Heartbleed Bug – 2014.04.10

By now you may have seen the media talking about the Heartbleed Bug. The message has been doom and gloom, and that you should change all your passwords immediately. While we don’t advise you to disregard everything that has been said, the panic is not required; the media has once again blown this out of proportion in order to drive ratings. These are the facts that you DO need to know about the Heartbleed Bug.

Most large corporations in North America are not running webservers that are affected by this, or are not running a version of the software that is affected. The most notable exception to this is Revenue Canada.

How does this affect my business and my website?

If all of the following apply to your business:

  • You have a website that customers connect to
  • You have confidential information on the website
  • Customers send or receive personal information to the website such as: usernames, passwords, credit card numbers, or other personally identifying information

then you can test to see if your website has the issue by going to https://www.ssllabs.com/ssltest and entering the URL of your website. You will receive a result indicating if you are vulnerable to this bug.

If all of the above do not apply to you, then the Heartbleed Bug does not affect your business and no action is required on your part. The vast majority of business websites do not deal with or contain any private or personal information.

How this affects you and your users personally

The media is saying that you should panic and change all your passwords everywhere. Should you do this? No, you shouldn’t. Odds are you are not affected, and if you are, changing your password will only reveal your new password to an attacker.

How can I tell if I’m affected? The easiest way is to go to https://www.ssllabs.com/ssltest and enter the names of the sites you visit regularly where you enter a password to see if they are affected. If they are not affected, you don’t need to do anything further.

If you are using a website that is affected, then you must wait for the company to fix their website before you change your password. If you use that same password on other sites that are not affected, you should change that password on the unaffected site(s). Ideally you should never use the same password on multiple sites; each site should have its own distinct password.

For more information about this vulnerability, please visit:

* OpenSSL’s official advisory: https://www.openssl.org/news/secadv_20140407.txt
* The Heartbleed Bug: http://heartbleed.com/

If you have any questions you should call AbleIT for assistance.