bkrtpa
Last Updated: February 25, 2016
·
674
· MidnightLightning

How to browse the internet in the days of Heartbleed

The "Heartbleed" vulnerability has changed the way we as end users need to approach browsing the internet, at least for the near future while servers are sorted out. Following the below guide will help you keep your personal information safe, and hopefully avoid any fallout like a stolen identity or wiped bank account from this exploit.

Check first

Before logging in anywhere, use a tool like Filippo.io test or Possible.lv test to check if a site is vulnerable. Try this Chrome extension to automatically check all sites as you browse, though note that because this extension requires you to visit the page to check it, if a site is compromised and you are already logged in, your session ID may be stolen; LOG OUT IMMEDIATELY!

If the test comes back with anything other than "All Good", DO NOT LOG IN; log off if you're already logged in, and proceed to the next step:

Contact the site

Check a website's Facebook/Twitter feed or contact them directly and ask "Were you vulnerable to the Heartbleed exploit, and if so, have you patched your server?"

If the answer is "No we're not patched", or whoever you're talking to sounds in any way unsure if the patch has been applied and is live, DO NOT LOG IN and try again later.

If you get an authoritative "No, we were never vulnerable" (possible if they used a version of OpenSSL prior to 1.0.1, or were using a Windows-based web server), you're good; feel free to log in and use the site.

Verify the certificate

If the Heartbleed test comes back "all good", next double-check that in addition to applying the patch, the website has also created a new certificate.

The Possible.lv test includes in its results if the certificate has been re-issued for a site, but to double-check for yourself, navigate to the site, and click the green "HTTPS" lock icon in your browser. Navigate the popup clicking "More information" or "View Certificate" or similar to get the detailed information on the SSL certificate for the site.

Find the line labeled "Issued Date" or "Not Valid Before", and ensure that the date there is April 8th, 2014, or later. If it is not after that date, contact the website and tell them them to reissue their certificate.

Password reset

If the test comes back "All Good" (or a system administrator at the company verifies the software has been patched), and the certificate has been re-issued, you are now safe to log in again. Log in and reset your password. And, if you used that password anywhere else on the internet, go repeat the process at that site too.

Epilogue

This is an onerous task, especially if you use one password at lots of sites, but due to the nature of this exploit, this is the most complete way that you as a user can minimize the risk of your identity/finances/etc. being stolen from you.

If you haven't, now would be a great time to learn to use a tool like LastPass such that you can more easily not use the same password everywhere, and audit yourself when you're using passwords that are too simple.

2 Responses
Add your response

13985

There is already Chrome extension to test websites you visit: https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic

over 1 year ago ·
13986

Yes, though I don't think that extension checks the certificate date, does it? I think it just runs the site through the Flippo.io tester?

Good additional tool though, I've added it to the list of site checkers!

over 1 year ago ·