There’s been a lot of information on the heartbleed SSL bug lately since the vulnerability was first exposed earlier this month. While a lot of this information is relevant, there is also a significant amount of information that is only partially correct.

When it comes to the heartbleed vulnerability, the real question is whether you should be worried at all and, if so, how much and what you should do about it. My experience with SSL protocols, including the OpenSSL library, coupled with a relatively quiet Sunday afternoon, prompted me to write this Q&A to address that very question.

So what’s the vulnerability all about?

Essentially, heartbleed is a vulnerability in the open-source OpenSSL cryptography library that can be used to reveal sensitive information that is otherwise deemed to be protected. Before you jump into this, you need to understand what the OpenSSL library is and how it is used.

What’s OpenSSL and how does it relate to the heartbleed vulnerability?

OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements the basic cryptographic functions and provides various utility functions. OpenSSL is used to create the SSL certificates that websites use to secure the communications between you, the client, and the server. OpenSSL can also be used to create your own self-signed certificates, which are generally deployed in internal applications. Since the heartbleed bug is part of the OpenSSL library, any deployment that relies on OpenSSL for SSL and TLS is exposed to this vulnerability.

What’s with the name, Heartbleed?

Narrowing things down further, the bug lies in the heartbeat protocol, a keep-alive mechanism that is generally used to negotiate and monitor the availability of a resource. It is an extension to the TLS protocol, and OpenSSL implements it. So essentially the heartbleed vulnerability lies within OpenSSL's implementation of the TLS heartbeat extension. Hence the name: Heartbleed.
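To make that concrete, here is an added example (my own C model, not OpenSSL's code and not from the original post) of the check a heartbeat handler must make: a heartbeat request carries its own claimed payload length, and the handler has to compare that claim against the number of bytes that actually arrived before echoing the payload back. The record layout follows RFC 6520; the function names and the two sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Body of a TLS heartbeat message (RFC 6520): 1 byte type (1 = request,
 * 2 = response), 2-byte big-endian payload_length, the payload, then at
 * least 16 bytes of padding. record_len is how many bytes really arrived. */
enum { HB_HEADER_LEN = 3, HB_MIN_PADDING = 16, HB_REQUEST = 1 };

static size_t claimed_payload_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}
/* Unchecked variant: trusts the sender's payload_length and ignores how long
 * the record really is. A handler that copies that many bytes into its reply
 * reads past the payload into whatever memory follows it. Constructed model. */
size_t hb_reply_len_unchecked(const uint8_t *rec, size_t record_len) {
    (void)record_len;
    return claimed_payload_len(rec);
}

/* Hardened variant: the claimed payload plus header and minimum padding
 * must fit in the bytes actually received; otherwise drop silently (0). */
size_t hb_reply_len_checked(const uint8_t *rec, size_t record_len) {
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return 0;                   /* cannot even hold an empty payload */
    size_t claimed = claimed_payload_len(rec);
    if (claimed > record_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return 0;                   /* claims more payload than arrived */
    return claimed;
}
/* Constructed sample records, not captured traffic. Each really carries the
 * 4-byte payload "ping" plus 16 bytes of padding: 23 bytes in all. */
static const uint8_t benign_record[23] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Identical bytes, but payload_length claims 0x4000 (16384) bytes. */
static const uint8_t oversized_record[23] = {
    HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void) {
    printf("benign:    unchecked=%zu checked=%zu\n",
           hb_reply_len_unchecked(benign_record, sizeof benign_record),
           hb_reply_len_checked(benign_record, sizeof benign_record));
    printf("oversized: unchecked=%zu checked=%zu\n",
           hb_reply_len_unchecked(oversized_record, sizeof oversized_record),
           hb_reply_len_checked(oversized_record, sizeof oversized_record));
    return 0;
}
```

The unchecked variant would reply with 16384 bytes for a 23-byte request; the checked variant drops it, which is the behaviour the patched library has.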

Is this fixed now?

The short answer: yes. The OpenSSL library was patched for this bug on the day the heartbleed vulnerability was made public, 7th April 2014. So any deployment of OpenSSL that uses this patched version should not be impacted by the heartbleed vulnerability. However, it is up to the websites and applications that use the OpenSSL library to implement SSL to ensure that they are using the newer, patched version of the library. As these websites continue to fix this by moving to the patched version of OpenSSL, most of them have been sending out communications to their users.

How am I impacted?

There are a few sites listing the websites and services that are impacted by the heartbleed vulnerability. That can be the starting point to determine whether you are impacted or not. However, even if not all of the sites that you use are impacted, you should still consider yourself potentially impacted. The reason: if even one of the sites you use is impacted and you share your userID with other sites, it does not take rocket science to pull out information related to that userID from those other sites, even if they are not directly impacted by the heartbleed vulnerability.

What should I do immediately?

For now, audit all your user accounts, starting from one of the lists mentioned above. Update your passwords periodically; at the very least, do it once now. Change a password on an affected site only after that site has applied the patch, since a password set before the fix can leak just like the old one. Avoid keeping common passwords as much as possible.

What should I do next?

Well, just the basics of security. Make sure you regularly audit your passwords. Never use common passwords, and avoid using common userIDs across multiple sites. Use a password vault to manage your passwords. You can either use a cloud-based vault like LastPass or, if you are not afraid of the command line, you can set up a more secure and flexible vault using the UNIX password manager utility ‘pass’. If you do use a cloud-based vault, be sure to enable two-factor authentication. Creating a new account? Spend some time verifying what kind of SSL implementation they have and whether they are using the patched OpenSSL library.