Since the Heartbleed bug came to light, a great deal has been written about it in both the popular and technical press, and on blogs and websites. A simple search (for example on https://startpage.com/) will bring up pages of technical details.
From a practical point of view, the most important advice is: change your passwords. However, before doing this, make sure the site has confirmed that it has fixed the bug. There is no point changing a password on a site that is still vulnerable: the new password can be leaked from the server's memory just as the old one could, so a bit of forward planning is crucial.
Take a systematic approach to changing passwords
If you’ve been using the internet for any length of time (over a week), you will have probably registered on at least one site. If you’ve been using it any longer, you’ll have registered on multiple sites.
Broad Categories
Break your browsing habits into broad categories. For starters I’d suggest:
- Banks and financial institutions
- Social Media
- ISP and email sites
- Retail and online shopping
Next, think about the other types of sites you visit. In my case I started adding categories like:
- Fitness tracking
- e-learning
- Media
By identifying general categories, it is easier to remember the wide range of sites that you have signed up for.
There are a few places you can look for clues to find the sites you have registered with:
- Your email. Once you've registered with a site, you will usually receive a confirmation email. If you've kept these, they may jog your memory. Many sites also send out mail shots. Over the next few weeks, check the sender's site for each of these mail shots to see whether you actually had to register with a password.
- Your browser's form or password cache. If you are using Firefox, go to Preferences->Security->Saved Passwords to get a list of all the sites for which the browser has saved a login.
- Memory: by grouping the sites into categories, I was able to remember the sites I use more easily
Prioritise your changes
Next, assign a risk level to each site. I use a simple 1 (low) to 5 (high) scale. This just gives you an idea of which sites you should do first.
Things to consider are:
- Financial information. Not just banks; remember many shopping sites store your card/bank details also.
- Location: sports tracking sites may expose your address
- Social networking sites: Lots of personal information is potentially held here
- Email providers (google, yahoo etc). Emails can contain lots of personal information
- Membership sites. Depending on the type of club or association, you might feel that it is a higher risk
- ISP sites. You don’t want anyone hijacking your internet connection
- Utilities. These may hold payment details (bank accounts, credit/debit cards), plus address information
There is no one correct answer for any class of site. For example, many banks use smartcard challenge-response readers, so the code you type in is different every time and a leaked one is of little use later. Larger financial institutions also tend to be more proactive in addressing security issues and have dedicated security teams. Smaller retailers may pose more of a risk.
Two Factor Authentication
Some sites (for example Google Mail, eBay, Facebook) offer a process called Two Factor Authentication (or two-step verification). These use a combination of a password plus some other method to verify you. Often this is linked to your mobile/cell phone number: to complete the sign-in, the site sends a one-time code to your phone, which you type in alongside your password.
As you are changing all these passwords, it is worth considering using two factor authentication for the more sensitive sites.
But wait ….
Before you pull the trigger and start the process of changing all these passwords, you need to check that the site has fixed the bug.
The first place to check is the website itself. Many websites will have a banner box telling you if they have updated the vulnerable software. If you are very lucky, the owners may have actually sent you an email informing you that you need to change your password.
If you have received such an email, do not just click on a link in it. A high-profile problem like this will generate a lot of fake "change your password" messages from cyber-criminals. Instead, type the site's address into the browser yourself and follow the instructions there to update your password.
If you can’t find out from the website, you will need to do a little more investigation yourself. Thankfully, there are easy ways to check if the site is safe.
Browser Add-Ons
Any Browser
This isn't an add-on but a website that lets you enter any web address and reports back whether that server is still vulnerable. Go to Filippo Valsorda's online Heartbleed checker at https://filippo.io/Heartbleed/ and enter the site you want to check.
Using Chrome
The Chrome browser has an easy-to-use app provided by Trend Micro.
To install this, go to Settings->tools->extensions
At the bottom of your extension list is a link, Get more extensions. Click on this to go to Chrome's app store.
In the store, type heartbleed into the search box. My search brought up three apps, plus several extensions (not all shown on this screenshot).
Clicking on the Trend Micro application's + FREE button will bring up the install window. Once it is installed, it is as easy as running the app to check the sites.
The app runs in its own separate window, so it is easy to keep to one side of your desktop and check the site before changing your password.
Using Firefox
There are also Firefox add-ons. However, the reviews of these are poor, and at least one of the extensions simply forwards the check to Filippo Valsorda's website.
If you do decide to use a Firefox extension, go to the tools menu and select Add-Ons. In the search box at the top right, type heartbleed to search for the add-ons.
My preference is to check the site by using the Trend Micro Chrome app or Filippo Valsorda's website directly.
Example layout
Here is the layout I used to record my details. This was a simple spreadsheet, though you could use a text editor or word processor also.
Passwords

| Address | Checked | Risk | Username/email | Password changed |
|---|---|---|---|---|
| Financial Sites | | | | |
| Bank 1 | Yes | 5 | Myname1125 | Yes |
| Bank 2 | No | 5 | nameofme@mydomain.com | No |
| Retail Sites | | | | |
| amason | No | 3 | abuyer | No |
| fbay | Yes | 4 | nameofme@mydomain.com | No |
| morestuff | Yes | 5 | mebuymore | Yes |
| Social Networks | | | | |
| facecodex | Yes | 4 | johnnybgoode | Yes |
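If the list gets long, the same layout can drive a short script that tells you what to do next. The following is an added example, not part of the original post: it reads the table as CSV and applies the rules from the text, hold off on any site whose fix is not yet confirmed, change the rest in descending order of risk, and flag sites where the password was changed before the fix was confirmed, since those need changing again. The CSV is constructed from the table above plus one extra row (`webmail`) added to show that last case.

```python
"""Added example (not from the original post): triage a Heartbleed password
inventory kept in the Address/Checked/Risk/Username/Password-changed layout."""
import csv
import io

# Constructed from the table in the post; the final row is an extra,
# made-up entry showing a password changed before the site was confirmed fixed.
INVENTORY_CSV = """\
Address,Checked,Risk,Username/email,Password changed
Bank 1,Yes,5,Myname1125,Yes
Bank 2,No,5,nameofme@mydomain.com,No
amason,No,3,abuyer,No
fbay,Yes,4,nameofme@mydomain.com,No
morestuff,Yes,5,mebuymore,Yes
facecodex,Yes,4,johnnybgoode,Yes
webmail,No,4,nameofme@mydomain.com,Yes
"""


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def load_inventory(text: str) -> list:
    """Parse the CSV; category-only rows (no Risk value) are skipped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if not row.get("Risk", "").strip():
            continue
        rows.append({
            "site": row["Address"].strip(),
            "checked": _yes(row["Checked"]),
            "risk": int(row["Risk"]),
            "user": row["Username/email"].strip(),
            "changed": _yes(row["Password changed"]),
        })
    return rows


def triage(rows: list) -> tuple:
    """Return (change_now, hold, change_again, done), each highest risk first.

    change_now   : fix confirmed, password still the old one
    hold         : fix not confirmed, changing now gives no protection
    change_again : password changed before the fix was confirmed, so the
                   new one may have leaked too; change it once the site is fixed
    done         : fix confirmed and password changed afterwards
    """
    by_risk = lambda r: -r["risk"]
    change_now = sorted((r for r in rows if r["checked"] and not r["changed"]), key=by_risk)
    hold = sorted((r for r in rows if not r["checked"] and not r["changed"]), key=by_risk)
    change_again = sorted((r for r in rows if not r["checked"] and r["changed"]), key=by_risk)
    done = sorted((r for r in rows if r["checked"] and r["changed"]), key=by_risk)
    return change_now, hold, change_again, done


def report(text: str = INVENTORY_CSV) -> str:
    change_now, hold, change_again, done = triage(load_inventory(text))
    sections = [("CHANGE NOW (fix confirmed)", change_now),
                ("HOLD until the site confirms its fix", hold),
                ("CHANGE AGAIN once fixed (changed too early)", change_again),
                ("DONE", done)]
    lines = []
    for title, items in sections:
        lines.append(title)
        lines.extend(f"  risk {r['risk']}: {r['site']} ({r['user']})" for r in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Keeping the "Checked" and "Password changed" columns separate is what makes the third bucket possible; a single "done" column would hide the sites that were changed too early.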
Finally, this will take some time. It took me a couple of hours to compile the list and change the passwords, plus there were many sites whose password I'd forgotten, so I needed to go through the whole password reset process as well.
I'm in two minds about recording passwords in a spreadsheet. Holding all these passwords in one place is of course a risk in itself, and there's no guarantee that the password protection in the spreadsheet application is safe either (search for "recover excel password" to see the tools available). On the other hand, I have so many passwords that I will either use the same password on multiple sites (bad), or I'll forget them and just resign myself to using the password recovery process a lot.