GOT HEARTBLEED TROUBLE?

A SECURE WEBSITE, A LOCK, HTTPS – WHAT DOES IT ALL MEAN?

Hackers are always thinking of ways to steal your information. We are told to make sure that we are using a secure website whenever personal/private information is being sent. The two main ways to know if a site is secure are whether it has HTTPS in the website address and whether you see a lock.

HTTP stands for HyperText Transfer Protocol. It is the underlying way information travels on the World Wide Web. The problem with HTTP is that anybody who can see the traffic between you and the website can read what you send. For example, if you sent the following information to your online bank:

MY NAME IS LEE JONES AND MY CHECKING ACCOUNT NUMBER IS 123-45-6789. MY PASSWORD IS LOTSOFMONEY.

That information would be sent in the clear.  A hacker could intercept your transmission to the bank and have no problem reading your private information.

HTTPS stands for HyperText Transfer Protocol Secure. With HTTPS, information traveling from your computer to a website is encrypted (scrambled). For example, if you sent the following information to your online bank:

MY NAME IS LEE JONES AND MY CHECKING ACCOUNT NUMBER IS 123-45-6789. MY PASSWORD IS LOTSOFMONEY.

The information would look something like this:

Y&&35KJHG&*($%h###yyyJJ%

It would be scrambled, secure. If a hacker intercepted the transmission from your computer to your bank, he would see gibberish.

SSL/TLS

SSL stands for Secure Sockets Layer.  It is an Internet protocol (way of communicating) that converts HTTP into HTTPS. TLS stands for Transport Layer Security. It is the successor to SSL.

THE HEARTBLEED PROBLEM:

Heartbleed is basically a memory leak (bleed) problem. About 60% of all web servers in the world use a particular implementation of SSL/TLS called OpenSSL. Remember, with HTTPS (SSL/TLS) information from your computer to a website is scrambled. Your scrambled information becomes unscrambled once it SAFELY makes its way to the web server of the site you are using.

Last week a Finnish security firm found a flaw in OpenSSL. It is believed that hackers knew about this flaw as far back as 2 years ago.

OpenSSL uses what is called a heartbeat to keep the connection between your computer and a website’s web server alive. The attacker sends a heartbeat request to a web server that is REALLY only 1 byte in size. The attacker configures the heartbeat request to look like it is 65,000 bytes or whatever number he selects. OpenSSL sees the difference in the data size and says, “Oh I need to send this person (computer) more information.” The information it sends is whatever the web server had in memory at the time of the fake request. The information could be:

YOUR NAME

YOUR USERNAME

YOUR PASSWORD

YOUR ACCOUNT NUMBER

YOUR SOCIAL SECURITY NUMBER
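
An added illustration, not from the original post or from OpenSSL's source: a simplified C model of the heartbeat handling described above, with a handler that trusts the claimed size next to one that compares it with what actually arrived. The record layout, buffer and function names are assumptions made for the demo, and the "secret" is constructed from the banking example earlier in this post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for server memory: a 4-byte heartbeat record
   (type, 2-byte claimed length, 1 payload byte) followed by unrelated data. */
static uint8_t arena[64];
#define REC_LEN 4  /* bytes actually received from the peer */

static void setup_arena(uint16_t claimed) {
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                        /* heartbeat request */
    arena[1] = (uint8_t)(claimed >> 8);  /* claimed payload length, big-endian */
    arena[2] = (uint8_t)(claimed & 0xff);
    arena[3] = 'A';                      /* the one real payload byte */
    memcpy(arena + REC_LEN, "PASSWORD=LOTSOFMONEY", 20); /* constructed secret */
}

/* Flawed: echoes `claimed` bytes without comparing to rec_len. Returns bytes copied. */
static size_t reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                       /* the bug: received size is ignored */
    if (claimed > cap) claimed = cap;    /* keeps this demo inside the arena */
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Fixed: drop the request when the claimed length exceeds what arrived. */
static size_t reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap) {
    if (rec_len < 3) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (3 + claimed > rec_len || claimed > cap) return 0;  /* silently discard */
    memcpy(out, rec + 3, claimed);
    return claimed;
}

int main(void) {
    uint8_t out[32];
    setup_arena(21);                     /* claims 21 bytes, sent 1 */
    size_t n = reply_unchecked(arena, REC_LEN, out, sizeof out);
    printf("unchecked: %zu bytes: %.*s\n", n, (int)n, out);
    printf("checked:   %zu bytes\n", reply_checked(arena, REC_LEN, out, sizeof out));
    return 0;
}
```

The model leaves out the padding and framing of a real TLS heartbeat record; the point is the single length comparison that separates the two handlers.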

WHAT TO DO

Do not use public Wi-Fi until this problem has been fixed. You never know if proper precautions have been taken to defend against the Heartbleed bug.

Change your passwords on sites that have been patched. It does no good to change your password on sites that have not been fixed yet because an attacker could still get your personal information. Click on the link below for a current list of sites that have been fixed.

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

SITES NOT ON THE LIST THAT YOU CAN CHECK

https://lastpass.com/heartbleed/

Hopefully this information has been helpful.

John L. Jones
