
Is Heartbleed as Bad as the Media Would Have You Believe?

Updated on February 26, 2015

It was Thursday morning, the 10th of April. I was just doing my usual routine, checking my email, when I saw an update in a newsletter from a website that I visit frequently. It mentioned something by the name of Heartbleed. Intrigued, I clicked on it and read the post that had originally appeared on the website’s blog. From what I could gather, this particular website had taken the proper precautions and had not been particularly vulnerable to this Heartbleed bug, which, I discovered after googling and finding several news pieces, was potentially rather serious.

Heartbleed is a bug in the OpenSSL cryptography library that was publicly disclosed earlier this month (although some sources claim that various parties knew about it for some time before that), and it can result in a lot of sensitive data being leaked. You might have heard of SSL (Secure Sockets Layer) before – it is the encryption layer underneath HTTPS, and OpenSSL is one of the most widely deployed implementations of it. Everyone is advised to use HTTPS wherever it is offered online to keep sensitive data, including login details, i.e. passwords, and credit card details, from falling into the wrong hands. Now imagine a leaky “secure” connection and the fallout that can have. It’s a hacker’s dream come true. They wouldn’t even have to hack any accounts with Heartbleed. The bug is a missing length check in OpenSSL’s handling of the TLS “heartbeat” extension: anyone who can open a connection to a vulnerable server can ask it to echo back up to 64 KB of whatever happens to be in its memory at that moment, as often as they like, and that memory can hold private keys, passwords, session cookies and other users’ data. Some have described it as a man in the middle attack, but it isn’t one; no position between you and the server is needed. It is a memory leak that an attacker can trigger remotely, and it made the hackers' task that much easier.
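To make that mechanism concrete, here is an added example, written for this page rather than taken from OpenSSL, that models the heartbeat handler with and without the bounds check. The message layout (type, 16-bit payload length, payload, at least 16 bytes of padding) follows RFC 6520; the "arena" standing in for process memory, the secret string placed after the record, the claimed length of 64 bytes and the function names are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_PADDING 16    /* RFC 6520: every heartbeat carries at least 16 padding bytes */
#define ARENA_SIZE 128

/* Constructed "heap": the received record sits at the start of the arena and
 * unrelated data (a made-up cookie and password) happens to follow it. */
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "sid=abc123; password=hunter2";

/* Write a heartbeat request: type, 16-bit claimed payload length, real payload,
 * padding. Returns the record's true length. */
static size_t build_record(unsigned char *dst, uint16_t claimed_len,
                           const char *payload, size_t payload_len)
{
    size_t i = 0;
    dst[i++] = HB_REQUEST;
    dst[i++] = (unsigned char)(claimed_len >> 8);
    dst[i++] = (unsigned char)(claimed_len & 0xff);
    memcpy(dst + i, payload, payload_len);
    i += payload_len;
    memset(dst + i, 0, HB_PADDING);
    return i + HB_PADDING;
}

/* Vulnerable handler (OpenSSL 1.0.1 to 1.0.1f): copies as many bytes as the peer
 * CLAIMED, never comparing that with the record actually received. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rec_len;                      /* the bug: the real length is never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec[0] != HB_REQUEST || payload > out_cap)
        return 0;                       /* out_cap guard only keeps this model well-defined */
    memcpy(out, rec + 3, payload);      /* over-reads past the record when payload lies */
    return payload;
}

/* Fixed handler (OpenSSL 1.0.1g): drop records too short for a header, then
 * drop any claimed length that does not fit inside the record together with
 * the header and minimum padding. RFC 6520 section 4: discard silently. */
static long heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    if ((size_t)(1 + 2 + HB_PADDING) > rec_len)
        return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                      /* the one-line check that closed CVE-2014-0160 */
    if (rec[0] != HB_REQUEST || payload > out_cap)
        return -1;
    memcpy(out, rec + 3, payload);
    return (long)payload;
}

/* Portable substring search over a byte buffer. */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Lay out a request whose real payload is "ping" but which claims claimed_len
 * bytes, with the secret right after it. A real attacker claimed up to 65535;
 * 64 keeps the over-read inside this constructed arena. */
static size_t setup(uint16_t claimed_len)
{
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_record(arena, claimed_len, "ping", 4);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* 1 if the vulnerable handler's reply to the lying request carries the secret. */
int demo_vulnerable_leaks(void)
{
    unsigned char out[ARENA_SIZE] = {0};
    size_t n = heartbeat_vulnerable(arena, setup(64), out, sizeof out);
    return n == 64 && contains(out, n, "password=hunter2");
}

/* 1 if the fixed handler discards the same lying request. */
int demo_fixed_discards(void)
{
    unsigned char out[ARENA_SIZE] = {0};
    return heartbeat_fixed(arena, setup(64), out, sizeof out) == -1;
}

/* 1 if the fixed handler still answers an honest request with exactly "ping". */
int demo_fixed_answers_honest(void)
{
    unsigned char out[ARENA_SIZE] = {0};
    long n = heartbeat_fixed(arena, setup(4), out, sizeof out);
    return n == 4 && memcmp(out, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks the secret: %d\n", demo_vulnerable_leaks());
    printf("fixed handler discards the request:  %d\n", demo_fixed_discards());
    printf("fixed handler answers an honest one: %d\n", demo_fixed_answers_honest());
    return 0;
}
```

The point to notice is that nothing in the vulnerable path is "broken" from the attacker's side: the request is a perfectly valid TLS record, the server answers it as designed, and the only thing wrong is that the peer-supplied length was believed. That is also why it is not a man in the middle attack; the attacker is simply a client.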

There was mass panic online, and this was made worse by so-called "experts" ranting about how this was the most devastating thing to ever happen, that the internet was broken. This was of course not helped by the conspiracy theories that started to circulate claiming that various intelligence agencies had been exploiting this bug for years and that it was designed that way intentionally.

I mean, really? We read about websites being hacked and vulnerabilities like this being exploited by hackers every day. It wouldn't be the first time I've been told by a website that I need to log in and change my password because their website was hacked. This is like that but admittedly on a bigger scale, and all at the same time.

Now I don’t claim to be any sort of expert on the subject of security, even though I have written about it to some degree, but I have found a lot of the media’s claims to be nothing but sensationalist, alarmist, and a lot of the time untrue. Yes, it’s serious, and reportedly two thirds of the web’s servers run software that uses OpenSSL. But the fact is, and I was told this by HubPages staff after asking about the security of my account, that not all websites that use OpenSSL were ever vulnerable. Some of them used versions that were not affected by Heartbleed. In fact, I read through another article on HubPages on the same subject where it was said that in reality only 17% of all secure web servers worldwide were actually affected. Google was one of the biggest names on the list of those who were affected, but they effectively patched their servers early, before it all went public, and claimed that it wasn't necessary for people to change their account password.

I did by the way. All of my Google accounts’ passwords were changed ASAP.

Facebook was another, and was certainly on the ball, because they too had patched up and encouraged users to change their passwords. So I did.

But some websites were falsely accused of being vulnerable. This wasn’t helped by lists cropping up on websites that I hadn’t even heard of before, let alone visited, nor by the “Heartbleed checkers” that claimed to tell you whether a given website was vulnerable.

The flaw here is that many of these checkers relied upon the information supplied by these lists from unofficial sources, which contained a lot of confusing contradictions. Websites that had out of date security certificates were said to be affected by Heartbleed; websites that used no encryption; websites that used versions of OpenSSL that were not flawed; websites that had already been patched. A lot of them were lumped into one pile, making it hard to actually know where the real danger was. The checkers that actually probed a server, by sending it a malformed heartbeat request and seeing whether it echoed back more than it should, were more reliable, but they only tell you whether a server is vulnerable at the moment you test it, not whether it was exposed before it was patched, so a “not vulnerable” result the week after the disclosure says nothing about whether your password was at risk the week before.
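Since whether a site was ever exposed comes down to which OpenSSL release it ran, here is an added example (not from this page, from the checkers it mentions, or from OpenSSL) that classifies an upstream OpenSSL version string against the affected range: 1.0.1 through 1.0.1f and 1.0.2-beta1 were vulnerable; 1.0.1g fixed it, 1.0.2-beta2 and later are fixed, and the 0.9.8 and 1.0.0 branches never contained the heartbeat code. The sample version lines are constructed, and the function and enum names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum hb_status { HB_NOT_AFFECTED = 0, HB_AFFECTED = 1, HB_UNPARSEABLE = -1 };

/* Parse an upstream OpenSSL version token "MAJOR.MINOR.FIX[letter][-suffix]",
 * stopping at the first space so a full `openssl version` line such as
 * "1.0.1f 6 Jan 2014" parses too. Returns 1 on success. */
static int parse_version(const char *s, int *major, int *minor, int *fix,
                         char *letter, char *suffix, size_t suffix_cap)
{
    char *end;
    *major = (int)strtol(s, &end, 10);
    if (end == s || *end != '.') return 0;
    s = end + 1;
    *minor = (int)strtol(s, &end, 10);
    if (end == s || *end != '.') return 0;
    s = end + 1;
    *fix = (int)strtol(s, &end, 10);
    if (end == s) return 0;
    s = end;
    *letter = 0;
    if (isalpha((unsigned char)*s))          /* patch letter, e.g. the 'f' in 1.0.1f */
        *letter = *s++;
    suffix[0] = 0;
    if (*s == '-') {                         /* pre-release tag, e.g. -beta1 */
        size_t n = 0;
        for (s++; *s && !isspace((unsigned char)*s) && n + 1 < suffix_cap; s++)
            suffix[n++] = *s;
        suffix[n] = 0;
    }
    return *s == 0 || isspace((unsigned char)*s);
}

/* Classify a version line against the CVE-2014-0160 window. */
int heartbleed_status(const char *version_line)
{
    const char *s = version_line;
    int major, minor, fix;
    char letter, suffix[32];
    if (strncmp(s, "OpenSSL ", 8) == 0)      /* accept raw `openssl version` output */
        s += 8;
    if (!parse_version(s, &major, &minor, &fix, &letter, suffix, sizeof suffix))
        return HB_UNPARSEABLE;
    if (major != 1 || minor != 0 || fix == 0)
        return HB_NOT_AFFECTED;              /* 0.9.8, 1.0.0 and any later branch */
    if (fix == 1)                            /* 1.0.1 (no letter) through 1.0.1f */
        return (letter == 0 || letter <= 'f') ? HB_AFFECTED : HB_NOT_AFFECTED;
    if (fix == 2)                            /* only the first 1.0.2 beta shipped the bug */
        return strcmp(suffix, "beta1") == 0 ? HB_AFFECTED : HB_NOT_AFFECTED;
    return HB_NOT_AFFECTED;
}

int main(int argc, char **argv)
{
    /* Constructed sample lines; pass a real `openssl version` line as argv[1]. */
    static const char *samples[] = { "OpenSSL 1.0.1f 6 Jan 2014", "OpenSSL 1.0.1g 7 Apr 2014",
                                     "1.0.1", "1.0.2-beta1", "0.9.8y", "1.0.0l" };
    static const char *names[] = { "not affected", "AFFECTED" };
    size_t count = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < (argc > 1 ? 1 : count); i++) {
        const char *line = argc > 1 ? argv[1] : samples[i];
        int st = heartbleed_status(line);
        printf("%-28s -> %s\n", line, st < 0 ? "unparseable" : names[st]);
    }
    return 0;
}
```

One caveat a checker based on version strings cannot get around: Linux distributions such as Debian and Ubuntu backported the fix into their existing packages without bumping the upstream string, so a server can report 1.0.1e and still be patched. On those systems the package revision compared against the vendor's own advisory, not the upstream version, is what tells you whether the fix is in.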

Cyber criminals apparently even capitalised on this situation and started their own illegitimate SSL checkers, which would basically act as phishing websites to steal information from people. So if their accounts hadn’t been compromised up until that point, they most certainly were after they had used one of those websites.

Popular websites and services that were definitely affected by Heartbleed

Google – patched early and claimed that no password change was necessary (do it anyway); 2-step verification is available (this covers all Google products)

Yahoo!

Bing

Facebook – patched and encouraged users to change their passwords; 2-step verification and login notifications are available to use to add extra security to your account

Pinterest

Instagram

Flickr

Reddit – publicly announced that they had been affected and asked users to change their passwords

Tumblr – was affected, and patched; they now offer 2-step verification to protect accounts

SoundCloud – publicly stated that they were signing everyone out of their accounts, and followed this up by saying that upon signing back in they should change their passwords.

SourceForge – publicly stated that at least part of their website had been affected, and even sent an email to users that logged in during the "window of vulnerability".

Wikimedia (including Wikipedia) – was patched and users should change their password.

Check out CNET, who bothered to contact a whole list of websites for you, to see if any other accounts you may have are at risk.

LastPass added a Heartbleed check as part of their security check available to users, and I even signed up after being convinced by a writer who seemed to know what they were talking about.

There I learned that only as many websites as there are fingers on my right hand (five, in case you were wondering) were affected, and out of those, Google was supposedly not vulnerable, at least according to them. It didn’t take more than half an hour in total to log into those accounts, change the passwords, and log out. Crisis averted. I suppose I should consider myself blessed that I don't feel the need to be trendy and create an account on every website on the internet.

The fact is, though, that once again this wasn’t the most accurate method either, seeing as Reddit was vulnerable – this was even admitted by the website – and yet LastPass’s security check failed to spot that when I added one of my several throwaway accounts. I don’t care much for securing them, to be honest, seeing as they have virtually nothing in them worth stealing, apart from some Karma – apologies to some redditors who made light of the entire situation.

And it wasn’t just online – offline print publications did an even poorer job of presenting the facts, with some ignorantly labelling it a virus, which it isn't.

An article in the Cape Argus had a sensationalist title which claimed that Heartbleed would render you bankrupt, and said that the patch had been applied to “almost all websites, including South Africa’s banks (plural)”. That last part is misleading, because only Capitec Bank was found to have been vulnerable as far as I am aware. FNB, for instance, said that none of their servers used OpenSSL, so it’s safe to assume that they were not vulnerable in the first place, and any password change would be optional (yet recommended on a regular basis, of course) and purely for peace of mind, when it certainly isn’t critical.

The same goes for those saying that people should change all account passwords. By all means, if you’re paranoid, then go ahead, but if that website doesn’t use a vulnerable version of OpenSSL, or doesn’t use OpenSSL at all, then it shouldn’t be at the top of your list of priorities. By saying that one should change all passwords, they are in fact trying to make a claim that all the websites you use are at risk, when that simply isn’t true. As long as you haven’t typed in your password from a non-vulnerable website elsewhere, and you aren’t one of those dingles who use the same password on all of your accounts, then you should be fine in just focusing on the accounts that truly are at risk for now.

How to Handle Heartbleed

Was the website ever vulnerable to Heartbleed?

If yes: Wait for a public announcement, or contact the website; then, once the website's servers are patched (and ideally once its certificate has been reissued with a new private key, since the old key may have been read out of the server's memory), log in and change your password.

If no: Take no immediate action.

So I guess lesson learned: don’t rely on software to do a person’s job, and while you’re at it, don’t believe everything you hear or read.

Do yourself a favour and check with the websites you frequent most to see if they have announced anything publicly, and if they haven’t, then email them and ask in order to make absolutely sure that they have taken the proper precautions. If some time passes and they haven’t done anything about the issue, then I strongly suggest that you not change your password, but instead close that account and take your business elsewhere, seeing as the website obviously doesn’t care one bit about your privacy, or how secure your account and the data in it is.


© 2014 Anti-Valentine

