What if we told you that your personal Facebook or Twitter account has been subjected to numerous hacks and compromises in the past couple of years without you getting even the slightest indication of what's happening behind your back? Sounds surreal, doesn't it? Welcome to the world of the Heartbleed OpenSSL bug.
OpenSSL is the most widely used cryptographic library for the Apache and nginx web servers, and it implements a Transport Layer Security (TLS) feature called Heartbeat, an extension added to TLS in 2012. The combined market share of just those two, Apache and nginx, among the active sites on the Internet is over 66% according to Netcraft's April 2014 Web Server Survey.
What is HEARTBLEED?
How does HEARTBLEED work?
When a heartbeat request is sent, the server replies with a small chunk of its short-term memory, about 64 kilobytes, which an attacker can then read. That memory can leak sensitive data such as message contents, user credentials, session keys and the server's private keys. By sending heartbeat requests repeatedly, an attacker can retrieve more and more of the server's memory contents.
About two-thirds of web servers rely on OpenSSL, which means that information passing through hundreds of thousands of websites could be exposed.
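As an added example (not code from the original article or from OpenSSL), the following Python routine applies to a raw TLS heartbeat record the bounds check that the fix in OpenSSL 1.0.1g introduced: the payload length claimed in the message must fit inside the record, otherwise an unpatched server would answer with memory it never received. The Heartbeat message layout follows RFC 6520; the function names and the sample records are constructed for illustration.

```python
import struct

TLS_HEARTBEAT = 24              # TLS record content type for the Heartbeat extension (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
MIN_PADDING = 16                # RFC 6520 requires at least 16 bytes of random padding
MAX_PAYLOAD = 2 ** 14 - 3 - MIN_PADDING  # largest payload that fits a 16 KiB TLS record


def check_heartbeat_record(record: bytes):
    """Return (ok, reason) for one TLS record.

    ok is False when the heartbeat is malformed in the way that made
    OpenSSL 1.0.1 through 1.0.1f leak memory: the 2-byte payload_length
    promises more data than the record actually carries.
    """
    if len(record) < 5:
        return False, "truncated TLS record header"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return True, "not a heartbeat record"
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return False, "record length field does not match bytes on the wire"
    if rec_len < 3 + MIN_PADDING:
        return False, "heartbeat message too short to carry the mandatory padding"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False, "unknown heartbeat message type"
    # The check missing before OpenSSL 1.0.1g: type (1) + length (2) + payload
    # + minimum padding must fit inside the record that was actually received.
    if 3 + payload_len + MIN_PADDING > rec_len:
        return False, "payload_length exceeds record: would read beyond the message"
    if payload_len > MAX_PAYLOAD:
        return False, "payload_length larger than any legitimate heartbeat"
    return True, "well-formed heartbeat"


def build_heartbeat_record(hb_type: int, payload: bytes) -> bytes:
    """Build a TLS 1.1 heartbeat record whose length field matches its payload (constructed sample)."""
    body = struct.pack("!BH", hb_type, len(payload)) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed samples: a consistent request, and the same record with a
# length field that overstates the 4-byte payload (what the checker must reject).
GOOD_RECORD = build_heartbeat_record(HB_REQUEST, b"ping")
BAD_RECORD = GOOD_RECORD[:5] + struct.pack("!BH", HB_REQUEST, 0x4000) + GOOD_RECORD[8:]

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, check_heartbeat_record(rec))
```

The same check can be run over heartbeat records captured at a network boundary to flag probes against servers that have not yet been updated to 1.0.1g.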
How to Protect From HeartBleed – OpenSSL Bug
If the site you use is not affected by the vulnerability, it is a good idea to change your password immediately, on the assumption that it was vulnerable before, just to make sure that you are now safe. But changing the password before the bug is fixed could compromise your new password as well.
You are advised not to reuse the same password on different websites; use a separate password for each website.
If you are using public Wi-Fi at McDonald's or any other public place, limit your Internet activity and avoid signing in to websites that are especially sensitive.
OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2-beta1 are vulnerable; the flaw is fixed in OpenSSL 1.0.1g. If you haven't yet, please update any systems that use OpenSSL for TLS-encrypted communications.
And last but not least: keep an eye on every financial transaction, and it is good practice to use two-factor authentication, which means that in addition to the password, the account requires a freshly generated passcode that appears only on your personal smartphone before you can get into certain sites.
HOW TO CHECK IF YOUR FAVORITE WEBSITES ARE VULNERABLE
2.) LastPass also created a web app that will tell you what kind of encryption a site uses and when the encryption was last updated.
3.) Provensec also created a scanner at http://provensec.com/heartbleed/
4.) GlobalSign SSL Configuration Checker.
5.) The easiest way to keep yourself safe is to use a new add-on for the Chrome browser, Chromebleed, created by security researcher Jamie Hoyle.