You may have heard about, or been contacted regarding, the Heartbleed vulnerability recently. We have put together the following FAQ to help answer your questions:
- What is Heartbleed?
Heartbleed is a vulnerability in OpenSSL, a widely used implementation of SSL/TLS, the protocol that encrypts most traffic on the internet.
- How does it work?
The flaw affects servers that serve encrypted traffic over the internet: it lets an attacker dump parts of the web server's memory and read web requests to the server, which were encrypted in transit, in their unencrypted form.
- In plain English?
Any time you log in to a site, attackers have a brief window in which they can dump your username and password from the server without you knowing.
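The "How does it work?" answer above comes down to one missing check: the server trusted a length field supplied by the client instead of comparing it with the number of bytes it had actually received. The following C program is an added, deliberately simplified model of that handler, not OpenSSL's code; the record layout, the function names (heartbeat_vulnerable, heartbeat_hardened) and the "server memory" contents are all constructed for illustration. It shows the vulnerable responder echoing back unrelated memory and the hardened responder rejecting the malformed record while still answering a well-formed one.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed heartbeat record layout: [len_hi][len_lo][payload ...]
 * RECORD_LEN is the number of bytes that actually arrived on the wire. */
#define RECORD_LEN 4
#define MEM_SIZE   96

/* Build a stand-in for the server's memory: the received record sits at
 * the front and unrelated data (a constructed secret) happens to follow. */
static void build_server_memory(unsigned char *mem) {
    memset(mem, 0, MEM_SIZE);
    mem[0] = 0x00; mem[1] = 0x40;   /* declares 64 payload bytes ...      */
    mem[2] = 'h';  mem[3] = 'i';    /* ... but only 2 were actually sent  */
    const char *secret = "session_cookie=SECRET-VALUE";   /* constructed */
    memcpy(mem + 32, secret, strlen(secret));
}

/* Vulnerable responder: echoes as many bytes as the record *claims* to
 * carry. The received length is never consulted, which is the bug. */
static size_t heartbeat_vulnerable(const unsigned char *mem, size_t record_len,
                                   unsigned char *out, size_t out_cap) {
    (void)record_len;
    size_t declared = (size_t)((mem[0] << 8) | mem[1]);
    if (declared > out_cap) declared = out_cap;   /* keeps this model in bounds */
    memcpy(out, mem + 2, declared);               /* copies past the real payload */
    return declared;
}

/* Hardened responder: refuses any record whose declared payload length is
 * larger than what was actually received. Returns bytes echoed, or -1. */
static int heartbeat_hardened(const unsigned char *mem, size_t record_len,
                              unsigned char *out, size_t out_cap) {
    if (record_len < 2) return -1;
    size_t declared = (size_t)((mem[0] << 8) | mem[1]);
    if (2 + declared > record_len) return -1;     /* claims more than it sent */
    if (declared > out_cap) return -1;
    memcpy(out, mem + 2, declared);
    return (int)declared;
}

/* Did the response carry the constructed secret back to the client? */
static int response_contains_secret(const unsigned char *resp, size_t n) {
    const char *needle = "SECRET-VALUE";
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(resp + i, needle, m) == 0) return 1;
    return 0;
}

/* Returns 1 if the vulnerable responder leaks the secret (it does). */
int vulnerable_leaks(void) {
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    build_server_memory(mem);
    size_t n = heartbeat_vulnerable(mem, RECORD_LEN, out, sizeof out - 2);
    return response_contains_secret(out, n);
}

/* Returns the hardened responder's verdict on the malformed record (-1). */
int hardened_result(void) {
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    build_server_memory(mem);
    return heartbeat_hardened(mem, RECORD_LEN, out, sizeof out - 2);
}

/* Returns 1 if a well-formed 2-byte heartbeat is still echoed correctly. */
int hardened_echo_ok(void) {
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    build_server_memory(mem);
    mem[1] = 0x02;   /* declared length now matches the 2 bytes sent */
    int n = heartbeat_hardened(mem, RECORD_LEN, out, sizeof out);
    return n == 2 && memcmp(out, "hi", 2) == 0;
}

int main(void) {
    printf("vulnerable responder leaks secret: %s\n", vulnerable_leaks() ? "yes" : "no");
    printf("hardened responder on malformed record: %d\n", hardened_result());
    printf("hardened responder on well-formed record ok: %s\n", hardened_echo_ok() ? "yes" : "no");
    return 0;
}
```

The point for defenders is the shape of the fix rather than this toy: every length that arrives from the network must be checked against the bytes actually received before it is used for a copy, and a well-formed request must still work after the check is added.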
- Have I been affected?
It is very likely that you have. It is estimated that nearly two-thirds of the Internet is/was vulnerable to this bug. Making matters worse, this bug has existed for nearly two years without anyone going public with it.
- What should I do to protect my usernames and passwords?
Make a list of all critical sites that you interact with, such as email, social networks, cloud storage, banking, etc.
Test to see if a site is vulnerable by visiting https://lastpass.com/heartbleed/
If the site is still listed as vulnerable, changing your password will do little to protect you, as an attacker could just dump your information again. We recommend that you wait until the site is fixed before changing your password. During this wait time, it is strongly recommended that you do not use the site.
If the site is NOT vulnerable, log in and change your password immediately.
Moving forward, we recommend implementing two-factor authentication on sites where it is possible to do so.
- What should I do if I have a site that says it is vulnerable?
If a third-party vendor hosts your site, contact them immediately to determine your resolution plan. If you host a vulnerable site yourself, you will need to update to a non-vulnerable version of OpenSSL and reissue your site’s certificate with a newly generated private key, since the old key may have been exposed from server memory while the site was vulnerable.