The Heartbleed bug is a very serious vulnerability, recently discovered in the OpenSSL software library, used by tons of sites to encrypt data. This loophole makes it easier to steal sensitive information, particularly off sites that employ the presumably more secure HTTPS protocol via OpenSSL. This means most sites you already use, that require some form of authentication and exchange of data, could possibly be susceptible to Heartbleed.

Using the Heartbleed Tester built by Filippo Valsorda, we ran checks on a couple of the most visited Nigerian sites to see which of them might be vulnerable to the Heartbleed bug. So which of the most visited Nigerian sites are affected by Heartbleed?

Side note: The script returns sites as either “unaffected”, “vulnerable” or “safe but not 100% sure”. Sites return as “not 100% sure” because they use a protocol Filippo’s script doesn’t understand or does not account for. For example, sites running on Microsoft’s IIS server, rather than the commonly used open-source Apache or nginx servers, don’t use OpenSSL by default. They use SSPI by default. So they’re probably unaffected by Heartbleed; the result is only “probably” because Filippo’s script doesn’t confirm whether they are indeed using the default SSPI protocol or not. Also, sites that don’t use HTTPS are most likely to return as not 100% sure.

Banking and payments sites

As the major concern is with Internet Banking, the tests were run solely on the Internet Banking portals. Of the 20-something Nigerian banks, only about 10 are certified 100% safe.

Affected banks

  • Enterprise Bank (formerly Spring Bank)
  • Zenith Bank

Probably safe (but not 100% certain)

These banks are probably safe

  • Diamond Bank
  • First City Monument Bank
  • First Bank
  • Guaranty Trust Bank
  • Heritage Bank
  • FSDH Merchant Bank
  • Sterling Bank
  • United Bank for Africa
  • Union Bank
  • Unity Bank
  • WEMA Bank

Unaffected banks

Any of the current Nigerian banks not listed above are 100% safe, according to Filippo’s test. That includes banks like Access, Fidelity, Stanbic IBTC, Ecobank and Skye. Also, you’ll be glad to know that Interswitch, the payment portal used by most online businesses, is 100% safe. That means Quickteller is also safe.

eCommerce sites

It appears Jumia.com.ng and Suregifts.com.ng are the only 100% safe certified sites. Apparently the likes of Konga, Dealdey and OLX don’t even have SSL certificates. As in no part of their site uses HTTPS, not even user login. I can’t think of a justifiable reason why not. Granted, sites like these currently don’t handle online payments directly (they redirect to Interswitch Webpay). But considering the thousands of user records stored on servers, I don’t see any reason why a site like Konga for example shouldn’t have SSL.

Travel sites

Both Hotels.ng and Jovago returned 100% safe. Online travel booking platform Wakanow is probably safe because it uses Microsoft’s IIS server. So do Arik and Dana Air. According to builtwith.com, the Aero Contractors website apparently uses GoDaddy SSL. I am not certain of the implications but it also returned as “probably safe”.

Entertainment sites

Nairaland, Nigeria’s most visited site, is thankfully 100% safe. Naturally, I wouldn’t bother about sites like Linda Ikeji, Bella Naija and NotJustOk, as they are basically content consumption sites. But you can never be too sure. Everyone’s favourite Linda Ikeji returned 100% safe (has everything to do with the .blogspot.com sub-domain). Bella Naija and NotJustOk are “probably safe” but I honestly wouldn’t bother.

News and Job sites

Most news sites are evidently okay, or at least safe but not 100% sure. Oddly enough, Punch Newspaper’s website returned “vulnerable”. Among the job sites, only Jobberman returned 100% safe. Others like Ngcareers.com and Naijahotjobs.com returned as probably safe.

I obviously can’t cover every existing Nigerian site, so if I missed any, forgive my oversight. Focus was on the most popular Nigerian sites. We will keep the status of the above listed sites up to date, should any changes be made. In the meantime, you can always check for Heartbleed on any of the sites I might have missed.

*Edit*

What next?

The first thing you need to do is change your password across all services. If you use any of the unaffected sites, some of them may have been previously affected, but fixed before the time of publishing this article. For the vulnerable sites, I’m afraid there isn’t much you can do. Until such sites fix the bug, your passwords and other details remain vulnerable whether or not you change them. As for the sites that are “probably safe”, it might mean they were never susceptible. But it wouldn’t hurt to change your passwords now, as that is good practice.

*UPDATE* Zenith Bank appears to have patched the Heartbleed bug on its server. This should serve as a cue for Zenith Bank users to change their passwords as soon as possible.

Muyiwa Matuluko Author
