When you shop online or surf the web for pictures of cats in amusing poses, you expect that your data is (mostly) secure, especially if you take the precaution of looking for the “lock” icon in your address bar. For years, we’ve been told that the padlock is a good way to make sure you are on a site that encrypts your data in transit.
All that changed on April 7, 2014, when a vulnerability called Heartbleed (CVE-2014-0160) was disclosed in OpenSSL, the open-source software library that a huge share of web servers use to implement SSL/TLS, the protocol behind that padlock. The flawed code has shipped in OpenSSL since version 1.0.1 in March 2012, so any server running an affected version could have been leaking data for about two years, and your “secure” information might not be so secure.
What is Heartbleed?
Heartbleed is a bug in OpenSSL’s handling of the TLS “heartbeat” extension, a keep-alive feature in which one side sends a short message and asks the other side to echo it back. The request carries a field stating how long the message is, and vulnerable versions of OpenSSL trusted that number instead of checking it against the data actually received. A request that says “echo back 64 kilobytes” but contains only a few bytes makes the server answer with up to 64 kilobytes of whatever happens to sit next to that message in its working memory. The attacker can’t choose which bytes come back, but the request can be repeated as often as they like, and the returned memory has been shown to include usernames and passwords, session cookies, credit card numbers, and even the server’s private encryption key. The same flaw lets a malicious server read memory from a vulnerable client, and an ordinary web server log records nothing about the attack.
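To make the missing check concrete, here is an added illustration (not code from this article or from OpenSSL): a small model of the heartbeat handler in C. The server’s memory is modelled as one buffer with the received request at the start and a constructed “secret” a bit further along; the structure names, offsets and the sample secret are assumptions for the demo. The vulnerable handler copies as many bytes as the request claims, while the fixed handler applies the same length check the OpenSSL patch added and silently discards requests whose claimed length doesn’t fit inside what was actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the TLS heartbeat handler; names and layout are assumptions.
 * A heartbeat record is: type(1) | payload_length(2, big-endian) | payload | padding(16) */
#define HB_REQUEST    1
#define HB_RESPONSE   2
#define HB_HDR_LEN    3      /* type byte + 2-byte length field */
#define PADDING_LEN   16
#define ARENA_SIZE    1024   /* size of our model of the server's heap */
#define SECRET_OFFSET 256    /* where unrelated sensitive data sits in that heap */

/* Constructed sample of sensitive data that happens to live after the record. */
static const char SECRET[] = "session=abc123; card=4111111111111111";

/* The server process: one contiguous memory region. The received heartbeat
 * record sits at offset 0; record_len is how many bytes really arrived. */
typedef struct {
    unsigned char mem[ARENA_SIZE];
    size_t record_len;
} server_t;

/* Build a heartbeat request whose length field says claimed_len, no matter
 * how many payload bytes (real_len) are actually present. */
static size_t build_heartbeat(unsigned char *out, const unsigned char *payload,
                              size_t real_len, uint16_t claimed_len) {
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + HB_HDR_LEN, payload, real_len);
    memset(out + HB_HDR_LEN + real_len, 0, PADDING_LEN);
    return HB_HDR_LEN + real_len + PADDING_LEN;
}

/* Put the request into the model heap, with the secret further along. */
static void server_receive(server_t *s, const unsigned char *payload,
                           size_t real_len, uint16_t claimed_len) {
    memset(s->mem, 0, sizeof s->mem);
    s->record_len = build_heartbeat(s->mem, payload, real_len, claimed_len);
    memcpy(s->mem + SECRET_OFFSET, SECRET, sizeof SECRET);
}

static size_t write_header(unsigned char *resp, uint16_t payload_len) {
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload_len >> 8);
    resp[2] = (unsigned char)(payload_len & 0xff);
    return HB_HDR_LEN;
}

/* VULNERABLE handler: trusts the peer's claimed length, so memcpy reads past
 * the end of the record into adjacent memory. Returns response length. */
static size_t heartbeat_vulnerable(const server_t *s, unsigned char *resp) {
    const unsigned char *p = s->mem;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    size_t n = payload_len;
    /* Demo-only clamp so the over-read stays inside our model heap; the real
     * code had no bound at all and could read 65535 bytes past the record. */
    if (HB_HDR_LEN + n > ARENA_SIZE) n = ARENA_SIZE - HB_HDR_LEN;
    size_t len = write_header(resp, (uint16_t)n);
    memcpy(resp + len, p + HB_HDR_LEN, n);          /* the over-read */
    memset(resp + len + n, 0, PADDING_LEN);
    return len + n + PADDING_LEN;
}

/* FIXED handler: check the claimed length against what was really received,
 * as the OpenSSL 1.0.1g patch does, and drop the request if it lies. */
static size_t heartbeat_fixed(const server_t *s, unsigned char *resp) {
    const unsigned char *p = s->mem;
    if (s->record_len < HB_HDR_LEN + PADDING_LEN)
        return 0;                                    /* too short to be valid */
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (HB_HDR_LEN + (size_t)payload_len + PADDING_LEN > s->record_len)
        return 0;                                    /* claimed length lies: discard */
    size_t len = write_header(resp, payload_len);
    memcpy(resp + len, p + HB_HDR_LEN, payload_len);
    memset(resp + len + payload_len, 0, PADDING_LEN);
    return len + payload_len + PADDING_LEN;
}

/* Offset of the secret inside a response, or -1 if it did not leak. */
static long find_secret(const unsigned char *resp, size_t len) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return (long)i;
    return -1;
}

int main(void) {
    server_t s;
    unsigned char resp[ARENA_SIZE + PADDING_LEN];
    const unsigned char payload[] = "hello";         /* 5 real bytes ... */
    server_receive(&s, payload, 5, 400);             /* ... claiming 400 */

    size_t n = heartbeat_vulnerable(&s, resp);
    printf("vulnerable: %zu bytes back, secret at offset %ld\n", n, find_secret(resp, n));
    n = heartbeat_fixed(&s, resp);
    printf("fixed: %zu bytes back (0 means the request was discarded)\n", n);
    return 0;
}
```

Run it and the vulnerable handler hands back 419 bytes with the “secret” sitting at offset 256 of the reply, while the fixed handler returns nothing for the same request and still answers an honest one (claimed length equal to the real payload) normally. The whole exploit is one number in a length field, which is why it could be tried against any server, repeatedly, without leaving anything unusual in its logs.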
Some estimates put the use of OpenSSL at around 60 percent of the web, a very large share of sites relying on one library. It’s open source and free, hence the appeal to many developers. The OpenSSL project fixed the flaw in version 1.0.1g; versions 1.0.1 through 1.0.1f are affected, while the older 1.0.0 and 0.9.8 branches never contained the heartbeat code. Going forward, a site running a patched version shouldn’t have this problem.
However, sites that ran an affected version have more to do than install the update. Because the server’s private key may have been read out of memory, the site also needs to get a new certificate and revoke the old one, in effect swapping out the “lock” for a new one. Some sites are slower than others at doing this. If you are concerned about your data, you can stay off the Internet, or you can use one of the web apps designed to check a site for the Heartbleed vulnerability. Filippo Valsorda offers one that lets you enter the web site in question and see if it’s still vulnerable.
Protect Your Information Online
While there is no way to completely avoid identity theft, you can take steps to protect yourself, and that applies to beefing up your own online security in the wake of Heartbleed. Here are some of the steps to take now, and in the future, for better online security:
Change your passwords, but at the right time: once a site you use has fixed its Heartbleed issue and replaced its certificate, change your password there right away. Don’t do it before the fix is in: a new password sent to a still-vulnerable server can leak exactly the way the old one could. After that, change passwords every few months, and immediately whenever a service you use announces a breach.
Use different passwords for different accounts: Avoid using the same login information for multiple accounts. Attackers who obtain a password from one site routinely try it against “high value” targets like bank sites, because so many people reuse the same password everywhere. Tools like LastPass and 1Password store your passwords in one encrypted place so that you don’t have to remember them all, which makes a unique password per site practical.
Be careful of your public Wi-Fi behavior: Don’t do anything particularly sensitive while using public Wi-Fi. Even leaving Heartbleed aside, these networks aren’t usually very secure, and checking your banking information or doing something similarly sensitive on them is usually a bad idea.
You should also make it a point to monitor your credit report going forward. One of the best ways to check to make sure someone hasn’t stolen your identity and used it to open fraudulent accounts is through regular credit report checks. You can sign up for credit monitoring, use free credit sites like Quizzle.com, which offers Identity Theft Protection for account holders, and make use of AnnualCreditReport.com for the free report you are entitled to by law.