By Aaron Hutton
On the heels of several security breaches for a number of retailers comes a new threat to anyone who accesses the Internet. Self-storage operators who haven’t heard about the encryption flaw in the Heartbleed bug need to be informed and take action. Here’s a summary of how it works and why it should matter to you.
What Is Heartbleed?
Heartbleed is the common name for a recently discovered vulnerability in OpenSSL, a widely used cryptographic library designed to encrypt data traveling across the Internet. When you see https:// at the front of your browser's address bar, you're using some form of SSL. The system is designed so two parties can communicate without fear of being overheard by a third party.
In most cases, you're one party and the other party is the website with which you're communicating. It accomplishes this through use of an SSL/TLS "certificate," which positively identifies the website you're communicating with and provides the "key" to encrypting and decrypting the communications between you and that website.
The Heartbleed bug “leaks” pieces of memory from affected servers. Given time, an attacker can gather sensitive copies of information, including the certificate mentioned above, as well as usernames, passwords and other sensitive data. The reason Heartbleed is so serious is because it has existed for quite some time (about two years), it’s relatively easy to exploit, and attackers leave no trace when they take advantage of a server.
What Should You Do?
Several sources out there are advising folks to change their passwords on various websites. Before you do, however, you should check a couple of things. First, did the website in question update its servers to patch the Heartbleed vulnerability? Second, did it replace its SSL/TLS certificate?
If the website hasn’t yet patched its servers and is still vulnerable, changing your password does no good since your new password can be leaked as easily as your old one through the Heartbleed bug. However, most administrators have now patched their systems so they’re no longer vulnerable.
Because Heartbleed can expose a website’s security certificate, end-to-end communications between a vulnerable server and you are insecure. If a website patches the bug but does not change its certificate, an attacker with a copy of the old certificate could decrypt your communications and read sensitive data, such as your new password. This situation is less common, unless you frequently use networks like public Wi-Fi or other insecure networks. I recommend you wait until the website replaces its certificate before changing your password.
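The second check above (has the site replaced its certificate?) can be automated. The script below is an added example, not code from the article: it uses Python's standard ssl module to fetch a site's certificate, compares the certificate's start of validity against the public disclosure date of Heartbleed (7 April 2014, CVE-2014-0160), and, if you noted the serial number of the certificate a site was using before it patched, tells you whether that same certificate is still in place. The two certificate dictionaries and the host name are constructed for illustration; the live lookup (`fetch_peer_cert`) needs network access and is only run when a host is passed on the command line.

```python
"""Decide whether a site's TLS certificate was (re)issued after the Heartbleed
disclosure.  Added example for this article; the certificate records and the
host name below are constructed, not taken from any real site."""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional

# Date Heartbleed (CVE-2014-0160) was publicly disclosed.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port, validate the chain against the system trust store
    and return the leaf certificate in the dict form ssl.getpeercert() uses."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_not_before(cert: dict) -> datetime:
    """Parse the 'notBefore' field ('Apr  9 00:00:00 2014 GMT') as a UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_heartbleed(cert: dict) -> bool:
    """True when the certificate's validity began after public disclosure.

    A certificate issued earlier may have been served by a vulnerable server,
    so its private key may have leaked; a new password sent to such a site can
    still be read by anyone holding that key."""
    return cert_not_before(cert) > HEARTBLEED_DISCLOSED


def assess(cert: dict, previous_serial: Optional[str] = None) -> str:
    """Return one of:
       'unchanged'               - same serial as the certificate seen before patching
       'issued-before-disclosure' - validity started before Heartbleed went public
       'replaced'                - issued after disclosure (and differs from the old one)"""
    if previous_serial is not None and cert.get("serialNumber") == previous_serial:
        return "unchanged"
    if not reissued_after_heartbleed(cert):
        return "issued-before-disclosure"
    return "replaced"


# Constructed sample records in the shape ssl.getpeercert() returns.
OLD_CERT = {
    "subject": ((("commonName", "storage.example.invalid"),),),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Mar  1 00:00:00 2014 GMT",
    "notAfter": "Mar  1 00:00:00 2016 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "storage.example.invalid"),),),
    "serialNumber": "0F0E0D0C",
    "notBefore": "Apr  9 00:00:00 2014 GMT",
    "notAfter": "Apr  9 00:00:00 2016 GMT",
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python heartbleed_cert_check.py example.invalid [old-serial]
        live = fetch_peer_cert(sys.argv[1])
        old_serial = sys.argv[2] if len(sys.argv) > 2 else None
        print(sys.argv[1], "->", assess(live, old_serial))
    else:
        print("old cert:", assess(OLD_CERT))                      # issued-before-disclosure
        print("new cert:", assess(NEW_CERT, "0A1B2C3D"))         # replaced
        print("same cert:", assess(OLD_CERT, "0A1B2C3D"))        # unchanged
```

A certificate that began its validity after disclosure is the signal the article asks you to wait for; a site whose certificate predates disclosure, or whose serial number has not changed since before it patched, has not yet finished cleaning up, and changing your password there gives you no protection. Note that this check reads only what the certificate says about itself; it cannot tell whether a replacement certificate was issued with a genuinely new private key, so it is a necessary check, not a sufficient one.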