Last Monday it was revealed that a number of websites using SSL encryption, including YouTube, Dropbox and Gmail, were exposed to a major security bug in OpenSSL known as Heartbleed. SSL is recommended for any website that handles sensitive data, and it’s compulsory for websites that process credit card data to have an SSL certificate. If you use an SSL connection to connect to websites, email or other applications such as cPanel, WHM and webmail, you’ll normally see the “lock” symbol appear in your web browser.
The bug was discovered by a Google engineer and the Finnish security firm Codenomicon, who revealed that the flaw had existed in OpenSSL for more than two years. The security vulnerability is thought to have initially affected several million web servers.
So what exactly is the Heartbleed Bug?
Heartbleed is a security vulnerability where a hacker can send a request to an SSL-secured website, and vulnerable versions of the OpenSSL security software running on the web server will send a response back to the hacker that exposes the SSL private keys. The SSL private keys are what the server uses to decrypt sensitive data, so they must be kept secret. There is no way of knowing whether a website has already been exposed, because the Heartbleed bug leaves no trace. The affected companies have released, or are working on releasing, a software patch to fix this error, and users are then encouraged to change their password. See an informative visual of how the Heartbleed Bug works here.
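To make the description above concrete, here is an added example (not OpenSSL's own code, and not from the original post) that simulates the defect in a few dozen lines of C. A heartbeat request carries a length field saying how much payload should be echoed back; the vulnerable handler trusts that field and copies that many bytes from wherever the payload sits in memory, so a request that claims more payload than it sent is answered with whatever the server happened to hold next to it. The fixed handler applies the same check that OpenSSL 1.0.1g added: if the message does not actually contain the bytes it claims, it is silently discarded. The `memory` array, `SECRET` and `PAYLOAD` are constructed placeholders standing in for process memory; all reads stay inside that array so the over-read is visible without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated slice of the server process's memory (constructed, not real).
   The received heartbeat record is written at the start; whatever the
   process kept next to it (here a placeholder, not a real key) follows.
   Every read stays inside this array, so the over-read is observable safely. */
#define MEM_SIZE 128
static unsigned char memory[MEM_SIZE];

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HDR_LEN = 3, PADDING_LEN = 16 };

/* Constructed sample values. */
static const char SECRET[] = "-----PLACEHOLDER PRIVATE KEY-----";
static const char PAYLOAD[] = "hi";

/* Lay out a heartbeat request at memory[0]: type(1) | payload_length(2, big-endian)
   | payload | 16 bytes of padding, followed by the unrelated SECRET. claimed_len is
   what the sender writes into the length field; the payload actually sent is PAYLOAD.
   Returns the number of bytes really received (the record length). */
static size_t build_request(uint16_t claimed_len)
{
    size_t n = strlen(PAYLOAD);
    size_t record_len = HDR_LEN + n + PADDING_LEN;
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + HDR_LEN, PAYLOAD, n);
    memcpy(memory + record_len, SECRET, sizeof SECRET); /* 21 + 34 bytes fit in MEM_SIZE */
    return record_len;
}

/* Shared tail of both handlers: echo `len` bytes starting at the payload, then padding. */
static int send_response(uint16_t len, unsigned char *resp, size_t resp_cap)
{
    size_t out = HDR_LEN + (size_t)len + PADDING_LEN;
    if (out > resp_cap || HDR_LEN + (size_t)len > MEM_SIZE)
        return -1;                      /* simulator bound only, not part of either handler */
    resp[0] = HB_RESPONSE;
    resp[1] = memory[1];
    resp[2] = memory[2];
    memcpy(resp + HDR_LEN, memory + HDR_LEN, len); /* reads past the record when len > payload */
    memset(resp + HDR_LEN + len, 0, PADDING_LEN);
    return (int)out;
}

/* Vulnerable handler (pre-1.0.1g behaviour): trusts the length field in the
   message and never compares it with how many bytes actually arrived. */
static int process_heartbeat_vulnerable(size_t record_len, unsigned char *resp, size_t resp_cap)
{
    (void)record_len;                   /* ignored: that is the bug */
    uint16_t claimed = (uint16_t)((memory[1] << 8) | memory[2]);
    return send_response(claimed, resp, resp_cap);
}

/* Fixed handler: the check the 1.0.1g patch added. A message that claims more
   payload than it carries is silently discarded (return 0, no response). */
static int process_heartbeat_fixed(size_t record_len, unsigned char *resp, size_t resp_cap)
{
    if (record_len < HDR_LEN + PADDING_LEN)
        return 0;                       /* too short to even hold a length field */
    uint16_t claimed = (uint16_t)((memory[1] << 8) | memory[2]);
    if (HDR_LEN + (size_t)claimed + PADDING_LEN > record_len)
        return 0;                       /* claims bytes that never arrived: discard */
    return send_response(claimed, resp, resp_cap);
}

/* Does the response contain bytes that were never part of the request payload? */
static int contains(const unsigned char *hay, int hay_len, const char *needle)
{
    size_t n = strlen(needle);
    if (hay_len < 0 || (size_t)hay_len < n) return 0;
    for (size_t i = 0; i + n <= (size_t)hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Run one request through a handler: returns the response length (0 = discarded,
   -1 = simulator limit) and sets *leaked if the response carried SECRET. */
static int run(int (*handler)(size_t, unsigned char *, size_t), uint16_t claimed, int *leaked)
{
    unsigned char resp[MEM_SIZE];
    int n = handler(build_request(claimed), resp, sizeof resp);
    *leaked = contains(resp, n, SECRET);
    return n;
}

/* 2-byte payload, length field says 64: the vulnerable handler echoes the secret. */
int vulnerable_handler_leaks(void)  { int l; run(process_heartbeat_vulnerable, 64, &l); return l; }
/* Same malformed request against the fixed handler: discarded. */
int fixed_handler_malformed_len(void) { int l; return run(process_heartbeat_fixed, 64, &l); }
/* A well-formed request (length field matches the payload) is still answered. */
int fixed_handler_honest_len(void)  { int l; return run(process_heartbeat_fixed, 2, &l); }

int main(void)
{
    printf("vulnerable handler leaked the secret: %d\n", vulnerable_handler_leaks());
    printf("fixed handler, malformed request, bytes sent: %d\n", fixed_handler_malformed_len());
    printf("fixed handler, honest request, bytes sent: %d\n", fixed_handler_honest_len());
    return 0;
}
```

The point to notice is that the fix is a single comparison between the length the peer claims and the length the server actually received; nothing in the cryptography was broken, and no amount of stronger ciphers or longer keys would have helped. That is also why the bug leaves no trace: a request of this shape is a perfectly ordinary heartbeat as far as the server's logging is concerned.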
What steps do I need to take?
UPDATE: The original advice once the bug was discovered was to immediately change your password. It is now recommended that you do not change your password until the site you are logging into has put the fix in place, or else you risk exposing your password and account details to any potential hacker.
You should be aware of the security vulnerability and take sensible steps to stay safe online. Many sites have now put fixes in place – after the discovery, the OpenSSL software was rapidly patched, and as of version 1.0.1g the problem no longer exists. Some sites, such as Pinterest, may have encouraged you to change your password as a precautionary measure; we recommend you do this regularly anyway, and don’t leave passwords on post-it notes or notepads. If your website uses SSL encryption and you have concerns about the security of the site, you should contact the person who manages your website.
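For whoever manages the web server, the practical check behind "as of version 1.0.1g the problem no longer exists" is to read the version string that `openssl version` prints and classify it. The function below is an added example (not part of the original post and not an OpenSSL API); it encodes the affected range as published by the OpenSSL project: the 1.0.1 series up to and including 1.0.1f, plus the 1.0.2-beta1 pre-release, with 1.0.1g as the first fixed release. The version strings in `main` are constructed samples.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Classify an OpenSSL version string, either bare ("1.0.1f") or as printed by
   `openssl version` ("OpenSSL 1.0.1f 6 Jan 2014").
   Returns 1 for a Heartbleed-affected release (1.0.1 through 1.0.1f, and 1.0.2-beta1),
   0 for an unaffected one (1.0.1g and later, 1.0.2-beta2 and later, and the
   older 0.9.8 / 1.0.0 series, which never contained the heartbeat code),
   -1 if the string cannot be parsed. */
int openssl_version_vulnerable(const char *s)
{
    int major, minor, fix;
    char letter = 0;

    while (*s && !isdigit((unsigned char)*s))       /* skip a leading "OpenSSL " */
        s++;
    int fields = sscanf(s, "%d.%d.%d%c", &major, &minor, &fix, &letter);
    if (fields < 3)
        return -1;
    if (fields == 3 || !isalpha((unsigned char)letter))
        letter = 0;                                 /* "1.0.1" with no patch letter */

    if (major != 1 || minor != 0)
        return 0;
    if (fix == 2)
        return strstr(s, "-beta1") != NULL;         /* only 1.0.2-beta1 was affected */
    if (fix != 1)
        return 0;                                   /* 1.0.0 and earlier: not affected */
    return (letter == 0 || letter < 'g') ? 1 : 0;   /* 1.0.1g is the first fixed release */
}

int main(void)
{
    /* Constructed sample strings. */
    const char *samples[] = {
        "OpenSSL 1.0.1f 6 Jan 2014",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "1.0.1",
        "1.0.1e-fips",
        "OpenSSL 1.0.0l",
        "1.0.2-beta1",
        "not a version",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %d\n", samples[i], openssl_version_vulnerable(samples[i]));
    return 0;
}
```

Two caveats a practitioner needs alongside this check. First, Linux distributions such as Debian and Red Hat shipped the fix as a backported patch without changing the version number, so a server reporting 1.0.1e may already be safe; on those systems the package changelog, not the version string, is the authority. Second, because the post notes that the private keys themselves can be exposed, installing the patch is only the first step on a server that was affected: the key should be replaced and the certificate reissued, and user sessions and passwords reset once the new certificate is in place.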
The Heartbleed bug also affected servers and networking gear. Although ActionPoint clients are unaffected by this, should you have any concerns, please get in touch with your account manager.
You can also find useful information about the vulnerability at http://heartbleed.com