You may have heard of Heartbleed, the famous bug that spread panic across the internet. You may have some questions about it, which I have tried to answer by doing some research:
What is the Heartbleed bug?
Heartbleed is a bug that allows attackers to read the memory of any system using OpenSSL encryption. This lets them retrieve the server's SSL private keys, including the private master key, with which they can decrypt current traffic or traffic stored in server memory, that is, data that has been sent through secure servers using encryption.
This bug can also let attackers read the unencrypted parts of users' sensitive requests and responses, including any form data in users' requests, session cookies and passwords.
How long has this bug been present?
This bug is present in OpenSSL 1.0.2-beta, as well as all versions of OpenSSL in the 1.0.1 series except 1.0.1g. These versions have been in use for more than two years, so we can say the bug may have existed for more than two years.
What should I do?
If you are the owner of a secure web server, you need to test your server using different online methods, some of which are
If you find that your server is vulnerable, you can patch it by upgrading to OpenSSL version 1.0.1g, or you can recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS, which disables the vulnerable feature.
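As a local complement to the online tests, the following added example (not part of the original post) classifies the output of `openssl version -a` against the affected versions and the rebuild flag named above. The function name and status strings are hypothetical, the sample outputs are constructed, and it assumes build flags appear on the `compiler:` line of that output.

```shell
#!/bin/sh
# Added example: classify `openssl version -a` output for Heartbleed exposure.
# Prints: affected-version, heartbeats-disabled, not-affected or unknown.
heartbleed_status() {
    info=$1
    # First line looks like "OpenSSL 1.0.1e 11 Feb 2013"; take the version token.
    version=$(printf '%s\n' "$info" | awk '$1 == "OpenSSL" { print $2; exit }')
    if [ -z "$version" ]; then echo unknown; return 0; fi
    version=${version%-fips}   # some vendor builds append "-fips"

    # A rebuild with this flag removes the heartbeat code regardless of version.
    case $info in
        *-DOPENSSL_NO_HEARTBEATS*) echo heartbeats-disabled; return 0 ;;
    esac

    case $version in
        # 1.0.1 series before 1.0.1g
        1.0.1|1.0.1[abcdef])    echo affected-version ;;
        # 1.0.2-beta, as listed in the post
        1.0.2-beta|1.0.2-beta1) echo affected-version ;;
        *)                      echo not-affected ;;
    esac
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_OLD='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 11 12:00:00 UTC 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O3 -Wall'
SAMPLE_REBUILT='OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Apr  9 09:00:00 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O3 -Wall'
SAMPLE_FIXED='OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr  8 10:00:00 UTC 2014
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O3 -Wall'

for sample in "$SAMPLE_OLD" "$SAMPLE_REBUILT" "$SAMPLE_FIXED"; do
    first_line=$(printf '%s\n' "$sample" | head -n 1)
    printf '%s -> %s\n' "$first_line" "$(heartbleed_status "$sample")"
done
# On a real host: heartbleed_status "$(openssl version -a)"
```

Distribution packages often backport the fix without changing the version string, so an `affected-version` result on a vendor-packaged OpenSSL should be confirmed against the vendor's advisory. Services must also be restarted after an upgrade so they stop using the old library already loaded in memory.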
If you are an ordinary Internet user, your area of concern would be the services you use, such as email, social networking, online banking or any other. There is a chance that you have been affected by the bug, as most famous websites, including Facebook, Google, Wikipedia, Twitter, Yahoo, Amazon and others, were also affected, although Facebook and Google have patched the vulnerability. From here you can check out the top 1000 websites that are affected by the bug, according to a scan performed on April 8 by a GitHub user.
Should I change my password?
Most of the top websites have patched the vulnerability, so you may get a notification to change your password, which you should do. If you are using services that are not that famous, chances are they may not inform you that you need to change your password or that they have resolved the issue. Before changing passwords on these types of sites, first check for the vulnerability using the online tools I mentioned earlier. If the bug is still there, changing your password will be of no use, so you have to wait until the bug has been fixed.