What is ‘Heartbleed’ and Why Does it Matter to Me?

If you’re like almost every connected person on the planet, you have probably heard way too many references to the “Heartbleed bug.” With all the hype online, on TV, and in print about the problem, we figured it might be tough for average computer users to figure out what it means for them or what they should do about it … hence this post.

Before we get into it, however, we want to let all Sales Renewal clients know that you have nothing to worry about: we don’t use the software that had the bug so all of your sites are safe.

So what is it?

Without getting too technical, Heartbleed is a software bug in a product called OpenSSL. Some sites use OpenSSL to provide a secure connection between themselves and your computer, and they rely on those secure connections when you are sending or receiving sensitive information. Normally, when information is sent over a “secure” line, it is encrypted so that anyone who might be snooping on the connection can’t read things you don’t want them to. By exploiting the Heartbleed bug, a less-than-scrupulous person could trick the server into handing over a chunk of the data held in its memory, which could include parts of its recent transactions.

The OpenSSL group has already fixed the problem, but affected sites have to install the fixed version of the software in order for the problem to be solved.

What does this mean for me?

Let’s consider an example.

Suppose you purchased a case of shiny new widgets from the online retailer of your choice. Suppose also that this retailer relied on OpenSSL for its secure communications. You put the case of widgets in your cart, and you check out. During the checkout procedure, you fill out a form that includes your credit card number, expiration date, security code, and the name (“as it appears on the card”). Maybe for good measure the site also asked you for your billing ZIP code.

When you click the “Purchase” button, all of this information gets sent to the retailer’s server where it gets stored in the server’s memory.

Along comes our bad guy, who, knowing about the Heartbleed bug, does his evil magic and gets the retailer’s site to spit out a chunk of its recent memory. As you might have guessed, if the timing is right, the recent memory our bad guy gets contains YOUR credit card number. And not just that, he gets all the information he needs to make purchases in your name anywhere he wants.
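For readers who want to see the mechanism behind “spit out a chunk of its recent memory”, here is an added illustration (it is not code from OpenSSL or from this post): a toy heartbeat handler in the vulnerable shape, beside one with the kind of length check the fix introduced. The slice of server memory, the checkout form in it and the card number are all constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a slice of server memory: a heartbeat request
 * followed by whatever happened to be stored next to it (here a made-up
 * checkout form; the card number is a placeholder, not a real number). */
static const unsigned char server_memory[] =
    "\x01"        /* record type: heartbeat request */
    "\x00\x28"    /* length the sender CLAIMS for its payload: 40 bytes */
    "ping"        /* payload actually sent: 4 bytes */
    "...card=CONSTRUCTED-4242 exp=12/99 cvv=000...";
#define RECORD_LEN 7  /* bytes actually received: 1 type + 2 length + 4 payload */
/* 16-bit big-endian payload length from the record header. */
static size_t claimed_length(const unsigned char *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}
/* Vulnerable handler: believes the sender's length field and echoes that
 * many bytes, so the reply can carry memory lying beyond the record. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    size_t n = claimed_length(rec);
    (void)rec_len;               /* the received size is never consulted */
    if (n > out_cap) return -1;
    memcpy(out, rec + 3, n);
    return (int)n;
}

/* Hardened handler, the shape of the OpenSSL fix: the claimed length must
 * fit inside the bytes actually received, otherwise the request is dropped. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return -1;
    size_t n = claimed_length(rec);
    if (3 + n > rec_len || n > out_cap) return -1;
    memcpy(out, rec + 3, n);
    return (int)n;
}

/* How many echoed bytes came from outside the received record. */
size_t bytes_beyond_record(int echoed, size_t rec_len) {
    size_t got = rec_len - 3;
    return (echoed > 0 && (size_t)echoed > got) ? (size_t)echoed - got : 0;
}
int main(void) {
    unsigned char reply[64];
    int n = heartbeat_vulnerable(server_memory, RECORD_LEN, reply, sizeof reply);
    printf("vulnerable: echoed %d bytes, %zu from beyond the record\n", n, bytes_beyond_record(n, RECORD_LEN));
    printf("fixed: returns %d\n", heartbeat_fixed(server_memory, RECORD_LEN, reply, sizeof reply));
    return 0;
}
```

The vulnerable handler echoes 40 bytes of which 36 lie past the request it actually received, which is how the neighbouring checkout data ends up in the reply; the fixed handler refuses the same request.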

So what do I do about it?

The first thing to do is, to quote Douglas Adams’ Hitchhiker’s Guide to the Galaxy, “Don’t Panic”. There is no guarantee that an affected site has been compromised. And unless an attacker has exploited the bug shortly after you have been active on that site, there is only a tiny chance that he got access to any of your information.

With that said, there is something you can do. You can spend some time trying to find a list of affected sites and check it for any site on which you have important accounts. While a comprehensive list is hard to find, there are some decent places to start:

The Heartbleed Web Site

A partial list of affected sites

Once you find an affected site that means something to you, you can check with them to see if they have fixed the problem. Most reputable sites should have already reached out to you with their own notices about the issue and information on when you can expect them to have installed the fixed version of OpenSSL. If the site has been updated, then you can safely log in and change your password.

If not, then changing your password will do no good since the bug makes the new information as easy to get as the old. In this case, you might consider logging in and removing your sensitive information. One possibility is to delete your credit card information so that the attacker can’t get it.

If you can’t delete it, replace your card numbers with test numbers. You can search online for a list of test credit card numbers which are numerically valid but have been set aside for testing credit systems. Use one of these numbers in place of your real number until the site in question installs the fixed version.

As always, the best practice is to be vigilant with your online life. This applied to internet commerce before the Heartbleed bug made news, and it will apply just as much after the hype has faded away into history. You should always be scrutinizing your credit card statements, bank balances, and other account summaries very carefully to spot things that don’t belong there. If something appears, contact the vendor immediately and let them know to minimize the damage.

What if I have a secure web site?

If you are a Sales Renewal customer and your site is hosted with us, you have nothing to fear. None of our sites use OpenSSL for their secure connections, so we can categorically say that none of our customers’ sites are affected.

If you are not hosting with us, then you need to contact your hosting provider to find out whether your server(s) are affected by the issue. Most reputable providers will have taken a proactive stance on this issue and applied the necessary fixes already. If not, then it’s time for a priority support request to fix the problem. If that doesn’t get it done immediately, then it’s seriously time to think about switching hosting firms.
