you aren’t one of those dingles who use the same password on all of your accounts, then you should be fine in just focusing on the accounts that truly are at risk for now.
How to Handle Heartbleed
Was the website ever vulnerable to Heartbleed?
- Yes: wait for a public announcement, or contact the website, then once the website's servers are patched, log in and change your password.
- No: take no immediate action.
So I guess lesson learned: don’t rely on software to do a person’s job, and while you’re at it, don’t believe everything you hear or read.
Do yourself a favour and check with the websites you frequent most to see if they have announced anything publicly, and if they haven’t, then email them and ask in order to make absolutely sure that they have taken the proper precautions. If some time passes and they haven’t done anything about the issue, then I strongly suggest that you not change your password, but instead close that account and take your business elsewhere, seeing as the website obviously doesn’t care one bit about your privacy, or how secure your account and the data in it is.
© 2014 Anti-Valentine