Heartbleed for the desktop

Heartbleed is a recently discovered security flaw that affects millions of web servers.

Heartbleed affects enough servers that you should just change all your web site passwords. It allows theft of the server's security key, your credentials, your session with the web site and cookies that can be used to impersonate you.

Because the security certificates could be stolen, there are some extra steps.

First, apply security updates to all of your devices: computers, laptops, tablets, and phones. Be especially vigilant about making sure web browsers and mail clients have all security updates. Please do this now, I will wait while you apply the updates.

Second, be glad this was Free Software. The software can be studied and security problems can't be ignored or suppressed. The bug was announced, the proof was given and the fix was immediately available.

Third, for each web site where you have an account either update your password or delete your account. The following task list will help you safely update your accounts.

For each web site you need to check:

  • Verify the site is not vulnerable. ( ssllabs has a test that will check web sites for you )
  • Logout of the site if you're logged in. Do this on every device that connects to the site.
  • Delete cookies for the site on whichever device will be used to reset your password. ( Firefox )
    • Delete LSOs/Flashcookies as well. Delete them on as many devices as possible. ( Firefox ).
  • Login to the web site on whichever device will be used to reset your password.
  • Change your password.
    • Use a password generator to create a new, long password. Password managers should have good password generators.
    • Use a different password for every site! When using a password manager it doesn't matter because you won't need to type the passwords.
    • Make sure to save the password manager keyfile once you add a new entry.
  • If the site has a PIN, change that as well.
    • Use a 5 or 6 digit PIN if you can.
  • If the site has security questions or anything else that can be used to authenticate, update those as well.
    • Change the questions as well as adding new answers.
    • Note the questions and answers in the site's entry in your password manager.
    • Lie. When using a password manager, there is no need to use real ( and guessable ) answers for security questions. Better yet, use random strings for the answers.
  • Check any notification mechanisms for the site to make sure only your email address, phone number, etc are in place.
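The list above asks for a generated password, a 5 or 6 digit PIN and random strings in place of real security-question answers, all recorded in the site's password-manager entry. The following Python script is an added example, not code from the original post or from KeePass/KeePassX; it shows what such a generator does under the hood, using the operating system's CSPRNG (`secrets`), and builds the record you would store for one site. The site name and the security questions are constructed sample values, and the character set and lengths are assumptions, not anything the post prescribes.

```python
import math
import secrets
import string

# Alphabet for generated passwords (assumption: letters, digits and a
# handful of symbols most sites accept).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length=24, alphabet=PASSWORD_ALPHABET):
    """Return a password of `length` symbols drawn uniformly from `alphabet`.

    secrets.choice uses the OS CSPRNG, which is what a password manager's
    generator should rely on; random.choice would not be suitable here.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_pin(digits=6):
    """Return a numeric PIN of `digits` digits; leading zeros are kept."""
    if digits < 1:
        raise ValueError("digits must be positive")
    return "".join(secrets.choice(string.digits) for _ in range(digits))


def generate_security_answer(length=16):
    """Return a random alphanumeric string to use as a security-question answer.

    Letters and digits only, so the answer survives sites that reject punctuation
    in these fields; it is stored in the password manager, never memorised.
    """
    return generate_password(length, string.ascii_letters + string.digits)


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need a positive length and at least two symbols")
    return length * math.log2(alphabet_size)


def new_account_entry(site, questions, password_length=24, pin_digits=6):
    """Build the record to keep in the password manager for one site.

    One fresh password, one fresh PIN and a random answer for every security
    question, so nothing in the entry is shared with any other site.
    """
    return {
        "site": site,
        "password": generate_password(password_length),
        "pin": generate_pin(pin_digits),
        "security_questions": {q: generate_security_answer() for q in questions},
    }


if __name__ == "__main__":
    # Constructed sample input: a site name and two typical security questions.
    entry = new_account_entry(
        "example.com", ["First pet's name?", "City of birth?"]
    )
    print(entry)
    print("password entropy (bits): %.1f"
          % entropy_bits(len(entry["password"]), len(PASSWORD_ALPHABET)))
    print("pin entropy (bits): %.1f" % entropy_bits(len(entry["pin"]), 10))
```

The entropy figures are there to make the post's advice concrete: a 24-character password from this 74-symbol alphabet carries about 149 bits, while a 6-digit PIN carries under 20 bits, which is why the PIN is only ever a secondary factor and why "long" matters more than "clever" for the password itself.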

Now that you've updated computers and accounts, apply security updates for anything else that is used to log into web sites: TVs, DVRs, printers, cars, etc.

Also change passwords for anything that used a password that had been used for a web site. For instance, if you log into your home or work computer using the same password as you use for a social media site, then change that password as well. This time use different passwords for each of the services.

Why does Free Software matter?

Thankfully this is Free Software. We have access to the code and proof of the bug. There was no need to wait on a vendor or project to approve us fixing it. Luckily, the OpenSSL project moved quickly to fix the bug, but that wasn't required.

The Free Software nature of the project enabled quick action. The bug was announced on April 7th. A bug fix was available April 7th. New packages were available April 7th. Tools for detecting the bug were available April 7th. 60% of the websites using a flawed version of OpenSSL had been updated by April 9th. That was millions of web sites updated in less than 48 hours.

In contrast, a couple of months ago a bug was found in a proprietary vendor's SSL implementation. The company's mobile product was fixed on a Friday. The desktop and laptop product was not fixed until Tuesday. That means customers were vulnerable and waiting 4+ days for a fix to a known and exploitable security flaw. In that particular case, everyone could have switched to Firefox, a Free Software web browser, rather than waiting :).

Bugs happen, but security flaws need to be immediately acknowledged and fixed! The security code also has to be auditable.

Use a Free Software password manager such as KeePass or KeePassX or you can't have much confidence that the password manager is secure.

Further Thoughts and Reading

May's PLUG meeting will have a presentation about online security, privacy and password management prominently featuring the KeePassX password manager.

Heartbleed information

xkcd illustrated explanation of Heartbleed

Heartbleed testing site

Heartbleed testing tools: Perl Python

Demonstration of hijacking data via Heartbleed

List of sites and whether or not they were vulnerable to Heartbleed
