About the Heartbleed Bug

By George Stocker posted Apr 10, 2014 10:43 AM

  

As you may have heard, a vulnerability that affects two-thirds of the internet has been discovered.  It's commonly referred to as the "Heartbleed bug". We were one of the affected sites. As soon as we found out we were vulnerable, we took the necessary steps to patch our systems and to revoke our SSL certificate.

What is the Heartbleed bug, anyway?

It's a defect in a piece of software that 2/3rds of the sites on the internet use. This defect makes it so that an attacker can easily see anything stored in the server¹s memory at the time of the attack. This picture shows what an attack looks like.

This bug was present undetected on the internet for two years. That means it's possible that your login credentials were exposed. Again, this isn't specific to us: 2/3rds of the sites on the internet are affected by this too, including Yahoo. 

Why is it called Heartbleed?

If you're a computer and you want to be sure the other computer you're talking to can communicate over a secure port, you can use its 'heartbeat' function to have the server echo back to you any data you send to it.  The 'bleed' part is called that because the vulnerability causes the server to send back more information than was sent to it, effectively 'bleeding' private information back to the person who issued the request.

Is it really that big of a deal?

Yes and no. It's a big deal in that this bug was undiscovered for two years and probably has been exploited by unscrupulous actors, but due to the nature of this bug, there's no way to tell. There could be no actual damage, or there could be a lot of actual damage. There's just no way to know. That's what makes this defect so serious.

What do I do now?

First, if your association has its own SSL certificate (if you have users log in over HTTPS (and you should), then you have one), you should speak with your IT department and ask if you're vulnerable and if they've patched your systems. Once your systems are patched and new SSL certificates are issued; you should have your association members change their passwords.

What can I do to protect myself online?

  • Never use the same password on multiple sites
  • If you're like me, you probably use the same password across multiple sites, but your password for sensitive systems should not be used for any other site
  • If you're using Chrome, navigate to chrome://settings in the Chrome address bar and be sure to check the box that says, "Check for server certificate revocation" under the heading "HTTPS/SSL".
  • If you're using IE 8+ or Firefox, they automatically check for revoked certificates.
  • Change your passwords for sensitive websites frequently (every 6 months)

I want to learn more about the Heartbleed bug!

1 comment
128 views

Permalink

Comments

Apr 10, 2014 11:31 AM

Thank you so much for posting this, George. I was wondering this very thing this morning, and really appreciate the proactive response.