What lawyers need to know about the Heartbleed bug

On April 8, 2014, security researchers announced a massive vulnerability in websites that use a widely deployed web encryption library called OpenSSL. This vulnerability, called the "Heartbleed bug," allows potential eavesdropping on users' communications with websites running the affected versions of OpenSSL.
Why should lawyers care about this?
The Heartbleed bug means that third parties can potentially read the contents of an affected computer's memory (RAM, or random access memory). In testing, researchers found they were able to exploit the vulnerability to steal usernames, passwords, instant messages, emails and other business-critical information. They were able to steal this information without leaving a trace behind to indicate the theft had occurred.
Which websites are vulnerable?
No precise statistics are available, but any website using SSL/TLS encryption is potentially at risk. SSL/TLS is widely used, and many popular cloud-based services rely on it, including Google, Facebook and Yahoo.
As of April 9, Google and Facebook have announced that they have patched the vulnerability on their websites. Yahoo and Microsoft have announced that they are assessing and implementing the fix where needed.

Is there a fix available for the Heartbleed bug?
There is a fix available called Fixed OpenSSL. The companies that run the web services have to apply this fix, not the end users of those services, such as lawyers. Lawyers should follow the protocol below.

What should lawyers do about this?
First, compile a list of the various web services you use. If you have a username and a password to access a site, it should go on the list.
Second, identify the web services that hold confidential client information, credit card numbers, bank account information, Social Security numbers or other critical information; these should go to the top of the list.
Third, investigate whether each web service employs SSL/TLS encryption. Websites and web services that do not employ SSL/TLS are not vulnerable to the Heartbleed bug.
Fourth, for websites that do employ SSL/TLS, investigate whether a patch or fix has been applied to each one. As previously mentioned, the largest services (Google, Facebook, etc.) have already implemented fixes. Particular attention should be paid to web services from smaller companies.
Fifth, once you confirm a patch has been made for a particular service, log in and change your password for that service.
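The five steps above are a triage procedure, and the added Python script below (not part of Erik Mazzone's article) encodes it: it keeps the service inventory (step 1), puts the services holding sensitive data first (step 2), records whether each one offers SSL/TLS (step 3), records the date the provider announced its patch (step 4), and tells you whether it is time to change the password (step 5). The service names, hostnames and dates are constructed sample data. The `check_tls` helper is an assumption for step 3: it only tries an ordinary TLS connection, which tells you whether the service uses SSL/TLS at all, not whether it has been patched; patch status has to come from the provider's own announcement.

```python
"""Heartbleed response triage for a personal list of web services.

Added example, not the article's own material. The inventory at the bottom
is constructed sample data; the decision rules follow the five-step protocol.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
import socket
import ssl


@dataclass
class Service:
    name: str
    host: str
    holds_sensitive_data: bool          # client confidences, card numbers, SSNs ...
    uses_tls: Optional[bool] = None     # None = not yet checked (step 3)
    patched_on: Optional[date] = None   # date the provider confirmed its fix (step 4)
    last_password_change: Optional[date] = None


def check_tls(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Step 3 helper (assumed, network call): does the host accept a TLS
    connection at all? A successful handshake says nothing about whether the
    service was patched; it only shows the service relies on SSL/TLS."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def recommend(svc: Service) -> str:
    """Steps 3-5: the single next action for one service."""
    if svc.uses_tls is None:
        return "check whether the service uses SSL/TLS"
    if not svc.uses_tls:
        return "not affected: no SSL/TLS"
    if svc.patched_on is None:
        # Changing the password before the provider patches gains nothing,
        # because the new password could leak through the same bug.
        return "ask the provider whether it has patched; do not change the password yet"
    if svc.last_password_change is None or svc.last_password_change < svc.patched_on:
        return "patched: change your password now"
    return "done: password changed after the patch"


def triage(services: List[Service]) -> List[Tuple[str, str]]:
    """Steps 1-2: sensitive services first, then alphabetical; returns (name, action)."""
    ordered = sorted(services, key=lambda s: (not s.holds_sensitive_data, s.name))
    return [(s.name, recommend(s)) for s in ordered]


# Constructed sample inventory (names, hosts and dates are illustrative only).
SAMPLE_INVENTORY = [
    Service("Bank portal", "bank.example", True, uses_tls=True,
            patched_on=date(2014, 4, 9), last_password_change=date(2014, 4, 1)),
    Service("Case-management SaaS", "cases.example", True, uses_tls=True),
    Service("Court news site", "news.example", False, uses_tls=False),
    Service("Webmail", "mail.example", True, uses_tls=True,
            patched_on=date(2014, 4, 8), last_password_change=date(2014, 4, 10)),
    Service("Bar association forum", "forum.example", False),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLE_INVENTORY):
        print(f"{name}: {action}")
```

Run it as-is to see the ordered action list for the sample inventory; for a real inventory, fill in `uses_tls` from `check_tls` or from the site's address bar (https://), and `patched_on` from the provider's announcement, then re-run whenever either changes.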

Content courtesy of Erik Mazzone, North Carolina Bar Association.


