
Heartbleed and You: Nontechnical Summary

If you work at a technology company and have seen a lot of ragged faces today on whoever is responsible for your company’s security, there’s a good chance that CVE-2014-0160 is to blame. Better known as the Heartbleed Bug, this security vulnerability is a bug in OpenSSL, a software library that is the centerpiece of a lot of the secure communication that happens on the internet.

I thought it’d be helpful to put out a quick and dirty bullet-point summary for non-technical users, so you can understand what’s going on, how it affects you, and what you can do to protect yourself. So, here we go:

  • Heartbleed is a bug in software used to secure a lot of communications on the internet, including those you make to websites like Google, Facebook, your bank, your VPN connection to work, etc.
  • As a result of this bug, someone could read information off of the computer providing that service (e.g. your bank’s web server). They could also obtain a particular piece of information that lets them read all future communication with that server, too. This piece of information is called the private key.
  • As a result of this discovery, two things are happening across the internet. First, servers are being upgraded with new versions of the relevant software to eradicate the bug. Second, system admins are generating new private keys and certificates to go with them. Once these are in place, any private key a malicious person may have obtained will no longer do them any good: new communications will use a new key.
  • Various websites will be advising you on how you should protect yourself. Some will advise you to change your password. Two-factor authentication – where, to log in, you’re required to have both your password and a code generated on your phone – will protect you even more. Evaluate what changes you need to make on a case-by-case basis.

So, there you go. That’s your quick summary of what’s been going on in Internet land for the past 24 hours. As a side note, Anchor Tab’s servers were all upgraded last night shortly after I found out about the bug. I’m currently generating a new SSL certificate for the site, and hope to have it in place in the next few hours.

Now go give your nearest system administrator a hug.