As you may have heard, a vulnerability in OpenSSL, the encryption software used by roughly two-thirds of the web's servers, has been discovered. It's commonly referred to as the "Heartbleed bug" (CVE-2014-0160). We were one of the affected sites. As soon as we found out we were vulnerable, we took the necessary steps to patch our systems and to revoke our SSL certificate.
What is the Heartbleed bug, anyway?
It's a defect in OpenSSL, a piece of software that 2/3rds of the sites on the internet use to encrypt their traffic. The defect makes it so that an attacker can easily read chunks of the server's memory (up to 64 KB at a time, as often as they like) and see whatever happened to be stored there at the time of the attack. This picture shows what an attack looks like.
This bug was present undetected on the internet for two years. That means
it's possible that your login credentials were exposed. Again, this isn't
specific to us: 2/3rds of the sites on the internet are affected by this
too, including Yahoo.
Why is it called Heartbleed?
The TLS 'heartbeat' is a keep-alive message: one computer sends the other a small payload together with a number saying how long that payload is, and the other side echoes the same payload back to show the connection is still alive. The 'bleed' part comes from the defect: the vulnerable code trusted the length the sender claimed instead of checking the length the sender actually sent. So an attacker can send a single byte, claim it was 64 KB long, and the server dutifully copies 64 KB starting at that byte into its reply, sending back whatever happened to be sitting next to it in memory, effectively 'bleeding' private information back to the person who issued the request. Each request can leak up to 64 KB, and nothing stops the attacker from sending thousands of them.
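To make the 'bleed' concrete, here is an added example in C, written for this post and not taken from OpenSSL's source. It models a heartbeat handler over a simulated block of server memory: the record layout (type, declared length, payload, padding) follows the TLS heartbeat spec, while the memory layout, the "secret" sitting next to the record, and the attacker's claim of 64 bytes are constructed for illustration. The vulnerable handler trusts the declared length; the fixed one adds the single comparison that the OpenSSL patch added.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record:
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload length, big-endian, as DECLARED by the sender
 *   N bytes  payload
 *   16 bytes padding (minimum)
 * Illustrative code for this post, not OpenSSL's own implementation. */
#define HB_HDR     3
#define HB_PADDING 16
/* Big enough that any 16-bit claimed length stays inside the simulation. */
#define MEM_SIZE   (HB_HDR + 65535 + HB_PADDING + 64)

/* Simulated process memory: the received record goes at the front and an
   unrelated secret (say, another user's session cookie) sits right after it,
   the way leftover heap data sits next to a freshly parsed record. */
static unsigned char process_memory[MEM_SIZE];
static const char secret[] = "session_cookie=SECRET123";   /* constructed */

/* Place a heartbeat request in process_memory. `claimed_len` is what the
   attacker writes in the header; `payload` is what they actually send.
   Returns the number of bytes that really arrived on the wire. */
static size_t receive_heartbeat(uint16_t claimed_len, const char *payload)
{
    size_t payload_len = strlen(payload);              /* keep this short */
    unsigned char *p = process_memory;

    memset(process_memory, 0, sizeof process_memory);
    *p++ = 1;                                          /* heartbeat request */
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, payload, payload_len);
    p += payload_len;
    memset(p, 0, HB_PADDING);
    p += HB_PADDING;

    size_t received = (size_t)(p - process_memory);
    memcpy(process_memory + received, secret, sizeof secret);
    return received;
}

/* Build the echo response: copies `payload_len` bytes from `payload`.
   Both handlers share this; only the check in front of it differs. */
static unsigned char *build_response(const unsigned char *payload,
                                     uint16_t payload_len, size_t *out_len)
{
    size_t len = HB_HDR + (size_t)payload_len + HB_PADDING;
    unsigned char *buf = malloc(len);
    if (!buf) return NULL;
    unsigned char *bp = buf;
    *bp++ = 2;                                         /* heartbeat response */
    *bp++ = (unsigned char)(payload_len >> 8);
    *bp++ = (unsigned char)(payload_len & 0xff);
    memcpy(bp, payload, payload_len);     /* the over-read happens here */
    bp += payload_len;
    memset(bp, 0, HB_PADDING);
    *out_len = len;
    return buf;
}

/* Vulnerable handler: reads the declared length out of the record and never
   compares it with `received`, the number of bytes that actually arrived. */
static unsigned char *vulnerable_heartbeat(const unsigned char *rec,
                                           size_t received, size_t *out_len)
{
    (void)received;                                    /* the bug: ignored */
    if (rec[0] != 1) return NULL;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec + HB_HDR, payload_len, out_len);
}

/* Fixed handler: discard the record if the declared payload does not fit
   inside the bytes actually received. */
static unsigned char *fixed_heartbeat(const unsigned char *rec,
                                      size_t received, size_t *out_len)
{
    if (received < HB_HDR + HB_PADDING) return NULL;   /* too short */
    if (rec[0] != 1) return NULL;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload_len + HB_PADDING > received)
        return NULL;                                   /* the missing check */
    return build_response(rec + HB_HDR, payload_len, out_len);
}

/* Did the reply carry the secret, i.e. did memory bleed? */
static int response_leaks_secret(const unsigned char *resp, size_t len)
{
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(resp + i, secret, slen) == 0) return 1;
    return 0;
}

/* One attack: send the 2-byte payload "hi" but claim `claimed_len` bytes.
   Returns 1 if the secret leaked, 0 if the echo was clean, -1 if rejected. */
int run_attack(int use_fix, uint16_t claimed_len)
{
    size_t received = receive_heartbeat(claimed_len, "hi");
    size_t out_len = 0;
    unsigned char *resp = use_fix
        ? fixed_heartbeat(process_memory, received, &out_len)
        : vulnerable_heartbeat(process_memory, received, &out_len);
    if (!resp) return -1;
    int leaked = response_leaks_secret(resp, out_len);
    free(resp);
    return leaked;
}

int main(void)
{
    printf("honest request, vulnerable server: %d\n", run_attack(0, 2));
    printf("claims 64 bytes, vulnerable server: %d\n", run_attack(0, 64));
    printf("claims 64 bytes, patched server:    %d\n", run_attack(1, 64));
    return 0;
}
```

The honest request (claims 2 bytes, sends 2) is echoed cleanly by both handlers. The dishonest one (claims 64 bytes, sends 2) makes the vulnerable handler copy past the end of the record and return the neighbouring "secret"; the fixed handler rejects it before any copy happens. The simulated memory is sized so the over-read stays inside the array, which is what lets the demo run safely; on a real server the same copy walks into whatever the process has in its heap.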
Is it really that big of a deal?
Yes and no. It's a big deal in that the bug went undiscovered for two years and probably has been exploited by unscrupulous actors, but due to the nature of this bug, there's no way to tell: exploiting it leaves nothing unusual in the server's logs. What leaks is whatever happened to be in memory at that moment, which can include users' passwords and session cookies and even the server's private key (which is why certificates had to be revoked and reissued, not just patched). There could be no actual damage, or there could be a lot of actual damage. There's just no way to know. That's what makes this defect so serious.
What do I do now?
First, if your association has its own SSL certificate (if your users log in over HTTPS, and they should, then you have one), speak with your IT department and ask whether your servers were vulnerable and whether they've been patched. Once the systems are patched and a new SSL certificate has been issued (the old one should be revoked, since its private key may have been exposed), have your association members change their passwords. Changing passwords before the patch is in place does no good, because the new password could leak the same way.
What can I do to protect myself online?
- Never use the same password on multiple sites.
- If you're like me and reuse passwords anyway, at least never use the password for a sensitive system on any other site.
- If you're using Chrome, navigate to chrome://settings in the Chrome address bar and be sure to check the box that says "Check for server certificate revocation" under the heading "HTTPS/SSL".
- If you're using IE 8+ or Firefox, they automatically check for revoked certificates. Be aware that these browser checks "fail open": if the revocation server can't be reached, the certificate is accepted anyway, so don't treat this as a guarantee that a revoked certificate will be rejected.
- Change your passwords for sensitive websites frequently (every 6 months)
I want to learn more about the Heartbleed bug!