
What You Need to Know about Heartbleed.

Heartbleed

So, by now, I'm sure pretty much all of you have heard about the Heartbleed bug, and you're probably wondering to yourself, "How does this affect me?". I'm here to attempt an answer to that question.

First off, what is Heartbleed? Heartbleed is a software bug in a program called OpenSSL. OpenSSL is used by web servers to manage secure, encrypted web communications. One feature of OpenSSL is to keep your secure connection active through periods of inactivity by sending and responding to "heartbeats". A heartbeat is a small message sent at regular intervals to the server, which then responds by sending the message back. The message has two parts: the message itself (a string of characters) and a length (a value that is supposed to match the number of characters in the message). The problem is that, until recently, OpenSSL wasn't verifying that the stated length was the actual length of the message. So if you sent a heartbeat with a very small message and a very large length, the server would send you back the message plus whatever data happened to be stored in memory just after where your message was stored, which could potentially have included your username and password.
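To make the length-check failure concrete, here is an added example (not OpenSSL's own code) that models a simplified heartbeat record as described above and places the vulnerable echo beside the hardened one; the record layout, the function names and the "SECRET" bytes in the constructed memory image are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code: a simplified heartbeat record as the
 * post describes it: one type byte, a two-byte big-endian length, payload. */

/* Vulnerable echo: trusts the declared length and never consults how
 * many bytes actually arrived, so it copies from beyond the record. */
static size_t echo_unchecked(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap) {
    (void)rec_len;                          /* the defect: ignored */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    size_t n = declared < out_cap ? declared : out_cap;
    memcpy(out, rec + 3, n);
    return n;
}

/* Hardened echo: the declared length must fit inside the record that was
 * received; otherwise the heartbeat is dropped and nothing is sent back. */
static size_t echo_checked(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap) {
    if (rec_len < 3) return 0;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared + 3 > rec_len || declared > out_cap) return 0;
    memcpy(out, rec + 3, declared);
    return declared;
}

/* Constructed memory image: a 6-byte record whose 3-byte payload "hat"
 * claims a length of 16, followed by 13 bytes of unrelated data (SECRET). */
static const uint8_t demo_mem[19] = {
    0x01, 0x00, 0x10, 'h', 'a', 't',
    'S', 'E', 'C', 'R', 'E', 'T', '-', '-', '-', '-', '-', '-', '-'
};
static const size_t demo_rec_len = 6;

size_t demo_unchecked(uint8_t *out, size_t cap) {
    return echo_unchecked(demo_mem, demo_rec_len, out, cap); /* 16 */
}
size_t demo_checked(uint8_t *out, size_t cap) {
    return echo_checked(demo_mem, demo_rec_len, out, cap);   /* 0 */
}

int main(void) {
    uint8_t out[64];
    size_t n = demo_unchecked(out, sizeof out);
    printf("unchecked: %zu bytes: %.*s\n", n, (int)n, out);
    printf("checked: %zu bytes\n", demo_checked(out, sizeof out));
    return 0;
}
```

The unchecked version echoes all 16 requested bytes, 13 of which were never part of the heartbeat, while the checked version drops the malformed record entirely.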

Here's a list of popular online services and whether they were vulnerable and whether you should consider changing your password.

As far as we know, no SCLS-hosted services are affected by Heartbleed, as we are not currently using OpenSSL for secure connections. Some services we use, such as SurveyMonkey, were affected and we have changed our login information for those cases.
