How Extensive Is the Heartbleed Bug?
Source: Neil J. Rubenking
News this week has been dominated by discussions of the Heartbleed bug, which allows hackers to scoop up data directly from the memory of affected secure servers. The captured data could include encryption keys, passwords, and any data sent via a supposedly secure HTTPS channel. The bug has been present for over two years, and since the attack leaves no trace, we have no idea how much it's been exploited.
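To make concrete why a server's memory can be read, here is an added example (not code from the article or from OpenSSL) that models the TLS heartbeat message in Python. The peer sends a type byte, a two-byte payload length, the payload and padding; the flaw was that the length field was trusted instead of being checked against the size of the record actually received. `respond_unchecked` simulates the pre-patch behaviour against a constructed "adjacent memory" buffer, and `respond_checked` applies the same length test the fix introduced (type byte + length bytes + claimed payload + 16 bytes of minimum padding must fit inside the record). All message contents below are constructed for the demonstration.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat body: type(1) | payload_length(2) | payload | padding.

    claimed_length lets the caller construct a message whose length field
    overstates the payload that is really present.
    """
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def respond_unchecked(record: bytes, adjacent_memory: bytes) -> bytes:
    """Simulation of the pre-patch behaviour (not the real OpenSSL code).

    The peer-supplied payload_length is trusted, so the response copies that
    many bytes starting at the payload. 'adjacent_memory' is a constructed
    stand-in for whatever happened to sit after the record in the process
    heap; a C implementation would read past the record directly.
    """
    _hb_type, payload_length = struct.unpack("!BH", record[:3])
    memory = record + adjacent_memory  # simulated heap layout
    return memory[3:3 + payload_length]


def respond_checked(record: bytes) -> Optional[bytes]:
    """Patched behaviour: the claimed payload must fit inside the received record.

    Returns the echoed payload, or None when the message is discarded
    (the fix silently drops malformed heartbeats rather than answering them).
    """
    if len(record) < 3:
        return None
    hb_type, payload_length = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    # Same shape as the bounds check added by the fix:
    # 1 type byte + 2 length bytes + payload + minimum padding <= record length
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None
    return record[3:3 + payload_length]


if __name__ == "__main__":
    honest = build_heartbeat(b"hello")
    oversized = build_heartbeat(b"hello", claimed_length=40)
    neighbour = b"SESSION-KEY-CONSTRUCTED"  # constructed stand-in for nearby heap data
    print("honest, checked:  ", respond_checked(honest))
    print("oversized, checked:", respond_checked(oversized))
    print("oversized, unchecked leaks:", respond_unchecked(oversized, neighbour))
```

The checked version is the one that matters for defenders: the only difference between the two handlers is a single comparison against the real record length, which is why the attack leaves nothing in server logs; a well-formed-looking heartbeat simply got a larger-than-expected reply.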
Who's Vulnerable?
The password wizards at LastPass have added a new wrinkle to the product's Security Check report. Now, in addition to flagging weak and duplicate passwords, it lists any of your saved sites that are or were vulnerable to Heartbleed. I asked a number of fellow LastPass users to send me the results of that report, just to get a feel for what's out there.
I have over 200 passwords stored in LastPass myself. Just six of them were reported as vulnerable, and two had already been patched. Adding in results from my colleagues, I saw 50 vulnerable sites, with 30 of them still not patched.
The LastPass report recommends you change your password for sites that have been patched to fix the bug. For the others, it suggests waiting until after the site announces an update, since your brand-new password would still be vulnerable. For myself, I'd suggest taking Heartbleed as a wake-up call to change all your passwords, making sure that every one of them is strong and that no two sites use the same password. You'll have to change passwords for still-vulnerable sites again after they're fixed, but changing them all now minimizes the potential for exposure.
Top Shops
For another view, I took Alexa's top 20 most popular shopping sites and ran them through a couple of online tests. Researcher Filippo Valsorda created a test shortly after the Heartbleed news broke. LastPass is also hosting an on-demand test.
I found Valsorda's test results a bit confusing. The test returned an error message like "broken pipe" or "i/o timeout" for five of the 20 sites I tried. Nine sites got a clean bill of health, as the test reported they were "fixed or unaffected." The remaining six returned an error message due to the fact that the connection was handed off to a content delivery network, and the CDN's certificate didn't match the domain I entered. Checking the box to ignore certificates got all of these a "fixed or unaffected" result, but the test page warns this may be a false result.
The test page supplied by LastPass gives a lot more information. It reported ten of the sites as possibly unsafe. That means the test couldn't determine whether or not the site uses OpenSSL, the crypto library affected by the Heartbleed bug. Four of the sites were probably vulnerable, because they do use OpenSSL, and two of those are now safe. Four other sites were definitely not vulnerable, and one that was definitely vulnerable is now safe. That leaves just one site that couldn't be analyzed due to a connection error.
The LastPass Heartbleed tester also reports how recently each site's SSL certificate was changed. A certificate that was changed shortly after the news about Heartbleed broke is a pretty good indication that the site was affected but is now safe.
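The certificate-date heuristic described above is easy to apply yourself. The following is an added example (not part of the article, and not the LastPass tester's code) that reads the `notBefore` field of a server's certificate with Python's standard `ssl` module and classifies it against the public disclosure date of Heartbleed, 7 April 2014. `fetch_not_before` makes a real network connection; `classify_cert` works offline on the date string so the logic can be exercised on constructed inputs.

```python
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure of the Heartbleed bug (CVE-2014-0160).
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_cert_time(value: str) -> datetime:
    """Parse the notBefore/notAfter format returned by SSLSocket.getpeercert(),
    e.g. 'Apr  9 00:00:00 2014 GMT', into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def classify_cert(not_before: str, disclosure: datetime = DISCLOSURE) -> str:
    """Apply the heuristic: a certificate issued on or after the disclosure date
    suggests the operator re-keyed after patching; one issued earlier does not
    tell us anything either way."""
    issued = parse_cert_time(not_before)
    if issued >= disclosure:
        return "reissued after disclosure"
    return "issued before disclosure"


def fetch_not_before(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to the host, validate the chain normally, and return the leaf
    certificate's notBefore string. Network call; not exercised offline."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notBefore"]


if __name__ == "__main__":
    # Constructed sample values standing in for real getpeercert() output.
    for sample in ("Apr  9 00:00:00 2014 GMT", "Jan 15 00:00:00 2013 GMT"):
        print(sample, "->", classify_cert(sample))
```

Two caveats a practitioner should keep in mind: a fresh certificate on its own only shows that the operator re-keyed, not that the old certificate was revoked or that the OpenSSL build was actually patched, and certificates get reissued for unrelated reasons, so treat the date as a hint that supports the site's own announcement rather than as proof.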
As for all of the sites whose status is unclear, your best bet is to wait for an announcement from the site itself. Be wary, though. Don't click any password-reset link you receive in an email, because some of those are frauds. Navigate directly to the site, change your password, and be sure your password manager picks up on the change.