If you run your own website or have been paying attention to tech bloggers over the past week you'll no doubt have heard about the big new threat to cybersecurity: Heartbleed. So what exactly is Heartbleed, who does it affect and how can websites survive it?
Heartbleed Explained
Heartbleed is a recently disclosed vulnerability in OpenSSL, the library most servers use to provide SSL/TLS (the "https" that makes websites secure). A missing bounds check in OpenSSL's TLS heartbeat extension lets an attacker ask the server to echo back more data than was actually sent, and an unpatched server obliges with up to 64 KB of its own process memory per request. That memory can contain the site's private key, session cookies, passwords and anything else that happens to be nearby, and the requests leave no trace in ordinary web server logs, so you cannot tell after the fact whether it was used against you. It is a bug that has affected some of the Internet's largest and most trafficked websites, including Facebook, Pinterest and Instagram. These larger websites have huge tech teams who patched quickly before it became a major issue, but smaller websites and online stores are more vulnerable and unfortunately often don't have the resources even to know whether Heartbleed affects them, let alone the know-how to protect their servers from attacks.
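To make the "echo back more than was sent" point concrete, here is an added example (not code from the original post, and not OpenSSL's own source) that simulates the heartbeat handler in Python. A bytearray stands in for process memory: the received record sits at the front and a constructed secret string sits just after it, where a real heap might hold session cookies or key material. The vulnerable handler trusts the length field in the request header exactly as OpenSSL 1.0.1 did; the patched handler adds the two length checks the fix introduced. Function and variable names here are the example's own.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding after the payload


def build_heartbeat_message(payload, claimed_len):
    """Build a HeartbeatMessage body: type(1) | payload_length(2) | payload | padding.

    `claimed_len` is what the sender writes into the header. An honest peer sets it
    to len(payload); an attacker sets it far larger than the payload actually sent."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_process_heartbeat(memory, record_len):
    """Simplified model of the unpatched handler (not OpenSSL's real code).

    `memory` stands in for process memory: the received record occupies its first
    `record_len` bytes and whatever the allocator placed next comes after. The
    handler takes the length from the attacker-controlled header and never compares
    it with record_len, so the copy runs past the record into neighbouring memory."""
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    payload = bytes(memory[3:3 + payload_len])  # over-read: up to 64 KB of whatever is adjacent
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def patched_process_heartbeat(memory, record_len):
    """Same handler with the bounds checks that fix the bug."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None  # too short to hold even the header plus minimum padding: drop silently
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None  # claimed payload does not fit inside what actually arrived: drop silently
    payload = bytes(memory[3:3 + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def simulate(handler, record, neighbour):
    """Place `record` in fake memory with `neighbour` (constructed secret data)
    a few bytes after it, then run the handler. Returns the response or None."""
    memory = bytearray(record) + bytearray(8) + bytearray(neighbour) + bytearray(32)
    return handler(memory, len(record))


# Constructed inputs: an honest heartbeat, and a malicious one that claims 16 KiB
# while carrying only three bytes.
HONEST = build_heartbeat_message(b"hat", 3)
MALICIOUS = build_heartbeat_message(b"hat", 0x4000)
NEIGHBOUR = b"session=d41d8cd98f00b204;user=alice;pw=hunter2"  # constructed, not real data

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_process_heartbeat),
                          ("patched", patched_process_heartbeat)):
        resp = simulate(handler, MALICIOUS, NEIGHBOUR)
        leaked = resp is not None and NEIGHBOUR in resp
        print(f"{name:10s} malicious request -> leaked neighbour data: {leaked}")
        answered = simulate(handler, HONEST, NEIGHBOUR) is not None
        print(f"{name:10s} honest request    -> answered: {answered}")
```

Run as a script, the vulnerable handler answers the malicious request with the constructed "session=...pw=hunter2" string inside the response, while the patched handler drops it and still answers the honest one. In Python the slice simply stops at the end of the bytearray; in the real C code the copy keeps going through whatever the heap holds, which is why the leak can include private keys.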
I think xkcd explains Heartbleed best in its online comic.
Online Heartbleed Tests: To The Rescue?
Since the vulnerability was publicly disclosed, a number of websites have published free online checkers designed to tell website owners whether or not their sites are affected by Heartbleed. This may seem like an absolute life saver for website owners who know very little about SSL certificates and just want a yes-or-no answer, but almost all of these tests have their flaws, as Adrian Hayter over at CNS Hut3 discusses.
Essentially, he explains that most Heartbleed tests don't exercise all the factors and behaviours needed to identify the bug (a server may be vulnerable on a protocol version or service the checker never tries, for example), and so they produce false negatives: they tell website owners they are not affected when that may not be the case. The majority of the tools Adrian tested failed to detect vulnerabilities he knew were present. The thousands of website owners who relied on these tools may have walked away believing they were safe when in reality their customers' accounts and information could already have been exposed.
Heartbleed Tests That Do Work
Okay, okay, so the majority of these tools fail to properly diagnose Heartbleed vulnerabilities, but which ones actually do work?
- Hut3's Cardiac Arrest tool is a Python script for the technically inclined: you run it from any machine with Python and point it at your server, and it probes the server over the network (it does not need to be installed on the server itself) to determine how vulnerable the server is to the bug. It seems to uncover some issues that other tools don't.
- For the average website owner and those living in a Python-less world, the Qualys SSL Labs tool seems to offer a trustworthy solution. This is probably the easiest way for most people to test their websites.
Remember that no checker is 100% accurate, so test your website with several Heartbleed checkers from different sources, whether or not each is highly accurate on its own, since each may exercise a different aspect of the bug and together they give a more reliable picture. Treat a single clean result as "nothing found", not as proof that you are safe.
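The false-negative problem above comes down to how a checker interprets what the server sends back, and how many ways it tries. The following added example (the author's own illustration, not the Hut3 or Qualys code) builds the probing heartbeat record for each SSL/TLS version, classifies a server's reply as vulnerable, not vulnerable or inconclusive, and only reports "not vulnerable" when every version it tried actually answered and rejected the probe. The transport is a callback so the same logic works over a real socket after the handshake; here a constructed fake server stands in for the network. It is unpatched but only completes a handshake on TLS 1.0, which is exactly the kind of server a single-version checker misses. All names are the example's own.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18
ALERT_CONTENT_TYPE = 0x15
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2

# Protocol versions on which an OpenSSL 1.0.1 server could accept heartbeats.
# A given server may complete a handshake on only some of them.
TLS_VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}

PROBE_PAYLOAD = b"hb?"   # three real bytes ...
CLAIMED_LEN = 0x4000     # ... while the header claims 16 KiB


def build_probe_record(version):
    """TLS record carrying a heartbeat request whose claimed length exceeds its payload."""
    major, minor = version
    body = struct.pack("!BH", HEARTBEAT_REQUEST, CLAIMED_LEN) + PROBE_PAYLOAD + b"\x00" * 16
    return struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, major, minor, len(body)) + body


def classify_response(response):
    """Return 'vulnerable', 'not_vulnerable' or 'inconclusive' for one probe reply."""
    if len(response) < 5:
        return "inconclusive"            # timeout or closed socket proves nothing either way
    content_type, _major, _minor, _length = struct.unpack("!BBBH", response[:5])
    if content_type == ALERT_CONTENT_TYPE:
        return "not_vulnerable"          # the server explicitly rejected the record
    if content_type != HEARTBEAT_CONTENT_TYPE or len(response) < 8:
        return "inconclusive"
    hb_type, payload_len = struct.unpack("!BH", response[5:8])
    if hb_type == HEARTBEAT_RESPONSE and payload_len > len(PROBE_PAYLOAD):
        return "vulnerable"              # it echoed more than we sent: memory was read
    return "not_vulnerable"


def probe(send, versions=TLS_VERSIONS):
    """Probe every version through `send(version, record) -> bytes` (a real socket
    after the handshake, or a stand-in). The overall verdict is 'vulnerable' if any
    version leaks, 'not_vulnerable' only if every version answered and rejected the
    probe, and 'inconclusive' otherwise, so a silent server is never called safe."""
    results = {name: classify_response(send(ver, build_probe_record(ver)))
               for name, ver in versions.items()}
    verdicts = set(results.values())
    if "vulnerable" in verdicts:
        overall = "vulnerable"
    elif verdicts == {"not_vulnerable"}:
        overall = "not_vulnerable"
    else:
        overall = "inconclusive"
    return results, overall


def fake_leaky_server(version, record):
    """Constructed stand-in for the network: an unpatched server that only completes
    a handshake on TLS 1.0 and drops the connection on every other version."""
    if version != (3, 1):
        return b""
    claimed = struct.unpack("!H", record[6:8])[0]   # length field inside the heartbeat header
    body = struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + b"\x00" * claimed + b"\x00" * 16
    return struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, 3, 1, len(body)) + body


if __name__ == "__main__":
    results, overall = probe(fake_leaky_server)
    print("all versions:", results, "->", overall)
    only_11, verdict_11 = probe(fake_leaky_server, {"TLSv1.1": TLS_VERSIONS["TLSv1.1"]})
    print("TLSv1.1 only:", only_11, "->", verdict_11)
```

Against the fake server, probing all versions reports "vulnerable" (TLS 1.0 leaks), while a checker that tries only TLS 1.1 gets no reply at all. A tool that renders that silence as "not vulnerable" is the false negative Adrian describes; this example reports it as inconclusive instead. A real checker also has to perform the SSL/TLS handshake before sending the heartbeat, and repeat the same check on every port and STARTTLS-capable service the server exposes, not just 443.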
Help! My Website's Been Affected By Heartbleed!
If you think your website might be affected by the Heartbleed bug, the first thing you should do is update your server's software to the newest versions. OpenSSL is the software that contains the vulnerability (the fix shipped in OpenSSL 1.0.1g), so start there, then restart every service that uses it (web server, mail server, VPN and so on), because a running process keeps the old library loaded until it is restarted. Patching alone is not enough: anything that was in the server's memory while it was vulnerable may already have been read, and that includes your private key. Treat the key as compromised, generate a new one, get your SSL certificate reissued and revoke the old one, and invalidate existing sessions. Once that is done, be open with your customers about their accounts and information: inform them about any possible breach, what you're doing to fix it and what they need to do to stay protected (usually update their passwords). Ask them to change passwords only after you have patched and installed the new certificate, otherwise the new password can leak through the same hole. With any luck your customers will understand that this is not a failure of your company's security practices and has affected hundreds of thousands of the most secure websites online.
Always Update! Just In Case
Even if all the tests you run come back with a clean bill of health, it is a good idea to upgrade the software on your server, including OpenSSL. As long as your website doesn't rely on the outdated versions, the newer releases almost always carry fixes for other problems too, not just Heartbleed. When you check what is installed, be aware that many Linux distributions backport the fix into their existing package without bumping the version number to 1.0.1g, so compare against your distribution's own security advisory rather than the upstream version string alone.
Whether it's Heartbleed or another security threat, always stay vigilant by watching for problems and abnormalities on your website and in your server and application logs, and by closely following security blogs and development communities that discuss these issues as soon as they arise, so you know where to focus your efforts. There will always be threats like Heartbleed, so never assume your website is safe from attackers - it isn't!