Heartbleed – the reason you need to update your passwords
Heartbleed is a vulnerability in the OpenSSL encryption code that is used by two-thirds of all websites. A popular method of encryption because it is open source and freely available, OpenSSL ensures your private information is securely transferred to the web servers you use. But Heartbleed, discovered on Monday by a Google engineer, results in those web servers passing on more information than they should when given the right type of request. While many of the sites affected will be patched by now, it’s still important to change your passwords on any sites impacted because your details may have been compromised.
It appears Freshbooks avoided disaster. The Toronto-based cloud accounting software learned about the Heartbleed vulnerability early on, and deployed its fix by 8:00 PM ET on Monday, according to a blog post from CEO Mike McDerment. The advice it’s giving to users is to consider changing your password, especially if you were using the site between 1:00 – 8:00 PM ET on Monday or if you use the same password for several websites.
Rogers/Yahoo webmail
While Rogers.com wasn’t impacted by Heartbleed, its webmail provider is Yahoo, and Yahoo was impacted by the vulnerability. Yahoo implemented a fix to the problem shortly after the issue became known, so if you are a user of Rogers/Yahoo webmail services it would be wise to go in and change your password. Even though the problem was fixed quickly, it’s possible the vulnerability was exploited by hackers prior to the fix, accessing your account password. Plus, a password change is easy to do and can’t hurt.
Some Telus sites
Sun News Network
On a University of Michigan list of the top 1000 vulnerable domains affected by Heartbleed, the only dot-ca site mentioned is sunnewsnetwork.ca. As of the time of publication, testing the domain shows that it is still vulnerable. One area where personal information could be at risk is the “Sun Force” form submission. The Sun encourages readers to sign up to send in breaking news photos and videos, collecting first and last names, phone numbers, and email addresses, but no passwords.
BBM for iPhone and Android
BlackBerry released a statement that it is investigating the Heartbleed vulnerability, but it can confirm that BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 are not affected. What is affected is its BlackBerry Messenger app on the iOS and Android platforms. BlackBerry says there are no mitigations or workarounds (i.e. no way to solve the problem) at present.
Shopify
E-commerce services provider Shopify says its customers are safe from Heartbleed, but it’s not a bad idea to update your passwords anyway. When Heartbleed became a known issue on Monday, Shopify’s network security and operations team went to work to update its hosting infrastructure and had a fix rolled out by 7:00 PM ET. All secondary systems were secured by midnight. Overnight, all keys and certificates were re-issued. Shopify suggests updating credentials like passwords, payment gateway, and API keys as a precaution.
Other sites affected
Of course, there is a long list of affected domains that are not Canadian-based but are used by many Canadians. Some of the web’s most popular destinations, including Facebook, Yahoo, Tumblr, Pinterest, Google, and more, are affected. Check out Mashable’s list, and you can check any website you like using this online tool or this Chrome browser extension. If you are a web admin and want to make sure you’ve secured your site against Heartbleed, follow Claudiu Popa’s guide from his blog post hosted on ITBusiness.ca.