My Friends, I want you all to be aware of the latest Internet vulnerability discovery that you may or may not have heard of, named Heartbleed. This vulnerability affects the SSL website connections that hundreds of millions of people around the world make every day. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure an estimated 66% of the Internet. Although some of it is very technical, I will try to explain this to you so that it is understandable. For those with a technical background, you can read more about the details @ http://heartbleed.com/.
What is SSL?
When you go to any website on the Internet, there are essentially 2 types of connections that can be made to it: secure and unsecured. When you connect to these sites, you are connecting using the Hypertext Transfer Protocol, or HTTP. It's the first element you see in any URL (website address) and you can think of it as the language used to deliver information over the web. Most web browsers such as Internet Explorer, Google Chrome, and Mozilla Firefox use an encrypted protocol called Secure Sockets Layer (SSL) to access "secure" webpages. You can tell these apart from the rest because they use the prefix HTTPS. The "s" stands for secure. These are sites such as your online banking site, Facebook, and other e-commerce type sites where you might be transmitting sensitive data like credit card numbers, financial info and social security numbers. Almost any site you log on to with a password is most likely using SSL to secure the connection and to encrypt the data being sent back and forth. This prevents someone from eavesdropping on the connection and possibly stealing your information. Some sites will have both a secured version and an unsecured one. When browsing a website that is unsecured (HTTP), you will most likely just be viewing it. In this way there is no sensitive data being sent back and forth. For instance, you may be browsing Amazon.com for a new product. This is generally done in HTTP (unsecured) until you are ready to purchase. You would then sign in and the connection would be changed to a secure connection. You can tell a secure connection by the padlock icon in your address bar.
Who/what is affected?
The issue affects servers that were running specific versions of OpenSSL (1.0.1 through 1.0.1f) at any time in the past 2 years or so. Sites running older versions are not vulnerable. A fix has been released to address this problem, but it may take a little time to be implemented on such a vast number of servers. You can check if a site you use is still vulnerable here. If it is not listed, it only means that it is currently not vulnerable. It does not mean that it was not in the past 2 years. You can also check out this link to GitHub that lists 1000 popular sites that were found to be vulnerable. Some may be fixed, as the scan was taken 2 days ago.
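For readers who run their own servers, here is a small added example (my own illustration, not code from heartbleed.com or the OpenSSL project) that turns the affected range above into a check: it parses an OpenSSL version banner such as the output of `openssl version` and reports whether the upstream version falls in 1.0.1 through 1.0.1f. The function names `parse_openssl_version` and `is_heartbleed_affected` are my own, and the sample banners in the comments are constructed for illustration.

```python
import re
import subprocess

# Matches the version portion of an OpenSSL banner, e.g.
# "OpenSSL 1.0.1e-fips 11 Feb 2013" or a bare "1.0.1f".
# Group 4 is the optional patch letter ('' for the first 1.0.1 release).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, patch_letter) parsed from an OpenSSL banner.

    Raises ValueError when no version number can be found.
    """
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError("no OpenSSL version found in %r" % banner)
    major, minor, fix, letter = match.groups()
    return int(major), int(minor), int(fix), letter


def is_heartbleed_affected(banner):
    """True when the upstream version is 1.0.1 through 1.0.1f.

    This implements exactly the range named in the post: older branches
    (0.9.8, 1.0.0) are not affected, and 1.0.1g is the first fixed 1.0.1
    release. Only the upstream version number is examined; see the caveat
    below about distribution packages that backport the fix.
    """
    major, minor, fix, letter = parse_openssl_version(banner)
    if (major, minor, fix) != (1, 0, 1):
        return False
    # The bare "1.0.1" release (letter '') sorts before 'a', and 'f' is the
    # last affected letter, so a simple string comparison covers the range.
    return letter <= "f"


def local_openssl_banner():
    """Return the banner of the locally installed openssl binary, or None."""
    try:
        out = subprocess.check_output(["openssl", "version"])
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.decode("utf-8", "replace").strip()


if __name__ == "__main__":
    banner = local_openssl_banner()
    if banner is None:
        print("openssl binary not found; nothing to check")
    else:
        verdict = "AFFECTED" if is_heartbleed_affected(banner) else "not in affected range"
        print("%s -> %s" % (banner, verdict))
```

One caveat before trusting the verdict: major Linux distributions shipped the Heartbleed fix as a patch to their existing packages, so a patched system can still print a banner like "OpenSSL 1.0.1e" and be flagged as affected by this version-number check. On such systems, confirm through the package manager's changelog (or a proper test of the running service) rather than the version string alone.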
What should I do?
For now, you can check if a site you use is still vulnerable here. If it is not listed, you should change your password ASAP. But, for other sites, until a website has fixed the issue, there is nothing you can do except avoid the site. If you are not already using a password manager, I HIGHLY suggest and recommend using LastPass. If you have any questions or concerns, please leave a comment in the comments section or shoot me an email at michael@2mcomputers.com.