SSL and Heartbleed

posted by mark
Apr 11

If you have skimmed any technology news lately, you will certainly have heard of Heartbleed, the latest serious security threat on the internet.  Many people will be asking what they should do to protect themselves, sadly the answer isn’t so much what can you do, as what should you be waiting for to happen.  Hopefully this helps you to understand what is going on.

While most people will hear there is a new threat and worry about what they should download or or buy or fix, the answer sadly this time is, nothing.  Unless you are in a position where you support a web site or other device that uses SSL or TLS for it’s security, you are waiting on the people who do to fix it.

Most average people will never have heard of OpenSSL before this, the ones who have understand that the security of this wonderful medium we have come to rely on so much, sometimes balances on a somewhat fragile edge.  Other than cell phones, what has been one of the most revolutionary means of communications?  The Internet of course.

Almost our entire world now communicates in some form or another by the means we have come to know as the Internet. A network that has evolved for tremendous flexibility and redundancy, but one that relies on connectivity point to point.  And with that evolution of communications has come the need and desire for security.

This security comes in many forms.  SSL and TLS are used in almost every device and web site that is secured, from the routers we connect to the Internet from our homes, when we open a web browser to look at our bank information online, or when we complete a form for our doctor’s office on their web site, or log into a company’s Virtual Private Network.

Back to OpenSSL.  OpenSSL formed the basis of the SSL and TLS security that we know encrypts our data   OpenSSL is one full time developer and a small group of volunteers, and we rely almost solely on SSL and TLS for our online security.

While OpenSSL admits they could use some help, they get by primarily on small donations and some small support donated from a few companies, the technology they support almost single-handedly secures this fantastic medium we rely on so much.

Back to our problem today, several years ago one person in that small group inadvertently left a hole, a defect, in a piece of code.  This hole has sat relatively quietly (although reportedly the NSA knew about it) and from what we can tell, it has for the most part not been exploited on a large scale.

The problem is that recently this security flaw has come into light, so now it becomes a race between hackers who will seek to exploit this vulnerability to steal information, and the rest of the technology world racing to fix that hole before the hackers can do their damage.

For most people there is nothing you can do.  You should make sure you have the latest updates for your devices, routers, cell phones, blogs, whatever you have control over.  You could avoid doing any business online, if you can get by without it, or you can risk that the defect hasn’t been exploited yet.  Most likely you will be safe, at least for now.  If you are notified by your financial institution they have patched their system, they probably have.  But if they send you a link in an email telling you they need you to update your information for their new security, don’t click the link, go to your bank’s website by directly typing in the URL and look to see if they really are asking you to update something.

In the end, the best thing you can do is make sure your anti-virus is up to date, make sure you have the latest patches for your computer and devices in place, and use common sense.  If someone send you a link or tells you that you have won the Irish lottery, and you didn’t ask for the link or enter the lottery, don’t click the link, don’t open the email.

Updated to include that cell phones may also be affected.

Categories: Blog


Comments are closed.