Heartbleed is bad. For those that haven’t heard yet, it’s a security flaw that’s potentially opened up as many as two thirds of the world’s websites to digital thieves and the worst part is that the flaw has existed for over two years. However, while many parts of the web are screaming for users to change their passwords wherever possible, it’s important not to dive right in, because unless the site owner has updated OpenSLL and their SSL certificate, hackers could just steal your password again.
When it comes to vulnerabilities, Heartbleed isn’t the easiest to understand, though I’m sure for some it’s a cake walk. For a great rundown, have a look at Vox’s explanation here, but if you want my summary, here you go:
Heartbleed is a vulnerability that affects the digital discussion between two PCs that are communicating using SSL encryption. It is able to replicate a “heartbeat” message, which is designed to tell each computer that the other is still connected, which can possibly lead to the tricked server sending back real information, like the contents of its RAM. This has the potential to give up very secretive data, like user passwords, credit card details and even the site’s own private encryption key, which opens it up to even more snooping.
While this is a nasty flaw, it’s the fact that its in a standard used by so many sites and has been around for so long, that makes it truly problematic.
The good news in this whole situation is that someone discovered the flaw: a team of researchers at Codenomicon and Google Security in-fact and they informed the OpenSSL team who have now patched the hole. The question is, how long will every site owner take to update things at their end?
Of course most of the big names have gotten on it pretty speedily, with Google announcing that most of its services, including Youtube, Gmail, Google Play, Chrome and Chrome OS among others, have all been updated, though a few of its other services need some work.
So those sites are good to go on a password change if you want to eliminate the risk that someone stole your password as part of the hack, especially if you use that same password somewhere else. However, the best recommendation at this point is not to change it on any site that may not have updated its SSL yet, since doing so could just serve up your newly remembered password to whoever was taking advantage of the flaw (if anyone) any way.
If you have a favourite site but aren’t sure if it’s updated its SSL yet, you can run it through a checker tool here.
KitGuru Says: This is a pretty nasty one, but no one has publicly stated that they’re sitting on a load of passwords. That’s not necessarily proof that no one is, but it’s a bit of circumstantial evidence. That’s about the best we’ll ever have I imagine.