What to do about Heartbleed as a normal (non-geek, non-tech savvy) person

No doubt by now you are aware of the aptly named ‘Heartbleed’ vulnerability that affects SSL, the ubiquitous ‘padlock’ encryption used by many internet servers to protect communications between your browser and their websites. Heartbleed is probably making your heart sink. The media, rightly so for once, has made a big thing of Heartbleed and how scary it actually is. But the advice given out has been pretty confusing for most people and could probably be summed up as ‘Change your passwords. All of them.’

While this is, in theory, good advice, it may not be that practical. I do, however, urge you to change your passwords anyway if you can. Most users don’t do this often enough, so this is a good time to take the opportunity and start following best practice. While you’re at it, try to make your new password secure. OWASP recommends a minimum 8-character alphanumeric password, although both NIST and the US DoD have more stringent requirements. See these PDFs if you’re interested in single sign-on password security: draft-sp800-118 and 852003p

More useful, though, if you are using Firefox (and if you’re not, why not?), is a plug-in released today. The free add-on for Mozilla Firefox that checks websites for vulnerability to the Heartbleed flaw was written by Tom Brennan, founder of ProactiveRISK, and you can get it here. The browser plug-in provides simple colour-coded warnings for websites that you check: Red means the site is vulnerable to Heartbleed. Green means…well, pretty obvious really. There is a yellow warning for sites that may be vulnerable.

“Like a traffic light on the Internet, it is the users’ responsibility to be proactive about risk in addition to the sysadmin defender working hard every day to put out the fire of the day,” Brennan says. “The code is open-source and a donation to the community and maybe it will stop the phone calls from users asking for suggestions to something they don’t control.”

A similar tool for Chrome was released yesterday by developer Jamie Hoyle. The Chromebleed Checker add-in for the Chrome browser also warns users of Heartbleed-vulnerable sites.
