It seems the tech talk around the world over the past week has been Heartbleed. This newly discovered security vulnerability puts users’ passwords at many popular websites at risk of being exploited. Even this morning at our office space for lease, small business owners are talking about this latest security problem and are asking questions.
Heartbleed is the name for a vulnerability in the OpenSSL (Open Source Secure Sockets Layer) encryption model that is used by many popular websites, such as Google, Facebook, Yahoo and the Canada Revenue Agency, along with many others. When you connect to one of these trusted websites, the extend “handshake” between your computer and the web server that sets up the secure connection changes the http to https in the address bar and adds the little picture of the lock to let you know you have a safe connection. Read more about Heartbleed at Heartbleed.com
While mostly individuals and website developers are talking about Heartbleed, many small businesses who utilize the internet are also concerned. Small business owners not only have to worry about their own personal data security, but also their company data. This is especially true if they are using an online CRM (Customer Relations Manager) that may contain private information about their clients. If their CRM password is exposed by this vulnerability, they could find their entire business exposed to hackers.
Heartbleed is an extremely serious issue, and as such, there’s a lot of confusion about the bug and how it affects business use the Internet. While it specifically means that a user’s sensitive personal data (including usernames, passwords and credit card information) is potentially at risk of being intercepted from sites they use, not much is actually being publicized about how to protect yourself.
There are also differing strategies of whether to change passwords, though the security researchers who first discovered the bug have recently advised people to change all of their passwords. However, other security experts are advising consumers to wait, warning users not to change passwords while sites are still vulnerable to Heartbleed. These experts feel that changing passwords will also expose the new password too.
How do I check if a website has been affected or fixed?
There are a few companies and independant developers who have created testing sites to check which websites are vulnerable or safe from Heartbleed. A few good ones are by LastPass, that makes password management software, and Filippo Valsorda, an Italian consultant specializng in cryptography and security. While these test sites are a good preliminary check, you should still continue to proceed with caution, even if the sites you check with them are given an all-clear indication.
When the sites you use are deemed safe from Heartbleed vulnerability, choosing a good new password is very important – but more crucial, there are some rules you should consider. Do not recycle an old password, do not use a password that is less than 8 characters, and do not use a password that is a real word. Read our blog about creating a good and secure password: “How to Make Your Office Space Toronto Password Stronger“.