Many of you have read or heard about the Heartbleed bug in recent days. If not on Facebook or from your friends, it is likely that you received some information from at least one of the internet services you are using.
However, I have seen quite a bit of confusion among my photographer friends about what the problem actually is and whether it affects us. So I decided to sum up what I know about it and what we have to do now.
What is Heartbleed?
First of all: Heartbleed is not a virus. It is not something you can accidentally download, and it will not mess up your computer or anything like that. It is a security-relevant bug: a piece of code that does a legitimate job but was written in a way that lets an attacker abuse it to receive more data than was ever intended.
Does it affect your computer? For a normal desktop user, no. That also means you do not have to update your anti-virus software or run any program on your computer to make sure you are not affected. So please do not follow instructions that invite you to download a "Heartbleed security update" or "Heartbleed checker". In fact, you could infect your computer with a real virus if you do so.
The Heartbleed bug is part of a software library called OpenSSL that matters mainly on servers, namely web servers that offer secure socket layer (SSL, today called TLS) connections. SSL is what is used when your computer and a website talk to each other securely. It is used by most big websites, like Facebook, Google, Instagram etc.
Why is it called Heartbleed? The bug is in a function called "Heartbeat", which does nothing more than keep a secure connection alive: one side sends a small message, the other side sends the same message straight back, and that is repeated regularly so the line stays open. This function is part of open-source software that is developed by volunteers around the globe and can be used for free. That is the reason why this particular software is installed on almost two thirds of all web servers.
We use this kind of service every day: Most of the times when we are accessing secure data, entering a password somewhere or reading our emails. In those cases, the traffic between your computer and the server you are using is being encrypted by a key. So if I was to read the traffic between you and your email provider, I would only get gibberish code that I can not read – unless I have the key to decode that gibberish stuff.
Now here is the dangerous part: The Heartbleed bug does not break the encryption itself, but it lets an attacker trick the server into sending back a chunk of its working memory (up to 64 KB per request) along with the heartbeat reply. That memory contains whatever the server was handling at that moment, already decrypted: other people's usernames and passwords that were just submitted, session cookies, and in the worst case the server's secret key itself, which would let the attacker decode recorded traffic. It cannot be targeted, so I can't command the server to send me your password. But I could repeat the request again and again all day, without leaving a trace in the server's normal logs, until something useful turns up. And eventually I might find your password somewhere in the middle.
Here is a comic that pictures the basic function of the heartbleed bug.
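To show the mechanism behind that explanation in working code, here is a small simulation written for this page (it is not OpenSSL's code, and it is not an exploit you could point at a real server). A heartbeat request carries a length field that says how many bytes of payload follow; the buggy server trusted that field and copied that many bytes into the reply, no matter how many bytes the client had really sent. The arena array, the "secret" string and the request contents are constructed for the demo; the bounds check in the fixed handler is the one OpenSSL 1.0.1g added.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated server memory. The incoming heartbeat record is parsed at the
 * start of this arena; the bytes after it stand in for whatever else the
 * server happened to keep nearby (here a constructed "secret"). */
#define ARENA_SIZE 256
static uint8_t arena[ARENA_SIZE];

/* A heartbeat record (RFC 6520): 1 byte type, 2 byte big-endian payload
 * length, the payload, then padding (padding omitted in this demo). */
#define HB_REQUEST 1
#define HB_HEADER_LEN 3

/* Constructed data standing in for a real session cookie and password. */
static const char SECRET[] = "session=abc123; password=hunter2";

/* Write a request into the arena. claimed_len is what the sender puts in the
 * length field; actual_len is how many payload bytes really follow. Returns
 * the record length as the TLS record layer would report it. */
size_t build_request(uint16_t claimed_len, const uint8_t *payload, size_t actual_len)
{
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(&arena[HB_HEADER_LEN], payload, actual_len);
    /* Place the secret a little after the record, as unrelated data would be. */
    memcpy(&arena[HB_HEADER_LEN + actual_len + 8], SECRET, sizeof SECRET - 1);
    return HB_HEADER_LEN + actual_len;
}

static size_t claimed_payload_len(void)
{
    return (size_t)((arena[1] << 8) | arena[2]);
}

/* Vulnerable handler: trusts the length field and never compares it with
 * record_len, so it copies whatever follows the real payload into the reply.
 * The clamp to ARENA_SIZE only keeps this demo inside defined memory; the
 * real code had no clamp and read past its heap buffer. Returns bytes copied. */
size_t heartbeat_vulnerable(size_t record_len, uint8_t *out, size_t out_cap)
{
    (void)record_len;
    size_t n = claimed_payload_len();
    if (n > ARENA_SIZE - HB_HEADER_LEN) n = ARENA_SIZE - HB_HEADER_LEN;
    if (n > out_cap) n = out_cap;
    memcpy(out, &arena[HB_HEADER_LEN], n);
    return n;
}

/* Fixed handler: if the claimed length does not fit inside the record that
 * actually arrived, drop the request and reply with nothing. */
size_t heartbeat_fixed(size_t record_len, uint8_t *out, size_t out_cap)
{
    size_t n = claimed_payload_len();
    if (HB_HEADER_LEN + n > record_len) return 0;
    if (n > out_cap) n = out_cap;
    memcpy(out, &arena[HB_HEADER_LEN], n);
    return n;
}

/* Does the reply contain needle? (memmem is not in standard C.) */
int reply_contains(const uint8_t *reply, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(reply + i, needle, m) == 0) return 1;
    return 0;
}

/* Send a 4-byte "ping" that claims 200 bytes; return 1 if the reply leaks
 * the secret, 0 if not. use_fixed selects which handler answers. */
int malicious_request_leaks_secret(int use_fixed)
{
    uint8_t out[ARENA_SIZE];
    const uint8_t ping[] = "ping";
    size_t rec = build_request(200, ping, 4);
    size_t n = use_fixed ? heartbeat_fixed(rec, out, sizeof out)
                         : heartbeat_vulnerable(rec, out, sizeof out);
    return reply_contains(out, n, "password=hunter2");
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n",
           malicious_request_leaks_secret(0) ? "yes" : "no");
    printf("fixed handler leaks secret: %s\n",
           malicious_request_leaks_secret(1) ? "yes" : "no");
    return 0;
}
```

The point to take from the demo: nothing is decrypted and no password is "hacked"; the server simply answers a 4-byte question with 200 bytes, and the extra 196 bytes are whatever it had lying around, which is why the attacker cannot choose what comes back but can keep asking.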
What do we have to do to solve the problem?
First of all, there is not much we as users can do. The owners of the servers have to update their software first. This can be done quickly, and for the big services (like Google, Yahoo) it is already done. The bigger problem, especially for the not-internet-giants, is that their secret key may already have been exposed. Since the attack leaves no trace in normal server logs, they cannot find out whether someone abused it, so they have to assume the worst: generate a brand-new key, have a new certificate issued by one of the certificate authorities, and revoke the old one. This might take a few days.
Once that is finished, all new exchange of data between you and your services will be secure again. However, as explained above, someone might already have found your username and password. And here is the dangerous part for most of us: we use the same username (often just our email address) and password combination for many services, mostly because we just cannot remember 50 different passwords for services we only use once a month. So, knowing your email address and password, I might not only get access to one of the services you use but to 50 different ones.
So, the best thing to do is to change the passwords for all affected services, but only after a service has confirmed that it has fixed the bug; a password changed on a server that is still vulnerable could leak just like the old one. We do not yet know all the services that were affected; most of them will only communicate the problem after they have solved it, since anything else would only attract unwanted attention. But personally, I have to assume that at least one of the stock agencies I am supplying was affected. And yes, for me that means someone might have the login name and password that could grant them access to all my microstock accounts.
There is a list on Mashable with the most important services and statements if they were affected or not.
What is a safe password for the future?
I am usually pretty relaxed about the security issues we have had to deal with in the past. However, the Heartbleed bug is really a big issue and made me rethink my password strategy. I will no longer use the same password for different services if they are sensitive (email, social networks) or money related (all my agencies).
The good thing is that most attacks are automated. While there is always a danger that someone in your personal environment might want to harm you, the attacks we are talking about here try to break into masses of accounts at once: a leaked email address and password gets tried, by a script, against hundreds of other services. There is no one sitting at a desk trying to figure out your password. In that context, it is a small relief that such scripts mostly test the exact combination they stole: if I used "abcdef" as a password for one service, "abCdef" on a different service would not match. That only helps against the crudest attacks, though, since lists of common variations exist too.
I have been using passwords of eight characters minimum for a long time. I also use a mix of small and capital letters, at least one number and at least one special character; something like "aB3.efG" already covers all four groups, though it is one character short of my own minimum, and longer is always better. If you want to memorize a password, you might want to make it a bit less random. A good idea is to come up with a sentence in your mind like "no 2 passwords are the same for the services I use" and abbreviate it with the first character of each word: "n2patsftsIu".
And if you have a series of similar services, you can come up with a sentence that you vary per service: "Try to guess my Shutterstock password? No chance!" turns into "TtgmSp?Nc!", and for iStock I could use "TtgmIp?Nc!". That is different enough that a leaked Shutterstock password tried automatically at iStock will not match, although a human who sees one of them could easily guess the pattern for the others.
Is this totally safe? No, nothing in life is. If you want maximum security, you could generate a random password for each service you use. But then, most likely, you would have to write them down somewhere or use a password manager to store them, which exposes you to a different risk. To me, the better solution is to memorize an adaptable password that works for all the online places important to me.
I hope this helped some of you to understand the problem and potential solution of Heartbleed.