Using a Mac Does Not Make You Safe from Heartbleed

If you’ve watched the news or been on the Internet this week, you’ve undoubtedly heard about the Heartbleed bug, which allows hackers to access data that is otherwise securely encoded. How? By hijacking the SSL encoding software itself!

secure https connectionAny time you visit a website with an https: prefix or see that secure lock icon on your browser, some type of security software is busy trying to protect your data. In most cases, it’s OpenSSL, and until this week, the Heartbleed bug was part of the code for version 1.0.1 through revision f and the beta of version 1.0.2 through revision beta1.

Heartbleed logo

The bug was introduced to OpenSSL on New Year’s Eve 2011, and it went undetected until now. Experts estimate that two-thirds of all “secure” sites have had the Heartbleed door open until this week. OpenSSL 1.0.1g and 1.0.2-beta2 are safe, and by now most websites have updated to these safe versions.

Macs and iOS Users Are at Risk

You may have seen headlines trumpeting that Mac OS X and iOS are safe from Heartbleed, but what most of those articles don’t clarify is that they are only safe when used as servers, and then only if you haven’t upgraded to a bug-ridden version of OpenSSL. (The version of OpenSSL Apple includes with OS X predates the Heartbleed bug.)

Everyone who uses a browser or other app to access a website using buggy versions of OpenSSL is at risk. Everyone. Whether you’re running Mac OS X 10.9, Mac OS 9, Windows XP, iOS 7, Android, Linux, Windows 8.1, or anything else doesn’t matter. The bug is on the server, not on your computer.

Should I Change My Password Now?

Almost everyone has issued blanket pronouncements that you should change your password immediately. Permit me to give the contrarian view.

Until a site using OpenSSL has been updated to a safe version, you are putting yourself at risk every time you log into that server. This is not the time to change your password, as the bug still makes it possible for hackers to harvest your ID and password.

Instead, you should avoid visiting sites that haven’t updated and only change your password on sites that are bug-free.

LowEndMac.com is one of those safe websites, but not because we use a safe version of OpenSSL. Our site is safe because we don’t provide a secure login. Kind of counterintuitive, but with this bug, sites that don’t use SSL at all are more secure than those using a buggy version of OpenSSL.

Test, Then Change

To find out if a “secure” website (https:) is safe, go to http://filippo.io/Heartbleed/ and type in the domain name. If the site has a buggy version of OpenSSL, it will tell you. If the site has a secure version of OpenSSL, it will tell you. If it says “something went wrong”, the site probably doesn’t bother with security.

If you use Google’s Chrome browser, the Chromebleed extension will warn you when visiting a site with the Hearbleed bug

Update: LastPass has developed its own site checker at https://lastpass.com/heartbleed/ and seems to have more helpful notes.

Once a site passes the Heartbleed Test, go ahead and log in – and now it’s time to change your password. We suggest you use strong new passwords for each site.

Password Strength

A strong password should be at least 8 characters long and can include numbers, upper-case and lower-case letters, and “special” characters (including punctuation, math symbols, currency signs, etc.). It should never be a dictionary word, your name or user ID, a number identified with you (birthday or anniversary, phone number, Social Security number, employee ID), or a sequence of keys on the keyboard (such as ASDFG). Never use password, secret, admin, myspace1, password1, or blink182 as a password – these are among the 10 most common passwords and thus the easiest to guess – and avoid names of sports teams.

The most secure passwords are random, which makes them the most difficult for you to memorize and most likely to be written on a PostIt® note on or near your monitor. The best password is both secure and memorable, such as AppleWorks6.2.4 (which the Microsoft password checker (Windows app) gives a “best” rating).

We recommend LastPass as a great tool for managing your passwords, especially on multiple computers.

Safe and Unsafe Sites

This is a partial list of high traffic secured domains that are safe or still unsafe, based on reports on other websites. Sorting is alphabetical. The first section lists sites that were never endangered by the Heartbleed bug.

Never in Danger

  • 1040.com
  • 1password.com
  • about.com
  • amazon.com
  • aol.com
  • apple.com
  • ask.com
  • avg.com
  • bankofamerica.com
  • barclays.com
  • bing.com
  • capitalone.com
  • chase.com
  • citigroup.com
  • cnn.com
  • comcast.net
  • etrade.com
  • ebay.com and other eBay sites
  • evernote.com
  • fidelity.com
  • fileyourtaxes.com
  • groupon.com
  • healthcare.gov
  • hotmail.com
  • hrblock.com
  • hulu.com
  • intuit.com (TurboTax)
  • irs.gov
  • linkedin.com
  • microsoft.com
  • msn.com
  • outlook.com
  • paypal.com
  • pnc.com
  • schwab.com
  • scottrade.com
  • skype.com
  • target.com
  • taxact.com
  • tdameritrade.com
  • tdbank.com
  • troweprice.com
  • twitter.com
  • usbank.com
  • vanguard.com
  • vimeo.com
  • walmart.com
  • weather.com
  • wellsfargo.com
  • wordpress.com

Safe Now – Safe to Change Your Password

  • Amazon Web Services
  • box.com
  • dashlane.com
  • dropbox.com
  • etsy.com
  • facebook.com
  • flikr.com
  • github.com
  • gmail.com
  • godaddy.com
  • google.com and other Google search websites
  • ifttt.com
  • imgur.com
  • instagram.com
  • lastpass.com
  • mail.yahoo.com
  • minecraft.com
  • netflix.com
  • pinterest.com
  • tumblr.com
  • usaa.com
  • yahoo.com
  • youtube.com

Still Vulnerable – Do Not Change Password Yet

Nobody seems to be posting a list of sites that are still vulnerable. If the site is not listed above and uses an https: connection, test before logging in.

Keywords: #heartbleed #openssl

Short link: http://goo.gl/6vQ08c

searchword: heartbleed

One thought on “Using a Mac Does Not Make You Safe from Heartbleed

  1. Hi Dan,

    I very much appreciated this article for telling me what I need to know, in terms that I can understand, and what to do about it.

    I tried the filippo.io website for testing https servers that I use, and I found the messages to be unclear for some of them. I received messages I did not understand. I have been using this site with greater success and understanding of the results and messages:
    https://lastpass.com/heartbleed/
    It even purports to tell me which sites never had a problem. Interesting.

    (posted from an iBook (G3/600) running Debian Wheezy PowerPC)