The Office of Information Technology sent an email to students on Friday asking them to change their passwords in response to "Heartbleed," a security flaw in software used to protect private information on the Internet.
Vice President for Information Technology and CIO Jay Dominick said Heartbleed is a function of a particular version of OpenSSL, a piece of software that encrypts Internet traffic. He explained that a certain functionality had been added to OpenSSL that allows for some information from a server, a "heartbeat," but due to poorly programmed code, the server would respond with information in excess of what had been asked of it.
“With that vulnerability, somebody could actually read the memory of the SSL server,” Dominick said.
Dominick explained that OIT had been working on responding to Heartbleed since it was made public Tuesday morning.
Anna Kornfeld Simpson ’14, a residential college adviser and computer science major who is writing her thesis on computer security, said this withdrawal of information does not leave any record. Information that could be read in this way includes usernames, passwords, content stored on the server and, most seriously, the private keys used to control the entire server itself, she said.
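The behaviour Dominick and Kornfeld Simpson describe comes down to a missing bounds check: the heartbeat request carries its own payload length field, and the server copied that many bytes into its reply without comparing the claim to the size of the record it had actually received. The C program below is an added illustration written for this article, not code from the article, from OIT or from OpenSSL. It lays out a constructed heartbeat request next to constructed "neighbouring" data (standing in for whatever happened to sit beside the record buffer), runs one handler that trusts the declared length and one that applies the check the fix introduced, and counts how many neighbouring bytes each handler echoes back. The request bytes, the `NEIGHBOUR` string and all function names are assumptions made for the demonstration; the 3-byte header and 16-byte minimum padding follow RFC 6520.

```c
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3   /* 1 type byte + 2 payload_length bytes (RFC 6520) */
#define HB_PADDING 16  /* minimum padding every heartbeat message must carry */

/* Constructed heartbeat request: declares a 32-byte payload but carries only 4. */
static const unsigned char BAD_REQUEST[] = {
    0x01,                              /* HeartbeatMessageType: heartbeat_request */
    0x00, 0x20,                        /* payload_length = 32: the untrusted claim */
    'p', 'i', 'n', 'g',                /* the 4 payload bytes actually sent */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  /* 16 bytes of padding */
};

/* Same request with an honest payload_length of 4. */
static const unsigned char GOOD_REQUEST[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Constructed stand-in for whatever sits next to the record buffer in memory. */
static const char NEIGHBOUR[] = "session-cookie=abc123; user=alice";

/* Place a request in a buffer with NEIGHBOUR immediately after it. Returns the
 * record length, i.e. the number of bytes the transport layer really delivered. */
static size_t lay_out_memory(unsigned char *mem, size_t cap,
                             const unsigned char *req, size_t req_len)
{
    memset(mem, 0, cap);
    memcpy(mem, req, req_len);
    memcpy(mem + req_len, NEIGHBOUR, sizeof NEIGHBOUR - 1);
    return req_len;
}

static size_t declared_payload_length(const unsigned char *mem)
{
    return ((size_t)mem[1] << 8) | mem[2];
}

/* Vulnerable handler: copies as many bytes as the request *claims* to hold.
 * record_len is never consulted, which is the bug. The mem_len/out_cap guards only
 * keep this demo well-defined; the real code had no such bound. */
static long heartbeat_vulnerable(const unsigned char *mem, size_t mem_len,
                                 size_t record_len, unsigned char *out, size_t out_cap)
{
    (void)record_len;
    size_t payload = declared_payload_length(mem);
    if (payload > out_cap || HB_HEADER + payload > mem_len)
        return -1;
    memcpy(out, mem + HB_HEADER, payload);  /* runs past the record into NEIGHBOUR */
    return (long)payload;
}

/* Fixed handler: header + declared payload + padding must fit inside the record
 * actually received; otherwise the message is silently discarded (RFC 6520 sec. 4). */
static long heartbeat_fixed(const unsigned char *mem, size_t mem_len,
                            size_t record_len, unsigned char *out, size_t out_cap)
{
    if (record_len > mem_len || record_len < HB_HEADER + HB_PADDING)
        return -1;
    size_t payload = declared_payload_length(mem);
    if (HB_HEADER + payload + HB_PADDING > record_len)
        return -1;                            /* the bounds check the patch added */
    if (payload > out_cap)
        return -1;
    memcpy(out, mem + HB_HEADER, payload);
    return (long)payload;
}

typedef long (*handler_fn)(const unsigned char *, size_t, size_t,
                           unsigned char *, size_t);

/* Run a handler on a request and report how many bytes of NEIGHBOUR ended up in
 * the response: 0 for a clean exchange, -1 if the request was rejected. */
static long leaked_neighbour_bytes(handler_fn handler,
                                   const unsigned char *req, size_t req_len)
{
    unsigned char mem[128], out[128];
    size_t record_len = lay_out_memory(mem, sizeof mem, req, req_len);
    long n = handler(mem, sizeof mem, record_len, out, sizeof out);
    if (n < 0)
        return -1;
    long in_record = (long)(req_len - HB_HEADER);  /* payload + padding really sent */
    return n > in_record ? n - in_record : 0;
}

int main(void)
{
    printf("vulnerable, oversized claim: %ld neighbour bytes leaked\n",
           leaked_neighbour_bytes(heartbeat_vulnerable, BAD_REQUEST, sizeof BAD_REQUEST));
    printf("fixed, oversized claim:      %ld (request discarded)\n",
           leaked_neighbour_bytes(heartbeat_fixed, BAD_REQUEST, sizeof BAD_REQUEST));
    printf("fixed, honest request:       %ld neighbour bytes leaked\n",
           leaked_neighbour_bytes(heartbeat_fixed, GOOD_REQUEST, sizeof GOOD_REQUEST));
    return 0;
}
```

With the oversized claim the vulnerable handler echoes 12 bytes of `NEIGHBOUR` (32 claimed, minus the 4 payload and 16 padding bytes that were really sent), while the fixed handler discards the request outright and still serves an honest one. Nothing in the server's logs distinguishes the malformed request from a normal heartbeat, which is why the article's advice treats every credential on an affected server as potentially exposed.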
The email OIT sent out asked that students change their Princeton passwords, especially if they use Gmail, Princeton Secure Remote Access or their Princeton passwords for other websites. The email also warned students about possible phishing attacks.
Kornfeld Simpson explained that there are two steps to fixing the bug: the first step is to apply the update to the server, and the second step requires users to take action themselves. As attackers can pull information from the server without leaving a record behind, individuals can never know whether their usernames and passwords have been leaked until they are compromised; the safest course of action is therefore to change usernames and passwords.
OIT's first action, according to Dominick, was to hunt down, patch and reissue certificates to the OpenSSL servers on campus. Once it had repaired the damage, it was time to let students, faculty and staff know about the importance of changing passwords, Dominick said.
“This was such a pervasive problem — literally just a huge chunk of the Internet was made vulnerable concerning this — that I think it’s worth our time letting people know in general that they should be changing their passwords,” Dominick said.
Staff writer Chitra Marti ’17 contributed reporting for this article.