By now, it’s likely you’ve heard about the Heartbleed Internet security vulnerability, which has made headlines around the Web, albeit often with a level of hyperbole and technical detail that makes it difficult to evaluate. Let’s assume you’re not a system administrator, or in charge of a bank or ecommerce Web site. What do you, as a normal user of the Internet, need to know, and more importantly, need to do?
What is the Heartbleed bug? It’s a bug (CVE-2014-0160) in OpenSSL’s handling of the TLS “heartbeat” extension, introduced in OpenSSL 1.0.1 about two years ago; versions 1.0.1 through 1.0.1f are affected and 1.0.1g fixes it. OpenSSL is one of the most widely used libraries for implementing encrypted (SSL/TLS) connections to Internet servers; these are the secure https connections that we all rely on to protect our communications when shopping, banking, and working with confidential information. SSL/TLS is used by more than just Web browsers too; lots of Mac and iOS apps rely on it behind the scenes as well.
The Heartbleed bug enables an attacker to read the memory of a server directly, up to 64 KB per request and as many requests as they like, assuming it’s running a vulnerable version of OpenSSL with the heartbeat extension enabled (which is the default). Security researchers have shown that the bug can be exploited to reveal usernames and passwords, session cookies, the server’s private encryption keys, and anything else that happens to be in the server process’s memory at the time.
How bad is Heartbleed? We won’t lie — it’s extremely bad, and among the worst security bugs we’ve seen in recent history. If the server’s private key leaks, an attacker can impersonate the site and, unless the site used forward-secret cipher suites, decrypt traffic they recorded in the past. Worse, a malicious heartbeat request leaves no trace in ordinary server logs, so Web site administrators can’t go back and check whether the site has been attacked in the past.
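The mechanism behind those paragraphs is a single missing bounds check. The following C program is an added, simplified illustration written for this page; it is not OpenSSL’s code, and the “heap” array, the “session=…; PRIVATE-KEY-FRAGMENT” string and the 200-byte request are constructed sample data. A heartbeat message carries its own payload length, and the vulnerable handler trusts that field instead of the record length the TLS layer actually received, so a request that claims 200 bytes but sends 4 gets 200 bytes of whatever sits next in memory echoed back. The fixed handler applies the same kind of check the real fix added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): 1-byte type, 2-byte big-endian
   payload_length, payload bytes, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Toy stand-in for the server process's heap. The heartbeat record is placed
   at the front; the bytes after it represent unrelated data that happens to
   sit nearby. Constructed sample data, not a real key or cookie. */
static unsigned char heap[512];
static const char *NEARBY_SECRET = "session=abc123; PRIVATE-KEY-FRAGMENT";

/* Write a heartbeat request at the front of heap[]. claimed_len is what the
   attacker puts in the length field; actual_len is how many payload bytes are
   really sent. Returns the true record length, which the record layer knows. */
static size_t build_request(uint16_t claimed_len, size_t actual_len) {
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed_len >> 8);
    heap[2] = (unsigned char)(claimed_len & 0xff);
    memset(heap + HB_HEADER, 'A', actual_len);
    size_t rec_len = HB_HEADER + actual_len + HB_PADDING;
    /* Leftover data from earlier requests lives right after the record. */
    memcpy(heap + rec_len, NEARBY_SECRET, strlen(NEARBY_SECRET));
    return rec_len;
}

/* Vulnerable handler: echoes back as many bytes as the message claims,
   never comparing that claim with the record length actually received. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t *out_len) {
    (void)rec_len;                      /* the bug: rec_len is never consulted */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);  /* over-read */
    *out_len = HB_HEADER + payload;
    return 0;
}

/* Fixed handler: discard any request whose claimed payload plus padding does
   not fit inside the record that was actually received. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t *out_len) {
    if (rec_len < HB_HEADER) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload + HB_PADDING > rec_len) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    *out_len = HB_HEADER + payload;
    return 0;
}

/* Did the response carry the nearby secret? The leaked copy of the record
   ends at offset rec_len in the response, so the secret would start there. */
static int response_leaks(const unsigned char *resp, size_t resp_len, size_t rec_len) {
    size_t n = strlen(NEARBY_SECRET);
    return resp_len >= rec_len + n && memcmp(resp + rec_len, NEARBY_SECRET, n) == 0;
}

/* Attacker claims 200 payload bytes but sends 4 (record length 3+4+16 = 23).
   Returns 1 if the secret leaked, 0 if not, -1 if the request was rejected. */
int run_attack(int use_fixed) {
    static unsigned char resp[65536 + HB_HEADER];
    size_t resp_len = 0;
    size_t rec_len = build_request(200, 4);
    int rc = use_fixed ? heartbeat_fixed(heap, rec_len, resp, &resp_len)
                       : heartbeat_vulnerable(heap, rec_len, resp, &resp_len);
    if (rc != 0) return -1;
    return response_leaks(resp, resp_len, rec_len);
}

/* A well-formed request (claimed length equals bytes sent) must still work
   after the fix. Returns the response length, or -1 if rejected. */
int run_legitimate(void) {
    static unsigned char resp[65536 + HB_HEADER];
    size_t resp_len = 0;
    size_t rec_len = build_request(4, 4);
    if (heartbeat_fixed(heap, rec_len, resp, &resp_len) != 0) return -1;
    return (int)resp_len;
}

int main(void) {
    printf("vulnerable handler leaked secret: %d\n", run_attack(0));
    printf("fixed handler result (-1 = rejected): %d\n", run_attack(1));
    printf("fixed handler, legitimate request, response bytes: %d\n", run_legitimate());
    return 0;
}
```

In the toy, the over-read stays inside the `heap` array so the program is well defined; in a real server the same `memcpy` runs off the end of the record into whatever the allocator placed next to it, which is exactly why passwords, cookies and key material from other connections come back in the response.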
The Middlefield Banking Company web sites, middlefieldbank.com, mb-easy.com and online banking, are unaffected by the bug.
Should I change my password at every major site I use? No. Only change your password if both of the following are true:
- You know a site was vulnerable.
- You know it is now patched.
Heartbleed is being actively exploited, which means changing your password on an unpatched site is more likely to expose it than doing nothing. Avoid vulnerable sites until you know they are fixed, and then go back and change your password. Patching alone isn’t enough, either: if a site’s private key was stolen before the patch, it stays exposed until the site replaces its certificate, so responsible sites will do both. We expect responsible sites will notify their users once they are no longer vulnerable and will make all users change their passwords. That’s the other reason not to change your password now; if the site is vulnerable, you’ll just have to change it again once they patch their servers.
However, when you do change your password, follow these simple rules:
- Change your password frequently
- Use a password that contains at least 8 characters
- Include, at a minimum, letters and numbers in your password
- Store passwords securely
- Don't leave passwords where others can find them
- Never share your password
What should I do? Right now, unless you are a server administrator, there isn’t much you can do. Check the important sites you are worried about with one of the online Heartbleed test tools, and don’t log into those that are vulnerable until they are patched. Keep an eye on your email inbox, and as you get notifications from affected sites telling you to reset your password, do so. As always, if you’re concerned about the possibility of phishing, enter the site’s URL directly into your browser rather than clicking a password reset link in the email. Yell at any vulnerable site that doesn’t patch in the next few days.
There is a lot of hyperbole out there right now. Yes, Heartbleed is as bad as it gets for those of us who manage servers or are in the security industry, but the practical risk to most people isn’t the worst thing we’ve seen on the Internet. That said, we’re not complaining about the hyperbole, because it helps us pressure the people that do manage the servers to fix them as soon as possible.
In short, the Internet isn’t melting down, but the people who manage vulnerable systems probably won’t be sleeping for a while. If you have other questions, feel free to ask them in the comments, and we’ll do our best to answer them and update this article as appropriate.