A major breakdown in internet security was revealed earlier this week. Millions of passwords, credit card numbers, Social Security numbers and everything else you hold dear are at risk. The nickname, Heartbleed, aptly summarizes how the victims feel; it is derived from the TLS "heartbeat extension", a keep-alive feature that lets two computers check that the other end of an encrypted connection is still online. Servers running Apache or Nginx with a vulnerable OpenSSL version are impacted, and those two web servers together serve the majority of websites (roughly two-thirds of active sites in Netcraft's April 2014 survey).
The worrying aspect of the bug is that a vulnerable website can be attacked without leaving any trace: a malicious heartbeat looks like ordinary TLS traffic and is not written to the usual server logs. The exact damage from this vulnerability will only become known in the days to come; as of now there is a lot of panic and hysteria around it. The flaw exists in a vast number of web servers and has been present for about two years, so you might ask what the big deal is.
So is Heartbleed a big deal for your WordPress site?
First of all, Heartbleed impacts the encryption technology itself. If you run a blog or an e-commerce WordPress store over https (encryption of the traffic between the browser and your web server), you may well be vulnerable. A green padlock in the address bar tells you that the site uses encryption; it does not tell you whether that encryption comes from an affected OpenSSL version, so the padlock alone is no reassurance either way. If you are worried about transacting on such a site, there are various tools on the internet that check whether a given WordPress site is vulnerable; the popular LastPass Heartbleed Checker is one of them. The bug itself was identified by Neel Mehta of Google and, independently, by a team of security researchers at Codenomicon in Finland.
Heartbleed Checker Tools:
There is also a Chrome/Chromium browser extension, ChromeBleed (it may generate false positives, so it is not completely reliable).
Which websites are affected?
Many major websites were affected, because OpenSSL (the cryptographic library containing the bug) is the usual choice for Apache and Nginx based web servers, which together serve the majority of websites. Global giants like Amazon, Google and Yahoo use these technologies. The giants have already taken preventive measures, but a vast number of e-commerce websites are still vulnerable. It is recommended that you verify with the online tools mentioned above before doing transactions.
How to fix the Heartbleed bug on your WordPress website
OpenSSL has released a new version of the software that fixes the bug: 1.0.1g (and 1.0.2-beta2 for the beta branch). WordPress itself is not the vulnerable component; the fix happens on the server. Contact your hosting service provider and ask them to upgrade OpenSSL and then restart every service that links against it (the web server, but also mail, VPN and similar daemons), since a running process keeps the old library loaded until it is restarted. After the upgrade, check the OpenSSL version, but be aware that Linux distributions often backport the fix without changing the version number (Debian, for example, kept the 1.0.1e version string), so compare the build date shown by 'openssl version -a' against your distribution's security advisory rather than looking for "1.0.1g" alone. Once the server is patched, assume your private key may have leaked: generate a fresh key, have your certificate reissued and installed, and only then revoke the old certificate. Finally, rotate the authentication keys and salts in wp-config.php so that every existing login cookie is invalidated, and contact your existing users to recommend that they change their passwords; a password changed before the patch would simply be exposed again.
What can you do as a WordPress user?
Step 1 – Log out of all websites.
Step 2 – Use the checker tools before logging into a website again.
Step 3 – Contact the owners of your favorite websites and tell them if you find a site is still vulnerable.
Step 4 – Wait for the websites to update to a fixed version of the encryption software.
Step 5 – After the update, change all your passwords. Changing them before the site is patched does not help, because the new password can leak the same way.
Very important – do not reuse the same password across websites!
Technicalities of Heartbleed
The TLS (Transport Layer Security) and DTLS (Datagram Transport Layer Security) protocols have a Heartbeat Extension (RFC 6520). It provides keep-alive functionality: one side sends a heartbeat request carrying an arbitrary payload and a declared payload length, and the other side echoes the payload back. This matters most for DTLS, which runs over UDP and otherwise has no cheap way to check that the peer is still alive short of a full renegotiation. OpenSSL's implementation of this feature (added at the end of 2011 and shipped in OpenSSL 1.0.1, released March 2012) was missing a bounds check: it trusted the payload length declared by the sender instead of comparing it with the length of the record actually received. Affected versions are 1.0.1 through 1.0.1f and 1.0.2-beta1; 0.9.8 and 1.0.0 never had the extension and are not affected. An attacker sends a tiny heartbeat that claims a payload of up to 64 KB, and the server copies that many bytes from memory into its reply, reading well past the real message into whatever happens to sit next to it on the heap. Anyone on the internet can repeat this indefinitely, and the leaked memory can contain session cookies, plaintext passwords from recent requests and, eventually, the server's private key. With the private key an attacker can impersonate the site and, where the connection did not use forward secrecy, decrypt previously captured traffic to recover passwords, credit card numbers and any other confidential data.
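To make the missing bounds check concrete, here is a toy model of the heartbeat message handling, written for this article and not taken from OpenSSL or from the Heartbleed researchers. The "memory" it works on is a constructed byte string standing in for the process heap: the incoming heartbeat record sits at the front and unrelated secrets (a made-up WordPress login cookie and a fake private-key fragment) follow it. Nothing touches a real server; the point is to show side by side what the 1.0.1f code did and what the 1.0.1g fix checks before copying.

```python
"""Toy model of the TLS heartbeat extension (RFC 6520) and the Heartbleed bug.

The `memory` arguments below are constructed byte strings standing in for the
process heap: the incoming heartbeat record is at the front and unrelated
secrets happen to follow it. No network traffic or real OpenSSL code is used.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed "heap neighbours": data an over-read would expose. Fake values.
NEIGHBOURING_SECRETS = (
    b"Cookie: wordpress_logged_in=admin%7C1397000000%7Cdeadbeef; "
    b"-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEA..."
)


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a HeartbeatMessage: type(1) | payload_length(2) | payload | padding.

    An honest peer sets claimed_length == len(payload). The Heartbleed attacker
    sends a few bytes of payload but claims up to 65535.
    """
    length = len(payload) if claimed_length is None else claimed_length
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", length)
            + payload + b"\x00" * PADDING_LEN)


def vulnerable_process_heartbeat(memory: bytes, record_length: int) -> Optional[bytes]:
    """Mirrors OpenSSL 1.0.1f: the declared payload_length is trusted and
    record_length (how many bytes really arrived) is never consulted."""
    hbtype = memory[0]
    (payload_length,) = struct.unpack(">H", memory[1:3])
    if hbtype != HEARTBEAT_REQUEST:
        return None
    # Equivalent of memcpy(bp, pl, payload): copies payload_length bytes from
    # the start of the payload, running past the record into adjacent memory.
    payload = memory[3:3 + payload_length]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", payload_length)
            + payload + b"\x00" * PADDING_LEN)


def fixed_process_heartbeat(memory: bytes, record_length: int) -> Optional[bytes]:
    """Mirrors the 1.0.1g fix: two bounds checks, then the same copy."""
    # A record too short to hold type + length + padding is silently dropped.
    if record_length < 1 + 2 + PADDING_LEN:
        return None
    hbtype = memory[0]
    (payload_length,) = struct.unpack(">H", memory[1:3])
    # The declared payload plus header and padding must fit in the record.
    if 1 + 2 + payload_length + PADDING_LEN > record_length:
        return None
    if hbtype != HEARTBEAT_REQUEST:
        return None
    payload = memory[3:3 + payload_length]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", payload_length)
            + payload + b"\x00" * PADDING_LEN)


def leaked_bytes(response: Optional[bytes], payload_sent: bytes) -> bytes:
    """Whatever the response echoed beyond the payload the client really sent."""
    if response is None:
        return b""
    echoed = response[3:-PADDING_LEN]
    return echoed[len(payload_sent):]


def demo() -> dict:
    """Run an honest 4-byte heartbeat and a Heartbleed-style one against both handlers."""
    honest = build_heartbeat_request(b"ping")
    attack = build_heartbeat_request(b"ping", claimed_length=0x4000)  # claims 16 KiB
    results = {}
    for name, record in (("honest", honest), ("attack", attack)):
        memory = record + NEIGHBOURING_SECRETS  # record sits just before the secrets
        results[name] = {
            "vulnerable": leaked_bytes(vulnerable_process_heartbeat(memory, len(record)), b"ping"),
            "fixed": leaked_bytes(fixed_process_heartbeat(memory, len(record)), b"ping"),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        for handler, leak in outcome.items():
            print(f"{name:7s} {handler:10s} leaked {len(leak):3d} bytes: {leak[:60]!r}")
```

Running it shows the honest heartbeat echoed correctly by both handlers with nothing extra, while the forged one makes the vulnerable handler return the request padding followed by the cookie and key fragment, and the fixed handler returns nothing at all. The real attack repeats this thousands of times against a live heap, which is why the leaked contents vary from one heartbeat to the next and why the private key eventually turns up.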
Has your website been affected by Heartbleed? Share your story with us; leave a comment.