Some tips for safe web browsing in a post-Heartbleed internet

Over the past week, we have noticed many people (friends, family members, etc…) asking for general advice on things they can do to protect themselves from the recently revealed Heartbleed vulnerability. While a lot of the major work needs to be done by owners of individual websites, there are some more general security steps that you can take to minimize your risk. Most are not that difficult to set up, so you might as well go ahead and do them, especially now that security is probably fresh in your brain due to all the Heartbleed coverage.

If you use Chrome, install the Chromebleed extension.

This browser extension will give you an alert when you are on a secure site that appears to be vulnerable to the Heartbleed bug. The good news is that, as many websites have patched their servers, you should see very few alerts. If you do see an alert, get off that website and come back later when they have had a chance to patch their servers.

Change passwords on sites that have given the all-clear

It’s a good idea to change your passwords, but only for websites that have given the all-clear that they are no longer vulnerable to the bug. If a site hasn’t patched their servers and you update your personal information, it doesn’t do much good.

Use a password manager like LastPass

It’s really hard (damn near impossible) to remember a unique password for every website you visit. Most people use a single password for many websites. A password manager shifts that burden out of your brain and into a piece of software, allowing you to remain secure while only remembering a single password.

Use two-factor authentication wherever possible

Two-factor authentication minimizes the risk of a password breach by forcing you to provide an extra piece of information when you log in. Usually this is a rotating security code that you read from an app, or an access code that will be sent to you via text message when you attempt to log in to a website. It is not very difficult to set up, and the security benefits are pretty great. If you haven’t started using two-factor authentication on websites that offer it, you really should think about it.

Many sites support two-factor authentication. Here are links to set up two-factor authentication for Google accounts, Facebook (look for “login approvals”), Twitter (look for the “login verification” options), GitHub, and Evernote. A much larger list of sites can be found here.

Review the applications you are connected to on major social media sites

It’s likely that over the years you have built up many sites that have used a connection to one of your social media accounts. It’s easy to forget about the random website that you connected with your Facebook account two years ago. You should review these applications and revoke any services that you are no longer using.

Here are links to see the connected applications for your Facebook, Twitter, and Google accounts.


One Comment on “Some tips for safe web browsing in a post-Heartbleed internet”

  1. Eric Jain says:

    Good advice, but I’d add that changing passwords on sites that have been patched and had their certificates reissued doesn’t do much good when browsers don’t check for revoked certificates!

    Also, installing a browser extension requires a fair amount of trust in the author of the extension–unless you are willing to review the source code…