
How Does Heartbleed Affect me?

11th April 2014
Categories: heartbleed, security

It's understandable if you're confused about what you need to do to protect your information from the Heartbleed bug, given the conflicting advice from various sources. When news of Heartbleed was released to the public on Monday 7th April, most field experts declared it a disaster and advised the public to change all their passwords immediately. Many of them later took back this advice and told people to wait a few days until software had been patched. Some websites claim they were unaffected.


So, is the bug serious? Yes, but only certain websites are affected. The flaw is not in certificates but in OpenSSL, the software library many web servers use to provide encrypted connections; versions 1.0.1 through 1.0.1f contain the bug, and 1.0.1g fixes it. According to the internet security service Netcraft, around half a million websites were exposed: roughly 17% of servers with certificates from trusted certificate authorities were running OpenSSL with the TLS 'heartbeat' extension enabled. An SSL certificate is a small data file which links a public key to an organisation's details. Sites with secure connections are those where the padlock symbol is shown in the left-hand side of the URL bar and where 'http' changes to 'https'. Such connections are used for secure card payments, data transfer, logins and secure browsing. Because the bug can expose the server's private key, a site that was vulnerable should also have its certificate reissued after patching, not just its users' passwords changed.

The heartbeat extension (RFC 6520) was written into OpenSSL at the end of 2011 and shipped in OpenSSL 1.0.1 in early 2012. It basically works as follows:

1) One end of the connection, typically the client, sends a short 'heartbeat' message to check the other end is still 'alive' and functioning. The message carries a small piece of data, e.g. the word 'house', together with a number saying how long that data is.

2) If the server is indeed functioning, it sends the same data back. If no reply arrives, there is a chance something is wrong (e.g. the website is down) and action can swiftly be taken.

Heartbleed exploits the fact that the vulnerable versions of OpenSSL never check the claimed length against the amount of data actually received. A client can send five bytes and claim it sent 65,535, and the server will reply with those five bytes followed by whatever happened to be in its memory after them, up to 64 kilobytes per request. Anyone launching such an attack cannot control which data they receive from the server, but it could happen to contain sensitive user credentials, session cookies or even the server's private key, and the request can be repeated as often as the attacker likes. Because the attack leaves no trace in normal server logs, it is virtually impossible to tell whether a site was actually attacked or what data was harvested, so sites which were running the vulnerable code during that 'window' of time will require you to change your password.
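To make the two steps above concrete, here is a small simulation of the heartbeat exchange. It is an added example written for this post, not OpenSSL's own code: the 'server memory' is a constructed byte string with the heartbeat record at the front and made-up data from another user's request placed after it (in real OpenSSL the record sits in a heap buffer and what follows is whatever the allocator put there). The vulnerable function copies the number of bytes the client claimed; the patched one applies the same length check that OpenSSL 1.0.1g added.

```python
"""Simulation of the OpenSSL heartbeat bug (CVE-2014-0160, 'Heartbleed').

Example code written for this post, not OpenSSL's implementation.  The memory
layout and the leaked 'other user' data are constructed for the demonstration.
"""
from __future__ import annotations

import struct

HB_REQUEST = 1
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding after the payload

# Constructed stand-in for data from another connection that happens to sit in
# the server's memory just after the heartbeat record (an assumption for the example).
OTHER_MEMORY = (
    b"POST /login HTTP/1.1\r\nCookie: session=7f3a9c2e\r\n\r\n"
    b"username=alice&password=correct-horse-battery\r\n"
)


def build_heartbeat(payload: bytes, claimed_len: int | None = None) -> bytes:
    """Encode a heartbeat request: type (1 byte), payload length (2 bytes,
    big-endian), the payload itself, then padding.  A lying client sets
    claimed_len larger than the payload it actually sends."""
    if claimed_len is None:
        claimed_len = len(payload)
    return struct.pack(">BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def server_memory(record: bytes) -> tuple[bytearray, int]:
    """Place the received record in the simulated memory.  Returns the memory
    and record_len, the number of bytes the TLS layer actually received."""
    return bytearray(record + OTHER_MEMORY), len(record)


def vulnerable_server(memory: bytearray, record_len: int) -> bytes:
    """OpenSSL 1.0.1 to 1.0.1f behaviour: trust the client's length field and
    copy that many bytes into the reply without comparing it to record_len."""
    _hb_type, payload_len = struct.unpack_from(">BH", memory, 0)
    return bytes(memory[3:3 + payload_len])  # over-reads when payload_len is a lie


def patched_server(memory: bytearray, record_len: int) -> bytes | None:
    """OpenSSL 1.0.1g behaviour: discard the record if header + claimed payload
    + minimum padding could not fit in what was actually received."""
    _hb_type, payload_len = struct.unpack_from(">BH", memory, 0)
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # silently discard, as RFC 6520 requires
    return bytes(memory[3:3 + payload_len])


def honest_exchange() -> tuple[bytes, bytes | None]:
    """The client sends 'house' and truthfully asks for 5 bytes back."""
    mem, n = server_memory(build_heartbeat(b"house"))
    return vulnerable_server(mem, n), patched_server(mem, n)


def heartbleed_exchange(claimed_len: int = 0xFFFF) -> tuple[bytes, bytes | None]:
    """The client sends 'house' but claims the payload is up to 64 KB long."""
    mem, n = server_memory(build_heartbeat(b"house", claimed_len))
    return vulnerable_server(mem, n), patched_server(mem, n)


if __name__ == "__main__":
    print("honest exchange:", honest_exchange())
    leaked, refused = heartbleed_exchange()
    print("vulnerable server leaked %d bytes, e.g. %r" % (len(leaked), leaked[5:80]))
    print("patched server replied:", refused)
```

Both servers answer the honest request with 'house'. For the lying request the vulnerable server returns 'house' followed by everything that came after it in memory, password included, while the patched server returns nothing at all. Note that the fix is a single length comparison; nothing about the certificate or the encryption changes, which is why patching the library (and restarting the services that use it) is the essential step.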

No one knows for certain whether anyone knew about this weakness in OpenSSL before the news became public. Possible traces of earlier Heartbleed use have been reported, and most experts think it 'unlikely' that nobody spotted the weakness in the two years since the heartbeat extension was introduced.

So What Should I Do?

Once an affected site has been 'patched' to protect it from the Heartbleed vulnerability you should change your password to protect your sensitive data. There is no point in changing it beforehand: a server that is still vulnerable can leak your new password just as easily as the old one, especially now that the weakness has been made public. Many major companies were informed by Google about the bug before news broke publicly to allow them time to patch. Below is a selected list, published on the BBC News pages, of well known websites which could be affected, and each company's advice on whether changing your password is necessary:

Website                      Affected by Heartbleed?   Patch implemented?   Should password be changed?
Amazon                       No                        n/a                  Only if reused (*)
Apple                        Unclear                   Unclear              Unclear
Barclays                     No                        n/a                  Only if reused (*)
eBay                         No                        n/a                  Only if reused (*)
Evernote                     No                        n/a                  Only if reused (*)
Facebook                     Yes                       Yes                  Yes
Google/Gmail                 Yes                       Yes                  Yes
HSBC                         No                        n/a                  Only if reused (*)
LinkedIn                     No                        n/a                  Only if reused (*)
Lloyds                       No                        n/a                  No
Microsoft/Hotmail/Outlook    No                        n/a                  Only if reused (*)
PayPal                       No                        n/a                  Only if reused (*)
RBS/Natwest                  No                        n/a                  Only if reused (*)
Santander                    No                        n/a                  Only if reused (*)
Tumblr                       Yes                       Yes                  Yes
Twitter                      No                        n/a                  Only if reused (*)
Yahoo/Yahoo Mail             Yes                       Yes                  Yes

(*) Only if you used the same password on a site that was vulnerable.

n.b. Banks and other websites with multiple levels of security (e.g. card readers or one-time codes) are in a far better position: even if a password had leaked, it is not enough on its own to log in.

For Oxford Web Clients

If you are worried about your own websites which were produced by us being compromised, we have the following advice for our clients:

  • if your website does not use an SSL certificate (no 'https' connection) then it has no encrypted connection for Heartbleed to attack, although any other secure service on the same server, such as encrypted email, should still be checked.
  • if there is a chance your website has been affected we will contact you and advise you further.

In the meantime, several online tests have been built to check a server for the weakness (the original post linked to two of them). If you have command-line access to your own server, 'openssl version' shows which version of the library is installed: 1.0.1 to 1.0.1f are vulnerable and 1.0.1g or later is fixed, but some Linux distributions back-ported the fix without changing the version number, so check the package's changelog before assuming the worst. Remember that the fix only takes effect once the services using the library (the web server, mail server and so on) have been restarted.



© Alberon Ltd 2017

8 Standingford House
26 Cave Street
Oxford
OX4 1BA

01865 596 144

Oxford Web is a trading name of Alberon Ltd, registered company no. 5765707 (England & Wales).