Heartbleed Internet Security Hole: What You Need To Know

Send to Kindle

* * *

Zipbuds tangle-free, ComfortFit2 earbuds. Advertisers make it possible for Digital Media Mom to bring you great content each day for free, so thanks for your support.

* * *

What Is Heartbleed?

If you haven’t heard about the scary-sounding Heartbleed internet security breach yet, you will soon. It’s not just the name, this one really IS scary for techies like me because it’s a flaw in one of the most widely-used and trusted internet security methods, something called “Open SSL”.

In a nutshell, Open SSL is supposed to encrypt, or scramble, secure data before it’s transmitted, then un-scramble it when the recipient site or web service provides some kind of credential to prove they’re allowed to receive the secure data. This is a type of security that’s been in use by web server administrators for a very long time: it’s the very thing many of them have been relying on to prevent security breaches.

The security hole dubbed “Heartbleed” has existed in Open SSL for at least two years, but it was only recently discovered. Anyone who knows about the flaw and how to exploit it can quietly gather unencrypted versions of the data being transferred across Open SSL connections: passwords, usernames and the like.


What You Need To Do

This is a case where the lion’s share of responsibility for fixing the problem falls to people who run web servers. A fix, or “patch” has been released. Where applicable, it’s up to web server administrators to replace the flawed SSL “certificate” with the patched version. This will all be happening in the background where site visitors won’t even be aware of it, and most of the most popular and heavily-trafficked sites are already patched.

Server administrators are hard at work getting those new certificates up, but since the security hole has existed for over two years it’s impossible to know if any of your online accounts have already been affected. Therefore, it would be very wise to hit every secure site you use and change your password.

If you’re dreading the prospect of such a task and worried about how to first come up with new passwords and then remember them later on, see my DMM post Hacker Defense: Password Creation & Management for the very easy to use system I employ for my own passwords.

Since it was a Google tech who first discovered the security hole, Google’s servers were among the first to be patched. Google links so many things to a single account that if you use any Google services, you will definitely want to change your Google password right away.

The screenshot below illustrates how to change your password in Gmail, which will change your password for ALL of your Google accounts (YouTube, GDrive, Blogger, et cetera). (Click or tap on the image below to view an enlarged version in a new tab or window – the arrows indicate accessing the Accounts and Import tab of the Settings area, and the location of the Password options area on that tab)


Not every secure site employs Open SSL, and not every site that employs Open SSL has been affected by this security hole. The problem is, there’s no way to tell.

There are some web pages available where you can type in a site’s web address to see if it has the patch installed, but these are geared to tech-savvy people. I’ve visited some, and they’re clearly intended for web server administrators, not consumers. For one thing, to get the most accurate results you have to type in a ‘fully qualified domain server’ name, which includes the address of something called a “port”. The test results include references to things like “STARTL”, “broken pipe error” and “EOF indicator”. If all of that’s Greek to you, these web pages will not help you.

Therefore, it’s safest to simply change your password for any and all sites where you feel it would be a very bad thing for a stranger to have your login credentials, because it’s possible a stranger already does. In cases of banking or online shopping sites where your financial account information may have been compromised, it wouldn’t hurt to go back in a week and change those passwords again. This is because you can’t be certain exactly when all of those sites will have the patch applied, and in the meantime your new login credentials could be at risk.

Again, the majors like Google, Amazon, Apple/iTunes, Facebook, Twitter and so on are already patched. But when it comes to smaller banks, finance companies, credit unions and online retailers, it’s better to be safe than sorry.

* * *

And now…

Zipbuds no-tangle, ComfortFit2 earbuds (4.5/5 stars, currently priced at $24.99 and eligible for Prime shipping on Amazon):

No more tangled earbud cords thanks to Zipbuds’ ingenious zipper design, and no more earbud fallout thanks to the ComfortFit2 Technology built into Zipbuds JUICED 2.0! The ComfortFit2 angled earbuds anchor on the outer part of the ear to ensure a comfortable and secure fit. There is no longer a need to uncomfortably jam your earbuds in. Comes with 3 different sizes of earbud cups, to fit anyone from a child to an adult.

* * *


Print Friendly