Genealogy Industry Report Card on the Heartbleed Security Flaw

Have you heard about Heartbleed?  It’s a recently-discovered security flaw in the encryption software two-thirds of all websites use to protect your data.  This problem isn’t one of those fake-outs where your crazy friend posts something alarmist on Facebook that Snopes easily proves is ridiculous.  This time it really is as bad as your crazy friend says it is.  “On the scale of 1 to 10, this is an 11,” wrote cryptography expert Bruce Schneier.

As users there’s not much that we can do except wait for our favorite websites to upgrade their software to the fixed version.  Once they do, the recommendation is to change your password on all the web sites that were affected (here is a list of popular ones; here is a better list that is being updated regularly).  That’s annoying and tedious, of course, but it’s the only way to be sure.

After ensuring that Treelines is not vulnerable to the Heartbleed vulnerability, I’ve gone through the major genealogy sites that use encryption software using a publicly available tool to see how the rest are faring.  The good news is that the sites all pass!  This tool also assesses the overall quality of the security measures each site uses to protect your data.  Here there is a wide range of grades, including two F’s by popular sites!

Site                     Heartbleed vulnerable?   Security grade (click on grade for full report)
Ancestry.com             No                       A-
MyHeritage.com           No                       F, now A- **
FindMyPast.com           No                       A
Archives.com             No                       A-
FamilySearch.org         No                       B
Geni.com                 No                       A-
WorldVitalRecords.com    No                       B
Mocavo.com               No                       A
GenealogyBank.com        No                       F, now A- **
Newspapers.com           No                       B
Fold3.com                No                       B
23andMe.com              No                       B
FamilyTreeDNA.com        No                       A-
Treelines.com            No                       A
WikiTree.com             No                       n/a *
FindAGrave.com           No                       n/a *
BillionGraves.com        No                       n/a *

* n/a means that the site does not use encryption software to protect the data you submit to it. It’s true that the sites marked n/a do not take credit card information, but it has long been accepted as best practice that any time a user signs up for or logs into a site, their information should be encrypted. If you use the same password on the sites marked n/a as you do on other websites, then a malicious person could lift your credentials from the one site and try them on others where you do make purchases. It’s unlikely, but it is possible. (Sorry if I sound like your crazy friend on Facebook now!)

** Thank you to these companies, who improved their security after this post was published.

13 thoughts on “Genealogy Industry Report Card on the Heartbleed Security Flaw”

  1. Pingback: Cool GenStuff - Friday 11 April 2014 | Hack Genealogy

  2. Pingback: Heartbleed and Genealogy Sites: What You Should Know | GeneaBloggers

  3. Unfortunately, server tests like SSLLabs’ don’t tell us if a site was vulnerable to begin with, although a new SSL certificate is a pretty good clue that they were. I’d rather not waste my time changing passwords for sites that weren’t vulnerable (I have over 500!) and focus on the sites that were vulnerable, have been patched, and received new SSL certificates.

  4. Thank you for the post. Now that we are more aware of the encryption status of our credit card information on major genealogy sites, perhaps they will follow the example by MyHeritage.com.

  5. Pingback: Heartbleed Vulnerability | THE CURIOUS GENEALOGIST