In light of the Heartbleed data security scare, Al Jazeera America has updated its Passworthy browser extension, which lets users monitor how much Internet companies like Facebook and Google are doing to protect personal information.
Passworthy includes the 10,000 most-used websites and shows whether they are vulnerable to the Heartbleed bug.
Download Passworthy here:
Computer researchers announced on Monday that they discovered Heartbleed, a bug that allows hackers to get random information from servers that use a common security program called OpenSSL. This information could include anything from meaningless data to important personal details, including passwords and Social Security numbers.
OpenSSL uses a set of steps called SSL (secure sockets layer), which, according to some security experts, about two-thirds of all Web servers — especially those dealing with user data or other sensitive information — rely on. SSL obscures data as it travels between a user and a server so attackers can’t read it. It applies only to data during transmission, not when the data is stored on a server.
SSL performs an action called the heartbeat, which continually ensures that there is an active connection between the user and the server. In a normal heartbeat, a user sends a message to the server, and the server replies with the same message to the user.
A normal heartbeat
But with Heartbleed, it is possible for any user — like a hacker — to send a message and ask the server to send back more than just its message.
That extra data can include sensitive personal information. The user can’t ask the server to send back specific data (e.g., a certain user’s password) but can ask the server to reply with up to 64 kilobytes of data at a time — the equivalent of 32 pages of text.
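The difference between the flawed reply and the corrected one can be shown in a short C simulation. This is an added illustration, not OpenSSL's code: the memory layout, the sample data and the function names are constructed for the example, and the length check follows the heartbeat rule in RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16                    /* minimum padding, RFC 6520 */
#define REC_LEN     24                    /* type(1) + length(2) + "hello"(5) + padding(16) */
#define SECRET      "constructed-secret"  /* constructed sample data */
#define SECRET_LEN  18

/* Constructed stand-in for server memory: one record, then unrelated data. */
static uint8_t memory[64];

static void fill_memory(unsigned declared_len)
{
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(declared_len >> 8); memory[2] = (uint8_t)(declared_len & 0xff);
    memcpy(memory + 3, "hello", 5);                /* what was really sent */
    memcpy(memory + REC_LEN, SECRET, SECRET_LEN);  /* not part of the record */
}

/* Echo the payload; -1 means discarded. check=0 is the flawed handler, 1 the corrected one. */
static int heartbeat_reply(size_t rec_len, int check, uint8_t *out, size_t cap)
{
    size_t declared = ((size_t)memory[1] << 8) | memory[2];
    if (rec_len < 3 || memory[0] != HB_REQUEST) return -1;
    /* The correction: the claimed length must fit in what actually arrived. */
    if (check && 1 + 2 + declared + HB_PADDING > rec_len) return -1;
    /* Demo guard only: keep this simulation inside its own arrays. */
    if (3 + declared > sizeof memory || 3 + declared > cap) return -1;
    out[0] = HB_RESPONSE; out[1] = memory[1]; out[2] = memory[2];
    memcpy(out + 3, memory + 3, declared);  /* copies as much as the sender claimed */
    return (int)declared;
}

/* 1 if the reply carries bytes from beyond the record, 0 if not, -1 if discarded. */
static int reply_leaks(unsigned declared_len, int check)
{
    uint8_t out[64] = {0};
    fill_memory(declared_len);
    if (heartbeat_reply(REC_LEN, check, out, sizeof out) < 0) return -1;
    return memcmp(out + REC_LEN, SECRET, SECRET_LEN) == 0;
}

int main(void)
{
    printf("flawed: %d, corrected: %d\n", reply_leaks(40, 0), reply_leaks(40, 1));
}
```

An honest request, which claims the 5 bytes it really sent, is echoed unchanged by both versions; only a request whose claimed length exceeds what arrived is treated differently.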
Since Monday, OpenSSL’s developers have released an updated version of OpenSSL to fix the bug, and many websites, such as Yahoo, are updating their servers to get the security fix. But not all websites are there yet.
Several security researchers have set up their own systems to check websites for the bug. A few hours after Heartbleed was reported, Filippo Valsorda, a security consultant in Milan, wrote a script that could be used to check for the bug on any site. He also created a website that lets developers check the effectiveness of their security fixes and allows users to check if their data could be vulnerable. He said his site has been getting “something like 10,000 checks a minute.”
The bug has existed for two years, though it was only recently discovered and fixed. Valsorda recommends that users change their passwords, particularly on sites that were recently fixed, such as Yahoo’s.
Note: Companies may change their security measures over time. We will seek to update Passworthy accordingly as this information becomes available to us.
Graphics by Lam Thuy Vo