Last week’s headliner was the Heartbleed bug, a security flaw found in OpenSSL, which is used to encrypt information such as usernames, passwords and cookies being passed between web servers. Reports are saying this may be one of the most serious security breaches the Internet has ever seen. So, here’s an overview of the bug and how we recommend InReach clients respond.
How does it work?
Engadget had the best simplified explanation:
Heartbleed exploits a built-in feature of OpenSSL called heartbeat. When your computer accesses a website, the website will respond back to let your computer know that it is active and listening for your requests: this is the heartbeat. This call and response is done by exchanging data. Normally when your computer makes a request, the heartbeat will only send back the amount of data your computer sent. However, this is not the case for servers currently affected by the bug. The hacker is able to make a request to the server and request data from the server’s memory beyond the total data of the initial request, up to 65,536 bytes.
Hence, the name Heartbleed.
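The length check that heartbeat handling needs, as an added example (not from the original post, and not OpenSSL's own code): a simplified C handler that drops any request whose stated payload length is larger than what actually arrived. The function names, the constants and the zero-filled padding are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3    /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING  16   /* minimum padding after the payload (RFC 6520) */

/* Echo the heartbeat request in rec[0..rec_len) into out.
 * Returns bytes written, or -1 when the request is silently dropped. */
long hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The missing check: the claimed length must fit inside what arrived. */
    if (HB_HEADER + claimed + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* only received bytes */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);   /* zeros here; real padding is random */
    return (long)resp_len;
}

/* Constructed sample: a request that carries `actual` payload bytes
 * but states `claimed` in its length field. Returns hb_respond()'s result. */
long hb_try(uint16_t claimed, size_t actual)
{
    static uint8_t req[HB_HEADER + 65535 + HB_PADDING], out[sizeof req];
    if (actual > 65535) return -1;
    memset(req, 0, sizeof req);
    req[0] = HB_REQUEST;
    req[1] = (uint8_t)(claimed >> 8);
    req[2] = (uint8_t)(claimed & 0xff);
    memset(req + HB_HEADER, 'A', actual);
    return hb_respond(req, HB_HEADER + actual + HB_PADDING, out, sizeof out);
}

int main(void)
{
    printf("honest 4-byte request  -> %ld\n", hb_try(4, 4));
    printf("claims 65535, sends 4  -> %ld\n", hb_try(0xFFFF, 4));
    return 0;
}
```

Without the comparison against `rec_len`, the `memcpy` would read past the end of the received record and return whatever sat next to it in memory.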
Is my InReach site affected?
InReach clients are unaffected by the Heartbleed vulnerability because we do not use OpenSSL for our certificates. However, our IT team has recommended that all customers and employees change passwords. That’s right folks, better safe than sorry. Heartbleed is no joke, so making up a few new alphanumeric passwords is way better than the alternative.
Read more about how to protect yourself against the Heartbleed bug >>
What other websites were affected?
Mashable has been compiling an exhaustive list across social networks, companies, email providers, stores and e-Commerce sites, banks, etc. See what sites are reporting a security breach.
Why are other sites not affected?
According to CNET:
Although OpenSSL is very popular, there are other SSL/TLS options. In addition, some Web sites use an earlier, unaffected version, and some didn’t enable the “heartbeat” feature that was central to the vulnerability.