PSA: The Heartbleed Bug and Why You Should Pay Attention
Apr 10, 2014 13:51:42 GMT -8
Post by Deleted on Apr 10, 2014 13:51:42 GMT -8
So I'm an electrical engineering student. I live with computer science people. I have family working in network security. I hear all kinds of things down all kinds of channels, and it pays to be skeptical about a lot of the scares, but I do feel the need to let you guys know about it a bit, if you haven't researched it already.
In layman's terms, there's this security protocol called OpenSSL that's used by most sites (I saw a lot of sites throwing numbers around like 66%) for encryption of their passwords and private data. There are keys that allow your simple password, "doge$44lemon", to be interpreted by the computer without it sitting somewhere for someone to just look at.
Now, the Heartbleed bug takes a random chunk of data from the site. It's like reading a single sentence somewhere in someone's private journal. You might get nonsense: "... went to the store. I bought some juice. It was grape..." but you might also get something very important: "Bobby's hamster died today. We didn't have the heart to tell him. It's buried behind the wood shed." Naturally, the latter chunk is more important than the former if it got out to all of Bobby's bullies.
So somewhere in the world, someone could just find a random chunk of data containing your encrypted password or better yet, the key that allows them to unencrypt your password. Scary, no? Time to run out and change every password so they can't steal your stuff on Amazon, Google, or Steam.
Well, kind of. There are two things to know:
One: It's only a certain version of OpenSSL. Not every site is using it. Not every system even uses that protocol as their security measure. Most sites have fixed their vulnerability by changing to a different version (newer or a branched off version) but not all. This site has a nice list of what you should look at.
Two: If the website in question hasn't updated their SSL protocol, they are still vulnerable. Changing your password there does little good until they fix things. The key to your encrypted password may still unlock your new password. If you use the same password on multiple sites, then they can get your information on one site and use it to log in as you on another site. Uh-oh.
So what does this say? It says you should probably at least change your credentials on all your major places of visitation after assuring yourself that they are secure.
Mind you, I'm not a networking expert. I may get things wrong. Better to do the research and be safe than sorry, though. One other thing is that it's really nothing to panic about. Just keep a weather eye on stuff, particularly where sensitive data like credit cards are concerned, for a week or two and things will be smooth as butter.
Love, Fishbutts.
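The "random chunk of data" the post describes comes from a single missing check: the heartbeat message carries a length field the peer fills in, and the vulnerable code copied that many bytes back without confirming that many bytes had actually arrived. The following is an added illustration, not code from the post or from OpenSSL. It models process memory as a small constructed arena, puts a heartbeat record at the front and some unrelated constructed data after it, and shows the naive responder beside the checked one; the record layout (type, two-byte length, payload, 16 bytes of padding) follows the TLS heartbeat extension, but the arena, the helper names and the sample values are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Constructed model of a TLS heartbeat record: 1 byte type, 2 byte
   big-endian payload length, payload, then 16 bytes of padding.
   Process memory is modelled as a fixed arena so the simulated
   over-read stays inside a real buffer and the demo is well-defined C. */
#define MEM_SIZE    256
#define HB_HEADER   3
#define HB_PADDING  16

/* Simulated process memory: the heartbeat record sits at the front and
   unrelated data (standing in for other connections' secrets) after it. */
static unsigned char mem[MEM_SIZE];
static size_t record_len;   /* how many bytes actually arrived on the wire */

/* Build the arena: claimed_len is what the peer wrote into the length
   field, actual_payload is what the peer really sent. */
static void build_arena(uint16_t claimed_len, const char *actual_payload) {
    memset(mem, 0, sizeof mem);
    size_t plen = strlen(actual_payload);
    mem[0] = 1;                                  /* heartbeat_request */
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + HB_HEADER, actual_payload, plen);
    record_len = HB_HEADER + plen + HB_PADDING;  /* padding left as zeros */
    /* Constructed "leftover" data from some other request in the same process. */
    const char *other = "session=4f2a...; password=doge$44lemon";
    memcpy(mem + record_len, other, strlen(other));
}

/* Naive responder: trusts the peer-supplied length and copies that many
   bytes back. Returns the number of bytes placed in out. The arena cap
   only keeps the simulation in bounds; it is not the fix. */
static size_t heartbeat_naive(unsigned char *out, size_t out_cap) {
    size_t claimed = (size_t)((mem[1] << 8) | mem[2]);
    if (HB_HEADER + claimed > MEM_SIZE) claimed = MEM_SIZE - HB_HEADER;
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, mem + HB_HEADER, claimed);
    return claimed;
}

/* Checked responder: the claimed payload must fit inside the bytes that
   actually arrived, header and padding included; otherwise the record
   is silently discarded (returns 0) and nothing is echoed. */
static size_t heartbeat_checked(unsigned char *out, size_t out_cap) {
    size_t claimed = (size_t)((mem[1] << 8) | mem[2]);
    if (record_len < HB_HEADER + HB_PADDING) return 0;
    if (claimed > record_len - HB_HEADER - HB_PADDING) return 0;
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, mem + HB_HEADER, claimed);
    return claimed;
}

/* Does the echoed buffer contain bytes that were never part of the
   heartbeat payload? Looks for the constructed marker "password=". */
static int leaks_beyond_record(const unsigned char *out, size_t n) {
    const char *marker = "password=";
    size_t mlen = strlen(marker);
    for (size_t i = 0; i + mlen <= n; i++)
        if (memcmp(out + i, marker, mlen) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[MEM_SIZE];
    /* Peer claims 1024 bytes but sends 5; the naive responder echoes
       whatever follows the record in memory, the checked one refuses. */
    build_arena(1024, "hello");
    size_t n = heartbeat_naive(out, sizeof out);
    printf("naive: echoed %zu bytes, leaks other data: %d\n", n, leaks_beyond_record(out, n));
    n = heartbeat_checked(out, sizeof out);
    printf("checked: echoed %zu bytes\n", n);
    /* Honest record: length matches payload, both responders echo 5 bytes. */
    build_arena(5, "hello");
    printf("checked (honest): echoed %zu bytes\n", heartbeat_checked(out, sizeof out));
    return 0;
}
```

The only difference between the two responders is the single comparison against `record_len`, which is why the fix on the server side was small while the exposure was not: until a site ran a build with that check, every heartbeat could return a slice of whatever else the process held, which is the point the post makes about changing a password before the site is patched.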