Heartbleed and You: The Official Frog Report

May 2014: One of the most widespread bugs ever to hit the World Wide Web was disclosed in April: Heartbleed. To make matters worse, the bug had been sitting in the code for about two years before anyone noticed. As most of the Internet scrambled to patch and protect itself from this massively pervasive security problem, many recommendations were tossed around. Some were good. Some, not so much.

Here is the Official Frog Report, in a simple, hoppable, cut-to-the-chase Q&A format:

Does Heartbleed affect me?

Almost certainly.

What is it? A virus?

Heartbleed is not a virus. It is a bug (tracked as CVE-2014-0160) in OpenSSL, an extremely popular piece of software that implements the SSL/TLS encryption protocols. OpenSSL is used by a large share of online commerce, and its purpose is to keep data safe as it passes between browsers and Web servers. The bug lives in OpenSSL's implementation of the TLS "heartbeat" extension, hence the name, and affects OpenSSL versions 1.0.1 through 1.0.1f; version 1.0.1g, released on April 7, 2014, fixes it.

What’s the danger?
The Heartbleed flaw lets an attacker read a chunk of a vulnerable server's memory, up to 64 KB per request, without logging in and without leaving a trace in the server's logs. Whatever the server happened to be working on can land in that chunk: your credit card numbers, passwords, session cookies, and even the server's own private encryption key. A single request is usually enough to expose some of that personal information, and an attacker who systematically sends request after request, 64 KB at a time, can siphon off a great deal of it.
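To show why a single message can pull 64 KB of unrelated memory out of a server, here is an added example (not code from the original post, and not OpenSSL's source) that models the heartbeat bug in miniature. The record layout, the `arena` standing in for server memory, the `SECRET` string placed after the record, and all function names are constructed for the illustration. The vulnerable handler trusts the length field the sender wrote; the fixed handler applies the same kind of bounds check OpenSSL 1.0.1g added, comparing the claimed length against the number of bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical heartbeat record, modelled on the TLS heartbeat message:
 *   byte 0     : type (1 = request, 2 = response)
 *   bytes 1..2 : payload_length, big-endian, written by the SENDER
 *   bytes 3..  : payload, followed by 16 bytes of padding            */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for the server's process memory. It is sized so that
 * even the largest claimable length (65535) stays inside the array, which
 * keeps this demonstration itself free of undefined behaviour.            */
#define ARENA_SIZE (65536 + 64)
static unsigned char arena[ARENA_SIZE];

/* Constructed secret that has nothing to do with heartbeats; it simply sits
 * in memory right after the received record, as a cookie or key might.   */
static const char SECRET[] = "session_cookie=4f9a1c; password=hunter2";

/* Writes a heartbeat request into the arena. claimed_len is what goes into
 * the length field; the real record is only as long as the payload given.
 * Returns the number of bytes that were actually "received".             */
size_t build_request(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    size_t record_len = 3 + plen + HB_PADDING;
    memcpy(arena + record_len, SECRET, sizeof SECRET); /* adjacent memory */
    return record_len;
}

/* Vulnerable handler: never compares the claimed length with rec_len, so
 * memcpy reads past the end of the real record into whatever follows.
 * Returns the response length, or -1 if it would not fit in out.        */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    (void)rec_len;                                   /* ignored: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);           /* the over-read */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)(3 + payload_len + HB_PADDING);
}

/* Fixed handler: refuses any request whose claimed payload does not fit
 * inside the bytes actually received (the same idea as the 1.0.1g patch). */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < 3 + HB_PADDING) return -1;         /* too short to parse */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload_len + HB_PADDING > rec_len) return -1; /* bounds */
    if ((size_t)3 + payload_len + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (int)(3 + payload_len + HB_PADDING);
}

/* Returns 1 if the secret appears anywhere in a response, else 0. */
int response_leaks_secret(const unsigned char *resp, int resp_len) {
    if (resp_len <= 0) return 0;
    size_t n = strlen(SECRET);
    for (size_t i = 0; i + n <= (size_t)resp_len; i++)
        if (memcmp(resp + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Sends a 4-byte payload that claims to be 16384 bytes to both handlers.
 * Returns 1 iff the vulnerable handler leaks the secret and the fixed
 * handler drops the request.                                             */
int demo(void) {
    static unsigned char resp[ARENA_SIZE];
    size_t rec_len = build_request(16384, "ping");
    int v = heartbeat_vulnerable(arena, rec_len, resp, sizeof resp);
    int leaked = response_leaks_secret(resp, v);
    int f = heartbeat_fixed(arena, rec_len, resp, sizeof resp);
    return leaked && f == -1;
}

int main(void) {
    puts(demo() ? "vulnerable handler leaked the secret; fixed handler dropped the request"
                : "unexpected result");
    return 0;
}
```

The point to take away is that nothing in the vulnerable path is "hacking" in the usual sense: the attacker sends one well-formed message with a lie in its length field, and the server obligingly mails back the next 16 KB (or up to 64 KB) of its own memory. Repeat it and you get a rolling sample of everything the server is holding.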

What should I do?
Follow this step-by-step list. Changing your passwords is key, but only after the website in question has been patched: a new password typed into a still-vulnerable server can be stolen just as easily as the old one. There is no way of knowing whether your personal information has already been taken, so assume it may be used later.

Which websites have been affected?
An estimated 500,000 or more websites were affected. The Heartbleed Hit List from Mashable includes the status of many of the Web's most popular sites.

Have the websites been patched yet?
Most have, but some are still vulnerable. Use this online checker before you visit. Don't visit vulnerable sites, and only change passwords on websites that have been patched. Note that a proper fix has two parts: installing the patched OpenSSL and then replacing the site's certificate, because the private key behind the old certificate may have leaked. A site that has only done the first is not fully fixed.

Is other technology affected, like mobile phones?
Yes, other devices have been affected.
1) About 150 million downloaded Android apps (mostly games) carry their own vulnerable copy of OpenSSL. The Android platform itself is not vulnerable, with one exception: Android 4.1.1, for which Google has distributed a patch to device makers. Don't bother with Heartbleed scanner apps; most of them don't work.
2) Products like Apple’s Airport Extreme and some devices made by Iomega, Synology, Western Digital and others require patches. Here’s a list from PCmag.com.

Have there been thefts directly resulting from Heartbleed?
In Canada, about 900 Social Insurance Numbers were stolen from the Canada Revenue Agency (the Canadian counterpart of the IRS); a 19-year-old has been arrested. Elsewhere it may be difficult to tie a theft directly to Heartbleed, so keep monitoring your credit to make sure no one else is using it.

Why do so many websites use the same OpenSSL protocol?
Because it's free, and because it's everywhere. OpenSSL is not a protocol but a software library that implements the SSL/TLS protocols: "SSL" stands for Secure Sockets Layer and "Open" stands for open-source (free) code. It ships with most Linux distributions and is the encryption library behind popular Web servers such as Apache and nginx, so most sites get it without ever choosing it. Using OpenSSL saves companies money and lets them focus on building their apps. Free and inexpensive platforms like Facebook and Dropbox couldn't offer free services without making use of open-source code.

Does Heartbleed mean the lock icon in my browser’s address bar is meaningless?

No, the lock icon is still very important. Heartbleed was a bug in one implementation of the encryption, not a flaw in the idea of encrypting your connection, and it has been found and fixed. The lock means your browser is talking to the website over an encrypted connection that prevents others on the network from seeing the information sent back and forth. What the lock cannot tell you is whether the server on the other end has been patched; that is what the online checker is for. Either way, don't send personal information or passwords if you don't see the lock.

Have most people changed their passwords?
Surprisingly, no. A survey by YouGov/Huffington Post shows that a lot of people haven’t heard about Heartbleed. Part of the slow reaction might also be because most companies haven’t notified account holders … and it’s annoying to change passwords.

Is there a way to make changing — and remembering — passwords less annoying?

Yes! Use LastPass or 1Password. They generate strong passwords for your accounts then store them in an encrypted vault. You only need to remember one master password to access the vault.
