Believed to be among the biggest computer bugs to ever strike the Internet, the HeartBleed Internet bug is a doozy. What makes the situation even more dire, however, is that consumers can do little to protect themselves. HeartBleed has the Internet community reeling because it’s a direct hit to OpenSSL, which runs on 66 percent of the Web, according to Mashable’s Christina Warren. OpenSSL is free and versatile, so a lot of companies rely on it to enable the functionality of Secure Sockets Layer and Transport Layer Security (SSL/TLS)–a set of protocols for handling security, Warren explains. From a consumer’s perspective, the threat is quite real:
“Even if you don’t ever see OpenSSL or know what it stands for, chances are, you interact with it several times a day. That interaction can be as simple as entering in a password for an email account or as complex as sending a private message or photo or even filing your taxes,” Warren writes.
According to several reports, the OpenSSL developer responsible for the typo that became HeartBleed completed the coding about an hour before New Year’s Eve in 2011, and most companies started using the doomed version of OpenSSL in May 2012. That means the bug has been around for quite some time, and any supposedly secure activity on a site that has used OpenSSL since then wasn’t secure at all.
Now that the mistake has been discovered, vulnerable companies are in damage-control mode. So what should they be doing to help protect their users? Read on.
1. Break the News to Users
There’s been a ton of confusion regarding which sites have been affected and which haven’t, so it’s up to individual companies to deliver the news to consumers if their information is at risk. Some of the tech giants (I’m looking at you, Google) have been particularly vague about whether or not their users are at risk, but Mashable has created a list to keep track. According to Google, whose security engineer Neel Mehta originally spotted the bug, the company “assessed the SSL vulnerability and applied patches to key Google services.” Search, Gmail, YouTube, Wallet, Play, Apps and App Engine were affected, but Google Chrome and Chrome OS were not. The company maintains that users do not need to change their passwords. Facebook, however, encouraged users to take the safe route: “We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity, but we encourage people to … set up a unique password,” the company said.
2. Patch Things Up
A patch for the bug is already available, and it goes without saying that it should be applied right away. The key here is to make sure users know not to change their password before the fix is in place; otherwise, their new password might be exposed as well. Companies should consider directing users to LastPass, a keychain Website that manages consumer passwords and stores them in one place. The site has set up a tool that lets users check the sites they hold passwords for and determine whether each site has already applied the patch.
3. Beef Up Security
Because the threat is so widespread and a variety of Web sites have been affected, it’s important to remind users to create unique passwords rather than reuse the same one across sites. In addition, it’s not a bad idea to put a two-step authentication system in place to protect accounts. “One typical scenario would involve a user providing something they know, like a password, combined with something they have, like a cell phone tied to a verified phone number,” TechCrunch’s Sarah Perez writes. Many companies have already implemented this measure. Back in March, for example, Tumblr announced that it would launch two-factor authentication and require users to enter not only their usual password but also an identification code. The extra layer of security might help consumers feel safer from future bugs or hacks.