Heartbleed SSL Encryption Flaw: 10 Ways to Minimize the Threat

By Don Reisinger  |  Posted 2014-04-10

A new major security issue is affecting Web users, and it's unclear just how bad it might get. The vulnerability, known as Heartbleed, affects OpenSSL, a widely used implementation of the Secure Sockets Layer/Transport Layer Security encryption technology. It allows hackers to breach Web servers, networks and anything else "protected" by the technology—and to steal information. What's worse, it's believed some of the largest Websites are vulnerable, including Yahoo. Tumblr confirmed that it was vulnerable, but has implemented a fix. Although a fix is available, the flaw is still a huge security concern that has yet to be addressed worldwide. That leaves users without the protection they need, and puts the average person at risk of losing sensitive information, having financial data stolen, or worse, seeing private identity data, such as Social Security numbers, stolen. Some experts believe the vulnerability extends to more than 500,000 Web servers, meaning millions of sites are vulnerable. Consumers and enterprises are understandably asking what they can do to protect themselves. There isn't much that can be done to fully insulate Websites and users from Heartbleed, but there are ways to limit the flaw's impact.

  • Know the Affected Sites and Steps They're Taking

    It's estimated that the Heartbleed flaw has affected at least 600 of the world's most popular 10,000 sites. Millions more lesser-known sites are also affected. The first step in staying secure in the face of the threat, therefore, is knowing which sites are most at risk and staying up on when and how they've addressed the issue.
  • Don't Log In to Any Affected Sites

    While it's impossible to keep track of all the potentially affected sites, it's advisable to not even consider logging in to them until those companies know for sure that their servers are safe. Logging in sends your credentials to those servers, and while the flaw is unpatched it's possible hackers will take notice and steal sensitive information. Stay away. Stay far, far away.
  • Don't Trust the All-Clear

    Some sites have said that they have addressed the problem, only to turn around and discover that their "fixes" were only partial. Although some sites might give the all-clear, it's a good idea to wait and see over a period of a few days after that to determine if that's actually true.
  • Be Careful About Browser Cookies

    There are some indications that the Heartbleed flaw extends to Web browsing. According to security experts, the flaw can expose browser session cookies. So, in addition to users who log in to affected sites, people who merely visit affected pages might fall victim to the threat through the cookie flaw. The Imgur Website recently acknowledged the cookie flaw to the news media, saying that it invalidated tokens on cookies "to be on the safe side."
  • Prepare, but Don't Immediately Implement, New Passwords

    Heartbleed has also brought to the fore the question of password security. Now that we know that sites might have been compromised and user data stolen, companies are urging users to reset their passwords. However, until you know for sure that the particular site is out of the woods and fully secure, don't actually change the password. After all, if the site is still vulnerable, the new password will be stolen.
  • Embrace Two-Factor Authentication

    Much has been made about the inconvenience of two-factor authentication, but it's high time more people and companies embrace the idea. Two-factor authentication means that in addition to logging in to a site with a username and password, users must verify their identity through a second channel. In many cases, that means a code sent to a mobile phone on file. Two-factor authentication isn't a security panacea, but it helps improve overall security.
  • Stay Away From Small Sites

    Although Heartbleed is starting to become more known in the security community, there's a good chance that small businesses affected by the flaw won't know anything about it or won't know how to deal with it. Realizing that, it might be a good idea to contact local small firms you do business with online to see if they're affected. If they don't know, keep away. If they say yes, wait for them to verify their security. Big companies tend to move far more quickly on these kinds of flaws than smaller firms, so keep that in mind.
  • Apply Pressure on Web Companies to Set Things Right

    One of the great things about the Web is that the collective efforts of its users can institute change in companies. That's especially the case when security issues affect users. So, rather than sit back and wait to see what happens, consider speaking out on forums, heading over to Reddit to join the people worried about this flaw, and sending notes directly to companies through email and social media, urging them to quickly address the security problems. Heartbleed is a major issue that must be addressed now.
  • Stay Up on the News

    The worst thing to be is uninformed whenever security issues break out. Be sure to stay up on the news surrounding Heartbleed and see if anything has changed, gotten better or become worse. The more the average person knows about a particular security flaw, the less likely they are to be affected by it. Keep that in mind.
  • Stay Off the Web for a Few Days if Possible

    Some security experts have taken the concern over Heartbleed a step beyond the standard recommendations. Those experts have suggested that users stay off the Web for the next few days to see how Heartbleed's discovery plays out and how companies respond. The very act of being on the Internet puts users at risk, those experts say. So it's better to keep away than try to dance around the potentially dangerous sites. It might sound severe, but it might also make some sense.
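Several of the items above (knowing which sites have addressed the issue, not trusting a partial all-clear, and holding off on a password change) come down to one check a practitioner can make: whether a site's certificate was reissued after Heartbleed became public, since a server that patched OpenSSL but kept its old private key has only half-fixed the problem. This is an added example, not code from the article; it assumes 7 April 2014 as the public disclosure date (the article does not state it), and the helper names, the hostname example.test and the sample certificate dicts are constructed.

```python
"""Check whether a site's TLS certificate was issued after the Heartbleed
disclosure (7 April 2014). A server that patched OpenSSL but kept its old
certificate and private key may still be exposed, because the key could have
been read from memory before the patch. Added example, not from the article."""
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (assumed here; not stated in the article).
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """notBefore of a certificate dict in the shape ssl.SSLSocket.getpeercert()
    returns (e.g. 'Apr 10 12:00:00 2014 GMT'), as a UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_disclosure(cert, disclosure=HEARTBLEED_DISCLOSURE):
    """True if the certificate post-dates the disclosure, i.e. the site very
    likely rotated its key as part of its fix. False means the pre-disclosure
    key is still in use, so an 'all-clear' from that site is incomplete."""
    return cert_not_before(cert) >= disclosure


def check_site(hostname, port=443, timeout=5.0):
    """Live check (needs network): fetch the server certificate and return
    (not_before, reissued). Certificate validation is left on deliberately."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return cert_not_before(cert), reissued_after_disclosure(cert)


# Constructed sample certificate dicts (not real certificates), in the shape
# getpeercert() returns: one issued before disclosure, one reissued after it.
OLD_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Jan 15 00:00:00 2014 GMT",
            "notAfter": "Jan 15 23:59:59 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Apr 10 12:00:00 2014 GMT",
            "notAfter": "Apr 10 12:00:00 2015 GMT"}

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, cert_not_before(cert).date(), reissued_after_disclosure(cert))
```

A certificate dated after the disclosure is only evidence of key rotation, not proof; a site that patched OpenSSL but shows a pre-disclosure certificate is the case worth waiting out before changing a password there.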
