Within the past 72 hours, the buzz across the internet has turned to Heartbleed, a bug within a server package that is used to secure connections across the internet. For the best overview of the bug, have a look at Ars Technica. C|Net also has a good list of major websites and services that were compromised.
So, should you, a local government official, be worried?
On a personal level, absolutely. Make sure to change your passwords, and utilize secure passwords.
Professionally, quite possibly. Does your local government’s website utilize SSL (Secure Sockets Layer, along with its successor, Transport Layer Security)? If you don’t know, check your website. Does the URL begin with HTTPS? If so, it utilizes SSL. Immediately contact your web hosting provider and discuss with them how to mitigate the bug. If you have SSL, a certificate authority issued you a certificate confirming your identity, which is then used by your website. You need to check with your certificate authority to see how compromised keys can be revoked and a new certificate issued for the new keys. Do this only after your web hosting provider has fixed the Heartbleed bug, because keys generated while the server is still vulnerable can be exposed in the same way.
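One way to confirm the order of those steps afterwards is to compare the issue date of the certificate your site presents against the date your host says it patched. The script below is an added example, not part of the original post or any GovDesign tooling; the sample certificates, the dates and the hostname in the last comment are constructed placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample data (not from the original page): two certificates in the
# dict form ssl.getpeercert() returns, plus an assumed fix date and check date.
SAMPLE_OLD = {"notBefore": "Mar  1 00:00:00 2014 GMT", "notAfter": "Mar  1 00:00:00 2016 GMT"}
SAMPLE_NEW = {"notBefore": "Apr 12 00:00:00 2014 GMT", "notAfter": "Apr 12 00:00:00 2015 GMT"}
FIXED_AT = datetime(2014, 4, 9, tzinfo=timezone.utc)     # when the host says it patched
CHECKED_AT = datetime(2014, 4, 15, tzinfo=timezone.utc)  # when this review is run


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch and validate the certificate a live HTTPS site presents."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_time(value):
    """Turn a notBefore/notAfter string into a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def review_cert(cert, fixed_at, now=None):
    """Return follow-up items for one certificate; an empty list means none."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if cert_time(cert["notBefore"]) < fixed_at:
        # Issued before the fix date, so its key may have been exposed and
        # the certificate still needs revocation and a reissue on a new key.
        findings.append("issued before the fix: revoke and reissue with a new key")
    if cert_time(cert["notAfter"]) <= now:
        findings.append("certificate has expired")
    # A notBefore after the fix does not prove a new key was generated;
    # confirm that with the hosting provider or certificate authority.
    return findings


if __name__ == "__main__":
    for name, cert in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(name, review_cert(cert, FIXED_AT, CHECKED_AT) or "no follow-up")
    # For a live site (placeholder hostname): review_cert(fetch_cert("www.example.org"), FIXED_AT)
```

An issue date earlier than the fix is a reason to ask your provider and certificate authority about revocation and reissue, not proof on its own that the key was stolen.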
If you already host with GovDesign, our third-party hosting provider has said that their services were never affected by Heartbleed.
If your website doesn’t currently utilize security like SSL, you should look into it. SSL is traditionally used to encrypt data flowing between a user and a server. This is beneficial for data like credit card numbers, passwords, and email. But SSL also authenticates your website to the user. It confirms that you are the legitimate owner of the website and that the user is seeing the legitimate content on your website. This is very beneficial for government websites.
Outside of your website, you should also take a look at network routers and physical items on your network. These often have basic software on board that might need to be updated.
If you have concerns about your website and Heartbleed, please contact us here at GovDesign and we’ll be happy to review your website’s security at any time. And if you would like to improve your local government’s website and utilize SSL, we’d love to help you.