Heartbleed: Revoke! Hit List, and How to Protect Yourself

Companies are now scrambling to patch servers and update software after the “Heartbleed” bug was revealed to the public.

Last week, “Heartbleed” was one of the most discussed security vulnerabilities. Security vulnerabilities come and go, but this one is an extremely serious flaw that could expose passwords, credit card numbers, and other personal data belonging to users of popular online services.

Heartbleed (not a virus, despite the popular label: it affects the sites you connect to on the Internet, not your own computer) has been present on millions of websites for two years. Its disclosure came as a shock, and users are rushing to change their passwords, while companies are scrambling to patch servers and update software.

“Proving” Identity to a Certification Authority

Simply patching the installed copy of OpenSSL is not enough, because the damage goes beyond the software at the root of the Heartbleed bug. A website applies for a certificate from a certification authority (CA); the certificate is tied to an email address, a specific name and a DNS address, and serves to “prove” the site’s identity. The green lock icon in your browser shows that a valid SSL certificate is present and indicates that the site is safe to use.

The identity a certificate authority (CA) vouches for rests on the private key held on the website’s server, so the security of that private key is extremely important. Heartbleed gives access to those private keys, not just user names and passwords. If unknown persons could grab those private keys, they could use them to tamper with the certificate or to pass one site off as having the identity of another.

Heartbleed Revoke

[Image: SSL CRL activity, certificates revoked]

According to Netcraft, more than 500,000 certificates are vulnerable to Heartbleed. Every single one of those certificates needs to be revoked and reissued. The revocation process has started; however, it might not be happening fast enough. As of the morning of Tuesday, 15th April, Netcraft reported that 80,000 certificates had been revoked.

According to ISC’s CRL activity tracker, as of Thursday, 18th April, more than 130,000 certificates had been revoked. The vast majority of those revocations were issued on April 16 and 17.
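As an added example that is not part of the original article, here is a stdlib-only Python check for the revoke-and-reissue rule described in the two sections above. It pulls the notBefore/notAfter dates out of a DER-encoded certificate with a minimal ASN.1 walker and flags any certificate issued before the server was patched; when no patch date is known it falls back to the 7 April 2014 public disclosure date, which is an assumption made here, not a figure from the article. build_test_cert constructs an unsigned toy certificate so the code runs offline.

```python
from datetime import datetime, timezone

HEARTBLEED_DISCLOSED = "2014-04-07"   # public disclosure; a site's own patch date is the real cutoff

def _date(s):
    """'YYYY-MM-DD' -> timezone-aware UTC datetime at midnight."""
    return datetime.strptime(s, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def _tlv(buf, pos):
    """Decode one ASN.1 tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def certificate_validity(der):
    """Walk Certificate -> tbsCertificate -> validity and return (notBefore, notAfter)."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version comes first
        pos = end
    for _ in range(3):                      # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # validity SEQUENCE holds the two times
    dates = []
    for _ in range(2):
        tag, start, end = _tlv(der, pos)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
        dates.append(datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc))
        pos = end
    return dates[0], dates[1]

def needs_reissue(der, patched_on=HEARTBLEED_DISCLOSED):
    """True if notBefore predates the patch date: that private key sat on a vulnerable
    server, so the certificate must be revoked and a fresh key/certificate issued."""
    return certificate_validity(der)[0] < _date(patched_on)

def _der(tag, body):
    """Minimal DER encoder; the constructed test certs stay under 128 bytes, so short-form lengths suffice."""
    return bytes([tag, len(body)]) + body

def build_test_cert(not_before, not_after):
    """Constructed, unsigned toy certificate carrying only the fields the parser walks."""
    utc = lambda s: _der(0x17, _date(s).strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02"))   # [0] version = v3
           + _der(0x02, b"\x01")             # serialNumber
           + _der(0x30, b"")                 # signature AlgorithmIdentifier (placeholder)
           + _der(0x30, b"")                 # issuer Name (placeholder)
           + _der(0x30, utc(not_before) + utc(not_after)))
    return _der(0x30, _der(0x30, tbs))
```

For a live site, pass ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))) as der together with the date the operator reported patching.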

What to do

  • Do not log into accounts on affected sites until you’re sure the company has patched the problem. The password security firm LastPass has set up a Heartbleed Checker, which allows you to enter any website URL to check whether it is vulnerable to the bug and whether the site has applied a patch.
  • Change your passwords for major accounts like email, banking and social media logins — on sites that were affected by Heartbleed but have patched the problem. Josh Abraham, director of professional services for security firm Praetorian, told NBCNews: “You can run to update your password everywhere, but it won’t do any good on the sites that haven’t pushed out a fix yet.”
  • High-profile companies including Google, Yahoo, Amazon, Tumblr and Facebook said they have investigated the issue and are working to update their sites. Facebook and Twitter use OpenSSL web servers, though their exposure is still unclear. Other websites that have issued an OpenSSL software security update include Amazon Web Services, WordPress, and Akamai. Some websites not considered vulnerable include Microsoft, Evernote, LinkedIn and AOL, among others. The fix could be slower for small businesses that use OpenSSL, so don’t be shy about reaching out to small businesses that hold your data to make sure they are secure. Abraham said that once a site has confirmed it has fixed the flaw, people should change their passwords immediately. Be proactive about making sure your information is safe.
  • Finally, be sure to keep an eye on sensitive online accounts, especially financial statements and email, for the next few days.

The checklist below, created by IVPN, helps you easily find which sites have been affected by the bug and whether it is safe to change your password yet. If a service provider has not applied the patch yet, you should not change your password. Wait until you receive confirmation from an official channel that the servers have been patched.

[Image: Heartbleed checklist by IVPN]

Here is an alternative infographic, by hugraphic, showing the top sites that have already fixed the problem.

[Infographic: The Heartbleed bug]

The video below, by Zulfikar Ramzan, MIT Ph.D. and CTO of cloud security firm Elastica, does a great job of explaining the bug at a fairly high level.

[vimeo width="602" height="350" video_id="91425662"]