Engineer's Corner
1:11 pm
Thu April 10, 2014

TheEC: Heartbleed and Donations to RIPR

The big news in computing this week is Heartbleed, a serious security problem with secure websites. Specifically, it's a two-year-old bug in the near-ubiquitous OpenSSL library, an implementation of SSL (Secure Socket Layer), the protocol most commonly recognized when there's an "https" (instead of "http") at the beginning of a website address.

It's a big problem, and I'll explain why in a second, but first I wanted to let everyone know that the RIPR donations website is secure and never was vulnerable to Heartbleed.   They use a hardware-based implementation of SSL, not OpenSSL.

So if you have donated or plan to donate to RIPR, you have nothing to worry about in regards to Heartbleed and that donation.  Whew!

So what's the big deal?  It's not just that it's a bug, it's that it's a bug that has been exploitable for nearly two years.  And one that individual users can't do anything about; this was all on the server end.  The bug means that all sorts of information, including usernames and passwords used on OpenSSL-secured websites, could be stolen by third parties.  That's a potentially HUGE scope of operations.  Or maybe not.  Nobody really knows for sure, and there's no way to know for sure.

Worse still, people tend to use the same, or similar, passwords for lots of different logins.  Hey, we're only human, so I don't judge.  It is what it is.   But it means that if your password was compromised at any one Heartbleed-affected site, there are data thieves out there smart enough and advanced enough to use that password on lots of other sites, too.

As a result, basically, everyone needs to change all their passwords.  ALL of them.   And soon.  Maybe not quite immediately, since not every site has fixed/patched the bug yet, and changing your password on an unpatched site just means you compromised your new password, too.   Here's a handy tool you can check your favorite sites with:  http://filippo.io/Heartbleed

But you should do it soon: over the weekend of April 12th and 13th at the latest.

And don't be skimpy; change ALL your passwords.   For everything.   Computer logins, Gmail/Yahoo/Outlook/etc, PayPal, online banking, newspaper logins, Facebook, Twitter (even though Twitter was cleared), Amazon, NewEgg, any other online shopping...anything that requires a password?  Change it.

What should you use as a password?  Well, there are the standard guidelines for such things, but I'm more a fan of this method (which is perfectly valid!), and you might use this website to help generate such passwords for you.