This document summarizes information about the Heartbleed vulnerability, which affected the OpenSSL encryption software. It explains what Heartbleed is, how it worked, when it was discovered and patched, and provides recommendations on changing passwords on vulnerable sites and using a password manager to stay protected. It also lists some sites that were commonly affected and unaffected.
3. What is Heartbleed?
Heartbleedis a vulnerability in
OpenSSLsoftware.
OpenSSLis encryption software that accesses websites through a “secure” connection, HTTPS://.
4. How does it work?
To communicate, a client computer and the server send back and forth a short block of data. The block contains a value for the length of the block.
The malformed block says its length is 64KB, the maximum possible. The server copies that much data from memory into the response.
It may send passwords, encryption keys, etc.
5. When happened when?
OpenSSLreleasedMarch 2012
Publicly reported as vulnerable1 April 2014
Patch released21 March 2014
(Some fixes had already been put in place then)
First proven attempted exploit8 April 2014
Intentional vulnerability test12 April 2014
6. How may sites are vulnerable? (After vulnerability was reported publically)
7. How may sites are vulnerable?
A list the top 1,000 most popular web domains and mail servers that remain vulnerable.
https://zmap.io/heartbleed/
8. What should you do?
Change all passwords as soon as you can.
Find out which sites are vulnerable
On vulnerable sites that have been patched:
Old passwords may be compromised
On sites not yet patched (ask about current status):
New passwords may become compromised, so change them regularly
On sites not affected:
Was same password used elsewhere?
9. Which sites are not affected?
Almost all financial service sites are OK.
Amazon
BCPL
Dell
Ebay
Erickson
Gcflearnfree
Haband
MS Live ID
Mychart, (Erickson)
PayPal
US Treasury
10. Which are common patched sites?
Dropbox
Facebook
Google
Netflix
Norton
Skype
Wikipedia
Yahoo
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Site List
Search for site
https://lastpass.com/heartbleed/
11. How do I manage?
Use a Password Manager, free -LastPass
Use a LastPassaccount, import your existing passwords or save newly generated ones.
A good way to manage passwords in Windows, includes an IE installer.
Supports Internet Explorer 8+, Firefox 2.0+, Chrome 18+, Safari 5+, Opera 11+.
http://www.pcmag.com/article2/0,2817,2407168,00.asp
https://lastpass.com/misc_download2.php
12. What does your son/daughter know?
•Keep a separate, up to date record of your passwords in a safe place.
•Make sure your designated representative knows where that record is.