What you need to know about the Heartbleed security issue

April 14, 2014 by John McGarvey

If you missed the news last week, experts have discovered a flaw in popular encryption software OpenSSL.

This is a big deal because OpenSSL protects hundreds of thousands of websites, including big names like Google, YouTube, Tumblr and Yahoo.

The issue is called Heartbleed. Although OpenSSL is meant to protect data transferred between a website and the person using it, Heartbleed may allow hackers to access that data.

Time to panic?

Heartbleed is a high-profile story because so many websites use OpenSSL. But there's been a lot of confusion over what we should do about it.

Some websites have advised you to change all your passwords. Others have suggested that's counterproductive until every website has been fixed. So, we've investigated what businesses need to be concerned about.

First off, let's get one thing clear: Heartbleed is a real issue. You should definitely spend a few minutes thinking about how it might affect your business.

There are two aspects you need to be aware of:

  • If you run a website that uses encryption (like an online shop) you should check to see if it's affected by Heartbleed.
  • You should also consider whether any websites you use have been compromised.

Check if you're affected

Does your website use a secure connection (where a padlock appears in the browser)? If so, it's vital you check which encryption technology it uses.

If you're not used to getting into the nuts and bolts of your website, speak to your web developer or to the company that supplies your SSL service (usually your web hosting firm).

You can also pop your website address into this Heartbleed checker, which will let you know if your site is affected.

If you get the all-clear, that's great — you don't need to worry. But if your site does have the Heartbleed vulnerability, you should get it fixed — pronto.

This means updating to the latest version of OpenSSL, which doesn't suffer from Heartbleed. Your web hosting company or web developer should be able to do this for you.

In the meantime, consider deactivating the secure parts of your website. Better safe than sorry, after all.

Check the websites you use

Experts reckon around 500,000 websites are affected by Heartbleed. There's a good chance some of them are services you use regularly.

Changing passwords is the way to go here. But you need to make sure the problem is fixed before you change a password on a particular website. Otherwise, you risk exposing your new password too.

Most major websites will have fixed their systems by now. Again, you can use the Heartbleed checker to make sure.

As a precaution, we'd advise changing all the passwords on sites you use regularly — but only when you're sure those sites are secure.

Remember, it's safest to use a separate password for each website and to make sure all passwords are nice and strong.

Watch your accounts carefully

There's one last thing to bear in mind. Heartbleed was around for a long time before it was discovered. As a result, nobody's certain if any hackers exploited it before it became common knowledge.

In case your business or personal data has been affected, it's a good idea to check your online banking, email and other services you use regularly. If you notice anything out of the ordinary, do investigate.
