You may have seen over the past week that the Heartbleed Bug has been making headline news, not just in the tech industry, but globally at every level of interest. It highlights how we are all increasingly connected to the web and dependent upon the levels of security that are available to us.
The bug in the OpenSSL cryptographic software allowed those with the right ‘knowhow’ to read the memory of systems protected by this widely used security layer. Once the bug was identified and disclosed, a patch became available and systems around the globe began updating to the newest version available for their platform. Once that was done, new SSL certificates were required and all previous certificates revoked.
All our servers were updated to the very latest version of OpenSSL as the news was breaking, ensuring there is no current vulnerability. We also make use of the CloudFlare SSL service for all eCommerce sites we run and manage. CloudFlare were ahead of the game when it came to the Heartbleed Bug and they fixed the vulnerability a week before the bug was announced.
So how does the Heartbleed Bug affect me?
If you wish to go ahead and change any passwords for email accounts you have with us, you can safely do that. In many cases, though, this is not necessary, and before you change your passwords with other organisations you should make sure they have actually fixed the problem first. You can check whether a site is affected here: https://filippo.io/Heartbleed/
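Because a fixed server should also have had its certificate reissued, one extra check you can run yourself is whether a site's certificate was issued after Heartbleed was publicly disclosed (7 April 2014). The script below is an added example, not part of the original post or the linked checker; it uses only the Python standard library, and the sample certificate dates at the bottom are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 7 April 2014. A certificate issued before
# that date could have had its private key exposed while the server was vulnerable,
# so a fixed site should be serving one dated after it.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def reissued_after_heartbleed(not_before: str) -> bool:
    """Return True if a certificate's notBefore string, in the format returned by
    ssl.SSLSocket.getpeercert() (e.g. 'Apr  8 00:00:00 2014 GMT'), is later than
    the disclosure date. A later date shows the certificate was reissued; it does
    not by itself prove the server software was patched."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    return issued > HEARTBLEED_DISCLOSURE


def check_site(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to a live site, validate its chain against the system trust store
    and report whether its certificate post-dates the disclosure. Network call."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return {
        "host": hostname,
        "not_before": cert["notBefore"],
        "reissued_after_heartbleed": reissued_after_heartbleed(cert["notBefore"]),
    }


if __name__ == "__main__":
    # Constructed sample values in getpeercert() format; not real certificates.
    samples = {
        "old-cert.example": "Mar  1 09:34:43 2014 GMT",
        "new-cert.example": "Apr 10 12:00:00 2014 GMT",
    }
    for host, not_before in samples.items():
        status = "reissued" if reissued_after_heartbleed(not_before) else "still pre-disclosure"
        print(f"{host}: certificate issued {not_before} -> {status}")
```

Run `check_site("your-mail-or-shop-host")` for a live lookup; treat a pre-disclosure date as a reason to ask the provider before changing your password there.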
Since our Security Certificates have been updated, some customers have reported issues when trying to send emails. This is because their computers have stored a copy of the server’s Security Certificate locally on their machine. This needs to be removed so the new certificate can be downloaded successfully.
Mac Users – Go to Spotlight in the top right of your screen (the little spyglass icon), search for the Keychain Access application and, in the list of certificates, you will find one that relates to your mailserver. Right-click it and select Delete.
Windows Users – Go to the Windows Control Panel, select User Settings and then Manage your credentials. Check for any certificates that match your mailserver and remove them.
Now, when your email client attempts to connect to our mailservers, it will be required to download the latest certificate and all will be well. It’s also worth mentioning that this technique will solve the same problem for those of you whose email services are provided by other vendors and who are experiencing this issue. We’re glad to have been of help to you as well.
Did Heartbleed teach us anything?
One thing we can learn from this is how important it is to have a strong, unique password for each login we create. Now is as good a time as any to review your password and login credentials for every site you access. This can seem a mammoth task, and remembering passwords can be a nightmare. But fear not: there are great applications out there that make this much easier to handle.
Programs like LastPass and 1Password have this all in hand, and neither of these companies was affected by the recent Heartbleed vulnerability. In the case of 1Password, as well as a desktop application that manages all your login details for every site you visit, there is also a handy web browser plugin that enters your information into a page of your choice in a single click. They also have mobile applications, so all your secure details travel with you and are protected behind a single master password of your choice. This way, you only need to keep a single password in your head, and so it can now be far more complex than the usual poor excuse for a password we come up with.
These applications will also generate complex passwords for you, made up of various combinations of letters, numbers and obscure keyboard characters. The brilliant thing is that they can be as crazy-looking as we like, as we’ll never have to remember them, let alone type them.
So whilst we probably don’t all need to rush around changing every password we’ve ever created, now is as good a time as ever to consider how good our password strategy really is and to start making use of the great applications that can help us stay safer on the web.