Heartbleed Aftermath

A serious security vulnerability, disclosed on Monday, April 7th, 2014, affects websites across the entire Internet.  The bug, called Heartbleed, is a flaw in OpenSSL, the software library that a large share of websites use to implement the SSL/TLS encryption protocol.  It is not specific to Mac, PC, iPhone, or Android, because it affects the encrypted traffic between your device and the website's server.  It is important to note that changing all of your passwords at this point is not wise: changing a password on an affected site that has not yet been updated to a patched version of OpenSSL could expose both the old and the new password.
 
Mashable has put together a list of top websites that were known to be affected AND have since patched their site.  These are the sites where you should change your password RIGHT NOW.  The highlights of this list include:
 
  • Gmail
  • Facebook
  • Dropbox
  • Intuit
  • Yahoo

Remember, do not use the same password for more than one website.  You should be using a password manager such as KeePass or LastPass to help manage your passwords and generate strong unique passwords.
 
In addition, you should turn on server certificate revocation checking in your browser.  Sites that were vulnerable may have had their private keys exposed and should revoke and reissue their certificates; with revocation checking on, your browser can reject a revoked certificate instead of trusting it.  The steps for Google Chrome are: Settings > Show Advanced Settings… > HTTPS / SSL > Check for server certificate revocation.
 
If you need help with changing passwords, setting up a password manager, or configuring your web browser, please contact me to schedule a time for a consultation.
 

What should the average Internet user do about the Heartbleed bug?

  • Install the Chromebleed (Chrome) or Foxbleed (Firefox) browser extension and do not log in to sites that trigger an alert.
  • Wait for statements by the affected websites about what data may have been leaked and when you should change your password.
  • Always use strong and unique passwords.  Install a password manager such as KeePass or LastPass; these programs also include a password generator to create strong, unique passwords.
  • Always use two-factor authentication when it is available.  This adds a layer of security to your account by sending you a unique code via text message when you log in from an untrusted location.  See: “Here’s Everywhere You Should Enable Two-Factor Authentication Right Now”.