The Heartbleed Encryption Bug: What You Need to Know and How to Protect Yourself
Apr. 09, 2014
By now you've likely heard the news about the Heartbleed bug. The reason this bug is getting so much press is that it exploits a vulnerability in OpenSSL, a widely used software library that provides the SSL/TLS encryption behind more than half of the websites you log into on the internet. Your web browser displays a little padlock beside the URL when you access a secure site, like your bank, and many of those secure sites rely on OpenSSL.
It's important to keep things in perspective: while Heartbleed was only just announced, this security flaw has existed for 2 years. Just because a service was vulnerable doesn't mean the vulnerability was actually exploited.
CIT is currently working to identify which, if any, Oberlin services are vulnerable to attack. If any web servers are found to be vulnerable to the Heartbleed bug, CIT will quickly apply the necessary patches to update these systems. At present, there is no need to change the password for your ObieID or any other Oberlin College service. We will alert you if it becomes necessary to take additional action.
Many off-campus web services you use (e.g., Facebook, banking services, GMail) may be vulnerable, and you may receive emails from those services asking you to change your password. When this occurs, it's important to remember the following:
- Don't click on any links in the email. Phishers may use this opportunity to catch users with their guard down. Change passwords by going directly to the websites. For example, if Dropbox sends an email saying, "We've patched and are asking you to change your password now", you should open a browser, go directly to the website you know and trust, and change the password there.
- Don't change your password before a web service indicates you should do so. Until a service is patched and its certificate has been replaced, your password will remain vulnerable, even if you change it. Wait until a company lets you know that its services have been patched before going ahead and changing your password.
Unfortunately, there's no easy way for an end user to tell whether a site is vulnerable, and there is no immediate action to take. Be on high alert for suspicious activity, change your passwords regularly, and always do so promptly when urged to by websites with which you have an account. Please contact the CIT Help Desk at x58197 or firstname.lastname@example.org if you have any questions.
The ‘Heartbleed’ Bug and How Internet Users Can Protect Themselves, The Chronicle of Higher Education
Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed bug), Google Online Security Blog