What's all the fuss with Heartbleed? How do I check if my web host is secure?
So, you see a little padlock in the address bar of your browser and think you are safe. You have an encrypted connection and you are free to provide passwords, user names and credit card numbers securely. Well, you need to think again. There is a new bug dubbed Heartbleed that gives attackers the ability to read a protected web server’s memory, and this could mean that your credit card numbers, passwords and other confidential details are vulnerable. That is not the worst part: Heartbleed has been there for a while, which means a lot of sites have been left out in the open for attackers to feast on private information. Here is what you need to know about this bug.
Heartbleed Explained
Heartbleed is a serious vulnerability in OpenSSL, a library used to encrypt and secure connections such as web and email. An attacker can simply pass an incorrect value to one of the OpenSSL extensions, and this gives them the ability to read about 64KB of a web host’s memory. By repeating the process, the attacker can read more memory and gain access to as much information as they need.
How Much Has Heartbleed Spread?
Though Heartbleed is a disaster, there is some good news. The bug is not a general problem; it is limited to one specific implementation, OpenSSL 1.0.1, which was released on 14th March 2012 and was fixed on 7th April the same year with OpenSSL 1.0.1g. The bad news is that the most used web servers, nginx and Apache, which protect 70% of busy sites, use OpenSSL as their standard encryption library. For this reason, you cannot simply assume that you are safe.
Is Your Website Safe?
There is a possibility that you are safe, because version 1.0.1g of OpenSSL addressed this issue. The release alone might not have solved the problem, though: the update has to be installed and the services restarted for the change to take effect. Some of the big, actively managed websites must have fixed the problem already, but smaller sites might still be at risk.
How To Check Whether Your Website Is Affected
There is a Heartbleed page created by LastPass that provides a test function you can use to check whether your website is affected by the bug. The page is currently receiving a lot of traffic, so occasionally you will not get results and will need to try again later.
How To Protect Your Website
Protecting your website from the Heartbleed bug is simple. If you test your site and find that it is vulnerable, get it fixed immediately by upgrading to OpenSSL 1.0.1g. The process is not difficult and does not take long; once it is done, test your site again to confirm the change. If you are unsure, double check with your host. Any reputable host will be able to help you get this sorted out ASAP.
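For anyone with shell access to their own server, the two checks described above (is the installed OpenSSL in the affected 1.0.1 range, and have services been restarted since the upgrade) can be scripted. This is an added example, not part of the original article; the function names are illustrative, the version range is the one the article states, and the restart check assumes a Linux `/proc` filesystem.

```shell
#!/bin/sh
# Added example; heartbleed_status and stale_libssl_pids are illustrative names.

# Classify the text printed by `openssl version` against the range given in
# the article: the 1.0.1 series before 1.0.1g.
# Prints "affected" or "not-affected".
heartbleed_status() {
    # The second field is the version; drop vendor suffixes such as "-fips".
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    ver=${ver%%-*}
    case "$ver" in
        1.0.1|1.0.1[abcdef]) echo "affected" ;;
        *)                   echo "not-affected" ;;
    esac
}

# Print the PIDs of processes that still map a libssl file which has been
# replaced on disk (marked "(deleted)"), meaning the service has not been
# restarted since the upgrade. $1 is the proc root (assumed default: /proc).
stale_libssl_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # unreadable or no match: skip
        if grep -q 'libssl.*(deleted)' "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Run both checks against the local machine: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    heartbleed_status "$(openssl version)"
    stale_libssl_pids
fi
```

A distribution package can carry the fix under an older version string, so treat an "affected" result as a prompt to check your vendor's advisory. Reading other processes' maps requires root.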