Blog — Tips and Tricks from the Mac Zen Team

The Heartbleed Bug—What you need to know and do


Heartbleed is a flaw that was discovered in the way secure connections are handled between a client computer (yours) and a server (the computer that serves a company’s web pages). The flaw affected approximately two-thirds of the world’s web servers running OpenSSL, an open-source security software library. In the days since its announcement, the vast majority of those servers have been repaired.

XKCD, a webcomic aimed at technophiles, has a nice little comic that explains how the Heartbleed bug works. It would be as if a major door lock manufacturer came out and said, “All of our locks have a fundamental flaw that has gone unnoticed until now. We have no way of knowing whether anyone has exploited this flaw, but it’s possible (though not probable) that someone has the key to get into your house, and they may or may not have used it already.”

The analogy breaks down at one point: the problem on the servers has already been repaired, whereas a lock company doesn’t have the luxury of replacing millions of door locks in a few days. It’s uncertain whether any information was taken, but the consensus is that it’s time to change all of your passwords.

My inclination is to suggest that there is no need to panic, but don’t procrastinate either. Take the time to go through your most important accounts, log in, and change your password. As I mentioned, there is little evidence that any data was stolen during the time the flaw went undiscovered and unpublished. It’s highly unlikely that *you* in particular were affected, but due diligence requires that you “change your locks” regardless.

For those of you tormented by Apple IDs and passwords for iTunes and iCloud, fear not: Apple’s servers were among the many not affected by this flaw, so you can skip that one if you wish. If, however, you use the same email address and password for other accounts such as Facebook or Gmail, you may want to update your Apple ID password too. If you wish to update your Apple ID, do so at Manage Your Apple ID

Most password changes can be done by logging in to the service and finding the “my account” link. Failing that, you can usually click the “forgot password” link and a password reset link will be emailed to you. Naturally, for the latter to work, you must have a current email address associated with the account.

Several sites have put up a form that lets you test whether a given web server (say, www.facebook.com) is still vulnerable to the Heartbleed flaw. One such site is http://heartbleed.hostgator.com

You may download a form I’ve created to help you organize getting all of your passwords updated. At the top I’ve listed a few rules to go by when you’re changing them.

Some other useful links on the subject: