Monday, April 14, 2014

Heartbleed: A problem with the plumbing

Over the next few weeks, companies will be saying words like Heartbleed, OpenSSL, and certificate, and telling you to change your passwords. Change them. Change them all.
This is a great opportunity to fire up your password manager (yes, get a password manager) and make sure you're not reusing passwords in multiple places. 
As with any good security flaw, there's nothing you could have done to avoid the 'Heartbleed' (CVE-2014-0160) bug, which became public Monday night. It's a server problem.
An attacker could, without leaving a trace, go fishing in the server's active memory and retrieve up to 64k of whatever's there each time they ask.
This could include logins & passwords, other personal data, or certificate private keys, which form the foundation of online authentication.
Once the servers have been updated, change your password. Visit heartbleed.com for all the gory details.
It's impossible to know how widely exploited this hole was. The only safe option is to assume it's all compromised.
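Where "up to 64k each time they ask" comes from, shown as an added illustration (not OpenSSL's code and not part of the original post): the TLS heartbeat message defined in RFC 6520 carries a 16-bit length field supplied by the peer, and the server echoed that many bytes back without comparing it to what was actually received. The arena layout, function names and sample data below are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HDR 3   /* type (1 byte) + payload_length (2 bytes), RFC 6520 */
#define HB_PAD 16  /* minimum padding required after the payload */

/* Constructed stand-in for server memory: a received heartbeat record
 * followed by unrelated data that happens to sit next to it. */
struct arena { uint8_t bytes[64]; size_t rec_len; };

static struct arena make_arena(uint16_t claimed_len) {
    struct arena a;
    memset(&a, 0, sizeof a);
    a.bytes[0] = 1;                          /* heartbeat_request */
    a.bytes[1] = (uint8_t)(claimed_len >> 8);
    a.bytes[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(a.bytes + HB_HDR, "hi", 2);       /* actual payload: 2 bytes */
    a.rec_len = HB_HDR + 2 + HB_PAD;         /* bytes really received */
    memcpy(a.bytes + a.rec_len, "SECRET=constructed", 18);
    return a;
}

/* Pre-fix behaviour: echo as many bytes as the peer claims to have sent.
 * Returns bytes copied to out. (Clamped to the arena so the demo is
 * well-defined C; a real process has no such clamp.) */
static size_t echo_unchecked(const struct arena *a, uint8_t *out) {
    size_t n = ((size_t)a->bytes[1] << 8) | a->bytes[2];
    if (n > sizeof a->bytes - HB_HDR) n = sizeof a->bytes - HB_HDR;
    memcpy(out, a->bytes + HB_HDR, n);
    return n;
}

/* Fixed behaviour: drop the message unless header + claimed payload +
 * padding fit inside the record that was actually received. */
static size_t echo_checked(const struct arena *a, uint8_t *out) {
    size_t n = ((size_t)a->bytes[1] << 8) | a->bytes[2];
    if (HB_HDR + n + HB_PAD > a->rec_len) return 0;  /* discard silently */
    memcpy(out, a->bytes + HB_HDR, n);
    return n;
}

int main(void) {
    uint8_t out[64];
    struct arena a = make_arena(40);         /* claims 40, sent 2 */
    printf("unchecked: %zu bytes\n", echo_unchecked(&a, out));
    printf("checked:   %zu bytes\n", echo_checked(&a, out));
    return 0;
}
```

The unchecked echo returns the two real payload bytes, the padding, and then the neighbouring data; the checked echo returns nothing for the same request and still answers an honest one.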
[Comic: "Are you still there, server? It's me, Margaret." (xkcd.com)]

Password management software will reduce the cognitive overhead of these changes, and make it easy for you to use different long, incomprehensible passwords at every site you visit.
Take care of your plumbing. Rome was built on two goddesses: Venus (love & beauty) and Cloacina (the sewer/infrastructure). Without the Cloaca Maxima (the main storm sewer), the Roman Forum is a swamp, without love or beauty.

You don't get the beauty of the internet without the infrastructure that supports it, and sometimes that needs a little maintenance. Do your part. Change your passwords.
