Heartbleed SSL Encryption Flaw: 10 Ways to Minimize the Threat

by Don Reisinger

It’s estimated that the Heartbleed flaw has affected at least 600 of the world’s most popular 10,000 sites. Millions more of lesser-known sites are also affected. The first step in staying secure in the face of the threat, therefore, is knowing which sites are most at at risk and staying up on when and how they’ve addressed the issue.

While it’s impossible to keep track of all the potentially affected sites, it’s advisable to not even consider logging in to them until those companies know for sure that their servers are safe. Upon logging in to the systems, the servers are pinged and it’s possible hackers will take notice and steal sensitive information. Stay away. Stay far, far away.

Some sites have said that they have addressed the problem, only to turn around and discover that their “fixes” were only partial. Although some sites might give the all-clear, it’s a good idea to wait and see over a period of a few days after that to determine if that’s actually true.

There are some indications that the Heartbleed flaw extends to Web browsing. According to security experts, the flaw can track surfing cookies. So, in addition to logging into sites, folks that even go to affected pages might fall victim to the threat through the cookie flaw. The Imgur Website recently acknowledged the cookie flaw to the news media, saying that it invalidated tokens on cookies “to be on the safe side.”

Heartbleed has also brought to the fore the question of password security. Now that we know that sites might have been compromised and user data stolen, companies are urging users to reset their passwords. However, until you know for sure that the particular site is out of the woods and fully secure, don’t actually change the password. After all, if the site is still vulnerable, the new password will be stolen.

Much has been made about the inconvenience of two-factor authentication, but it’s high time more people and companies embrace the idea. Two-factor authentication means that in addition to logging in to a site with a username and password, users would need to verify their identity through another product. In many cases, that means sending a code to a mobile phone on file. Two-factor authentication isn’t a security panacea, but it helps improve overall security.

Although Heartbleed is starting to become more known in the security community, there’s a good chance that small businesses affected by the flaw won’t know anything about it or won’t know how to deal with it. Realizing that, it might be a good idea to contact local small firms you do business with online to see if they’re affected. If they don’t know, keep away. If they say yes, wait for them to verify their security. Big companies tend to move far more quickly on these kinds of flaws than smaller firms, so keep that in mind.

One of the great things about the Web is that the collective efforts of its users can institute change in companies. That’s especially the case when security issues affect users. So, rather than sit back and wait to see what happens, consider speaking out on forums, heading over to Reddit to join the people worried about this flaw, and send notes directly to companies through email and social media, urging them to quickly address the security problems. Heartbleed is a major issue that must be addressed now.

The worst thing to be is uninformed whenever security issues break out. Be sure to stay up on the news surrounding Heartbleed and see if anything has changed, gotten better or become worse. The more the average person knows about a particular security flaw, the less likely they are to be affected by it. Keep that in mind.

Some security experts have taken the concern over Heartbleed a step beyond the standard recommendations. Those experts have suggested that users stay off the Web for the next few days to see how Heartbleed’s discovery plays out and how companies respond. The very act of being on the Internet puts users at risk, those experts say. So it’s better to keep away than try to dance around the potentially dangerous sites. It might sound severe, but it might also make some sense.