If you have read the press or listened to the news any time since Tuesday, you have probably heard of a new Internet security vulnerability called Heartbleed, which the IT security industry has got all hot and bothered about. Well, here is my personal (grossly simplified) take on it.
This whole problem is all about secure connections to ‘so-called’ secure servers via a security protocol known as OpenSSL.
So, firstly you should be aware that it is the server that may be running OpenSSL, not your desktop. There is nothing to ‘patch’ on the desktop. (And it is only a problem for Linux servers running OpenSSL. Microsoft servers do not use OpenSSL.) So, this is down to the security professionals in charge of the server.
- If your in-house server is running a Windows operating system it is not affected.
- Normal web browsing not involving a ‘logon’ session is not affected.
- Normal POP or SMTP email using non-secure, normal default ports of 110 and 25 is not affected.
- Exchange based email (which runs on a Microsoft server) is not affected.
Secondly, even if you have been logging into a server running one of the vulnerable versions of OpenSSL over the last couple of years, there is no proof that any of them had actually been compromised. They may have had the ‘vulnerability’ to be attacked but there is no evidence that any bad guys had ever actually ‘exploited’ that vulnerability. So the chances of your personal secret data getting into the wrong hands are very small.
However, now that the ‘way in’ has been published in the public domain and all the bad guys are aware of it, some of them will no doubt be attempting to ‘get in’. So it becomes critical for your web service company to get their act together and patch OpenSSL with a ‘safe’ version. It is fair to say that most of the big players will now have done this. Now, while there are millions of small players, how many of them do you actually use? (Think cloud services or proprietary web-based CRM systems, for example; these are the ones to be wary of.)
So, if you think you’re vulnerable, what should you do?
Well, to a large extent you are in the hands of the service providers – it’s their code that needs to be patched. However, if they were vulnerable and if they were compromised by the bad guys (that latter point is probably quite unlikely), it is possible that your password and other information may have been stolen. So, even though I think it is very unlikely, it may be a good idea to change your password if you use one to log on to an Internet ‘service’ which may have been compromised.
Having said that, I’d leave it until Monday and give the server professionals the weekend to secure their services, because changing the password you use to connect to an unpatched server is no help whatsoever.
…and don’t panic!