
Saturday, 19 April 2014

What is Heartbleed? Is it a new virus, and how do you fix it?

The Heartbleed SSL vulnerability is in the news around the world, and misreporting in the press is causing confusion online. How can you stay safe and ensure your personal details aren’t leaked? The first thing to know about Heartbleed is that it is not a virus, although you have probably heard it described as one. It is a weakness, a vulnerability, in servers running OpenSSL, the open source implementation of SSL and TLS, the protocols used for secure connections, those whose addresses begin https:// rather than the usual http://.



What is Heartbleed, actually? How can it affect users?

As already mentioned, it is not a virus; it is a vulnerability. This vulnerability, more commonly referred to as a bug, creates a hole through which hackers can circumvent the encryption. Confirmed on April 7, 2014, it occurs in all versions of OpenSSL except 1.0.1g. The threat is limited to sites running OpenSSL; other SSL and TLS libraries are available, but OpenSSL is employed widely on servers around the web.

Why is it called Heartbleed? How do you fix Heartbleed?

A fix for the problem exists, but it may not yet have been applied to the websites you regularly visit for secure activities. These might be online shopping, gambling and other adult-themed websites, or even social networking. As a result, all manner of personal and financial information could be at risk. To get an idea of how big a deal Heartbleed is, we should underline that it is an Internet-based vulnerability and therefore affects users of all operating systems, desktop and mobile.

So, it’s a big deal – but what can you do about it?

  1. Keep Calm & Don’t Panic: A lot has been written across the Internet and in the printed media in the past few days, and much of it is hype, doom porn that would put the effects of Orson Welles’ famous War of the Worlds radio broadcast to shame. Much of what you have already seen will have been cobbled together from press releases and other reports by journalists unfamiliar with the terminology and without a clear understanding of the risks. For instance, you might have read that you should change your passwords immediately [not entirely true]. But did you know about the phishing risk?
  2. Beware of Phishing Attacks: Some of the web services that have been affected by Heartbleed, such as banks and social networks, will drop you an email to let you know that they have repaired the vulnerability and recommend that you change your password. Naturally, you should do this – but be aware that this situation presents an ideal opportunity for phishers to start sending fake emails, complete with embedded links to the “change password” page, in reality a website designed to harvest your details. See the picture below: this is an email from pinterest.com, but we recommend you be careful with such emails, as one may be spam taking you to a fake page [a phishing attack].


    None of the services you use should recommend that you click a change-password link in an unsolicited email. Unfortunately, IFTTT did, as did Pinterest [above picture]. This is bad practice and gives the impression that such a link is acceptable and should be clicked.
  3. Do Not Change Your Passwords Unnecessarily: One of the main pieces of Heartbleed advice in circulation is that you should change your passwords immediately. All of them. This, sadly, is an example of the misinformation I referred to in the intro. Say you use the same password for several websites.
    (i) First of all, this is bad practice and you should reconsider doing it in future [not to mention create more secure passwords].
    (ii) Second, if you indiscriminately change all of your passwords, the chances are you’re going to do so on a website that isn’t running on a patched server – one on which Heartbleed is still a vulnerability. Inadvertently, you have potentially shared both your old password and your new password with those able to exploit the vulnerability for identity fraud and spam operations. As such, you should only change your password on a site-by-site basis when you know the site has been patched – that is, the fix has been applied and the vulnerability closed.
  4. Check Which Websites Have Been Affected: Get started by checking which websites are free from the Heartbleed vulnerability. There are two ways to do this:
    (i) First, head to Mashable, where an up-to-date list of big-name websites affected by Heartbleed can be found, along with advice as to whether you should change your password or not.
    (ii) For the smaller websites, this excellent search tool will tell you instantly whether or not the site has been patched. An alternative is the Chromebleed Checker extension for Google Chrome. If the websites you use have been affected and have not yet patched the Heartbleed vulnerability, avoid logging in until the situation is resolved.
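As a worked example of step 4 for a practitioner who looks after a few sites, this added Python script (not from the post, and not the search tool or Chromebleed extension it names) classifies a server by the OpenSSL version it advertises in its HTTP Server header, treating 1.0.1g as the fixed release. The hostnames and headers below are constructed samples, and the network helper assumes the server exposes an OpenSSL token at all:

```python
import re
import ssl
import http.client
from typing import Optional, Tuple

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g is the
# fixed release the post names. Earlier branches (0.9.8, 1.0.0) never had the bug.
FIXED_PATCH_LETTER = "g"

def parse_openssl_version(server_header: str) -> Optional[Tuple[int, int, int, str]]:
    """Extract (major, minor, fix, patch_letter) from an HTTP Server header such as
    'Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e'. Returns None when no OpenSSL token is present."""
    m = re.search(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]?)", server_header)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter

def assess_server_header(server_header: str) -> str:
    """Classify a Server header as 'vulnerable', 'patched', 'not-affected' or 'unknown'."""
    version = parse_openssl_version(server_header)
    if version is None:
        return "unknown"        # header hidden or no OpenSSL token: no evidence either way
    major, minor, fix, letter = version
    if (major, minor, fix) != (1, 0, 1):
        return "not-affected"   # 1.0.2 pre-release builds are not handled by this check
    # a bare '1.0.1' (empty letter) sorts before 'g' and is correctly reported as vulnerable
    return "patched" if letter >= FIXED_PATCH_LETTER else "vulnerable"

def fetch_server_header(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Issue one HTTPS HEAD request and return the Server header ('' if absent)."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server", "")
    finally:
        conn.close()

# Constructed sample headers (not captured from real sites) to exercise the classifier offline.
SAMPLE_HEADERS = {
    "shop.example": "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",    # 1.0.1e: vulnerable
    "bank.example": "Apache/2.4.9 (Unix) OpenSSL/1.0.1g",       # 1.0.1g: patched
    "legacy.example": "Apache/2.2.3 (CentOS) OpenSSL/0.9.8e",   # 0.9.8 branch: not affected
    "cdn.example": "nginx/1.4.7",                                # no OpenSSL token: unknown
}

if __name__ == "__main__":
    for host, header in SAMPLE_HEADERS.items():
        print(f"{host:16} {assess_server_header(header):13} <- {header}")
```

Distributions such as Debian and Red Hat backport the fix without changing the version string, so a "vulnerable" verdict here means "confirm with the site operator", not proof of exposure, and "unknown" is the common case because most sites hide the header.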

Final Advice

Don’t change any passwords until you’re instructed to do so by the corresponding websites and services. You can also use new tools to check whether the website you plan on visiting has been affected, and whether a fix has been applied. Most importantly, stay safe and be patient. The potential for Heartbleed to cause massive problems is still there – avoid any websites that require patching until you know that they are now secure.
