Heartbleed is a recently discovered vulnerability in a very commonly used encryption library (OpenSSL).
Encryption is the process of 'hiding' data that needs to be secured from prying eyes, such as passwords and credit card details.
Basically, any website or service you use that requires a logon could possibly be using encryption, and is then very likely to be using the library that is vulnerable. Also, anywhere you enter credit card details will definitely be encrypted.
So any sites you visit that use https:// in the address are possibly vulnerable. (There are other service types that use this encryption as well, like VPNs)
THE IMPACT: Any time you have used a site with encryption, the data you sent across that secure channel could possibly have been 'sniffed' out - in other words, intercepted during transit between you and the website you were accessing. If that was the case, someone could have a copy of that data, and this would likely include passwords and credit card details. This is what the 'sniffers' would be ultimately seeking out, in any case.
So if you have at some time in the last 2 years used a website to transmit credit card details, or you have logged in to a service somewhere, then it is POSSIBLE that someone has those details.
HOW DO I KNOW WHAT SITES OR SERVICES WERE AFFECTED?: You won't, necessarily. You would have to ask the administrators of the service in question. It's probably safe to assume that all services were affected (this is not literally true, but it is the cautious assumption).
You can check to see if a service you use is affected right now, however, using this tool:
WHAT YOU SHOULD DO: Changing passwords is ultimately going to be required to ensure that any of your accounts remain secure. BUT because some services may not have patched their servers against this exploit, the password change you perform COULD be 'sniffed' also.
The best thing you can do right now IS to change your passwords, but you should be prepared to change them again on a regular basis (weekly would seem reasonable), at least until you are sure each service you use has been patched. IN FACT, any good IT guru will tell you that you should be changing your passwords regularly anyway :) Let this be a lesson to us all!
NOW IS A GOOD TIME TO LEARN TO PRODUCE SECURE PASSWORDS!
If you're going to go to the trouble of changing passwords, you may as well take the time to make and memorise something secure.
There are just a few simple guidelines you should follow to create secure passwords, and while this won't protect you from something like Heartbleed, it will prevent other types of attacks from being effective against your accounts:
So to assist with remembering your passwords, you can use a system like the following:
That password is pretty secure, but also simple to memorise.
You can use something like this website to check the strength of your passwords. Keep in mind, this site is pretty thorough in its diagnosis. The above password gets a score of 64%, which doesn't sound all that high, but it's measuring on a pretty large scale. If the 'complexity' is strong, and you have followed all of the above suggestions, you should be secure:
ANOTHER NOTE ABOUT PASSWORDS: You should avoid using the same password over and over again. It's a good idea to develop several passwords and assign them to different 'levels' of security.
LEVEL 1: Use one password for things that are not all that sensitive to you - stuff that will not have a huge impact on your life should someone get access to it.
LEVEL 2: Use another password for things that are a little more sensitive, but which would not impact you too badly should someone steal it.
LEVEL 3: And finally, designate another password for the stuff you really care about. You should probably have several of these.
A NOTE ABOUT CREDIT CARD DETAILS: If you're concerned, call your bank and get a new card. You should probably also review all your statements for the last 2 years to check for any unknown transactions.
A NOTE FOR WEBSITE OWNERS: If your website uses SSL, you may wish to consider re-generating your private keys, creating a new Certificate Signing Request (CSR) from the new key, and ultimately obtaining a new certificate and installing it.
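As an added example (not part of the original notice), here are those re-keying steps as a small shell script using the openssl command-line tool. The hostname www.example.com, the output directory and the file names are placeholders. The script also performs two checks a site owner would want: that the new CSR really belongs to the freshly generated key, and that the new key differs from the one behind the currently installed certificate (i.e. that a rotation actually happened rather than a CSR being re-issued from the old key).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is installed.
set -eu

# Print a SHA-256 fingerprint of the public key held in a private key, a CSR
# or a certificate, so any two of them can be compared with each other.
# $1 = file, $2 = one of: key | csr | cert
public_key_fingerprint() {
    case "$2" in
        key)  pub=$(openssl pkey -in "$1" -pubout) ;;
        csr)  pub=$(openssl req -in "$1" -pubkey -noout) ;;
        cert) pub=$(openssl x509 -in "$1" -pubkey -noout) ;;
        *)    echo "unknown kind: $2" >&2; return 2 ;;
    esac
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Generate a brand-new 2048-bit RSA key and a CSR for it, verify that the two
# belong together, and print the new key's fingerprint.
# $1 = output directory (placeholder), $2 = site hostname used as the CN (placeholder)
generate_key_and_csr() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # -nodes: key is stored unencrypted so the web server can load it unattended
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/CN=$host" >/dev/null 2>&1
    chmod 600 "$dir/$host.key"
    # The CSR is self-signed with the new key; this must verify.
    openssl req -in "$dir/$host.csr" -verify -noout >/dev/null 2>&1
    k=$(public_key_fingerprint "$dir/$host.key" key)
    c=$(public_key_fingerprint "$dir/$host.csr" csr)
    [ "$k" = "$c" ] || { echo "CSR does not match the new key" >&2; return 1; }
    echo "$k"
}

# Returns 0 if the certificate in $1 uses a different key than the key file in
# $2 (the key was really rotated), 1 if the old key is still in use.
key_was_rotated() {
    old=$(public_key_fingerprint "$1" cert)
    new=$(public_key_fingerprint "$2" key)
    [ "$old" != "$new" ]
}
```

Usage: `generate_key_and_csr /etc/ssl/private www.example.com` (placeholder paths) writes `www.example.com.key` and `www.example.com.csr`; send the CSR to your certificate authority, then before installing the new certificate run `key_was_rotated old.crt www.example.com.key` to confirm the key behind the old certificate is no longer the one you will be serving.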
If you have any concerns, please feel free to contact us.