The recently discovered Heartbleed security bug lets hackers gather and decipher data sent by your computer’s browser over HTTPS, the secure ‘encrypted data connections’ that use SSL. This security bug, a severe flaw in OpenSSL, might have allowed hackers to steal user names, passwords, payment card data, and other personal information from websites like Yahoo, Dropbox, and many others.
An estimated 500,000 websites have had this problem, for perhaps the past 2 years. That’s really bad! Catastrophic is the right word. “On the scale of 1 to 10, this is an 11,” said Bruce Schneier, a security researcher, fellow at Harvard’s Berkman Center, and board member of EFF.
Here are three ways to test for Heartbleed danger, and a few helpful hints to make sure you are protected. I recommend using all three to be extra sure the website/domain in question is really safe.
- Filippo Heartbleed test – input the domain name and port that needs to be tested
- Qualys SSL Labs testing tool – input the domain name that needs to be tested
- LastPass Heartbleed tester – input the domain name – LastPass checks the certificate date, and some sites that passed the previous 2 tests will fail this one.
Remember to check the domain using all 3 tools. If the domain passes all 3 tests, then it’s OK, and your next step is to create a new password. Remember to change your password to a new, totally unique, strong password – preferably at least 15 characters long. If the website in question does not pass all 3 tests (listed above), then it’s best to NOT use the website. Contact the company that owns the website by phone or email and ask them how soon the website will be fixed.
Remember to test all the websites you normally visit, and change ALL your passwords to strong, unique, new passwords.
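The certificate-date check that the LastPass tester is described as performing can also be run locally. This is an added example, not code from the original post or from LastPass; the 7 April 2014 disclosure date, the verdict names and the sample certificates are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption (not stated on the page): public disclosure was on 7 April 2014.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample certificates (not real sites), shaped like getpeercert() output.
SAMPLES = {
    "old.example": {"notBefore": "Jan 15 00:00:00 2013 GMT",
                    "notAfter": "Jan 15 23:59:59 2015 GMT"},
    "new.example": {"notBefore": "Apr  9 00:00:00 2014 GMT",
                    "notAfter": "Apr  9 23:59:59 2015 GMT"},
}


def parse_cert_time(value):
    """Convert getpeercert() time text to a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def classify(cert, now=None):
    """Return 'expired', 'not-yet-valid', 'issued-before-disclosure' or 'reissued'."""
    now = now or datetime.now(timezone.utc)
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if now > not_after:
        return "expired"
    if now < not_before:
        return "not-yet-valid"
    if not_before < DISCLOSURE:
        # The key behind this certificate was in use while the bug was live.
        return "issued-before-disclosure"
    return "reissued"


def fetch_cert(host, port=443, timeout=10):
    """Fetch a site's validated certificate as the dict classify() expects."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def check_samples(now):
    """Classify every constructed sample at a fixed point in time."""
    return {name: classify(cert, now) for name, cert in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in check_samples(datetime(2014, 4, 20, tzinfo=timezone.utc)).items():
        print(f"{name}: {verdict}")
```

For a live site, pass the result of `fetch_cert("example.com")` to `classify`. A post-disclosure issue date shows only that the certificate was reissued, not that its key was replaced or the old certificate revoked.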
- “Heartbleed” vulnerability may compromise your security on thousands of web sites – How-to limit the impact of vulnerability – by Brian Donohue of Kaspersky Lab
- How to Defend Against the OpenSSL Heartbleed Flaw – ComputerWorld