For years you have been taught that going to a website that started with http:// instead of http:// meant you were connecting to a secure website. We learned this week there has been a flaw in the security protocol that over half of all web traffic relied on. Here are ten things every lawyer needs to know about Heartbleed and how it might affect your practice.
Heartbleed is the vulnerability that was discovered in OpenSSL.
OpenSSL is the most-widely used version of SSL and and TLS.
SSL stands for Secure Socket Layer and TLS stands for Transport Security Layer. In the simplest of terms, they are protocols that are used to encrypt connections between a computer and a server.
Heartbleed – the vulnerability that was discovered in the way computers talk to each other when the connection is supposed to be secure- boils down to this: some of the information that was supposed to be secure was leaking out.
The way OpenSSL works by using something called a “heartbeat function” The heartbeat function is what keeps a secure connection alive. (That’ why you get time-out notifications after a period of inactivity on a secure site.) The heartbeat function operates by sending a message from the computer to the server and listening for the same message to be echoed back. It has been discovered that servers could be manipulated into sending back up to 64,000 characters of plain text back to a computer. Where do the characters come from? The memory of the server, and here in lies the problem: the server can be tricked into sending back up to around 64,000 characters of whatever data it happens to use – names, passwords, email addresses – pretty much anything. It’s “Heartbleed” because it’s attacking the heartbeat.
It has affected over two-thirds of the websites across the world. Worse, the flaw has existed for two years. Just to give you an idea, the sites affected included: Dropbox, Gmail, Yahoo mail, Google, Yahoo, GoDaddy. Facebook, Instagram, Pinterest, Tumblr, Twitter, & Intuit Turbo Tax.
OpenSSL is used in a variety of applications, including commercial firewalls and Virtual Private Networks (VPN).
Google Security and Codenomicon discovered the flaw. Once it was discovered, OpenSSL was notified and a fix was developed before the security flaw was made public.
It is virtually impossible to know if your data has been compromised. The prudent course of action is to change all your passwords immediately. You can check to see if the secure websites that you rely on are presently safe to use by running them through the security tool at Lastpass: http://lastpass.com/heartbleed/
If your website has a secure portal, or anything that allows a client to log on or make a secure payment, check your site at http://lastpass.com/heartbleed/ to see if it is secure. If your site needs to be patched, notify your hosting service immediately and until the site has been patched disable logins.
Check to see if the sites you use have been patched.
After the site has been patched, log in and change your password.
Don’t use the same password at multiple sites. Use a password manager service like Lastpass to generate and store passwords for you. This allows you to create strong, unique passwords for each site you visit, without having to remember them or write them down. You can read a review of Lastpass over at Lawyerist.
Use two-step verification whenever possible. This means to log in, you need something you know and something you have: so your password, plus your cell phone where you will receive a confirmation code to login. You need both pieces to log in with two-step verification. Two-step verification can also use things like fingerprint verification, or a security card scanner so there is verification that you are the one using the password you provided. Use two-step or multifactor authorization for your password manager. Lastpass supports multi-factor authorization.
It is highly unlikely anyone will be prosecuted for this. OpenSSL is open-source software. That means to code is made available to everyone, and changes can be made to the code by submitting a proposed revision that then gets reviewed. The coder that made this change acknowledges he made a mistake in his revision. The mistake was not caught by the person who reviewed his work. The change was implemented and the flaw has existed in the system for the last two years. As for those individuals who may have already exploited this vulnerability: the exploitation does not leave traceable information behind or any evidence that the flaw was exploited.