What exactly is Heartbleed, and what does it do?
There's a full guide, and technical questions and answers, on the Heartbleed.com website. This part explains the basics:
"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
Is this really serious?
This vulnerability about as bad as it gets security wise. Security expert Bruce Schneier has described it as “catastrophic” and I wouldn’t disagree with that.
How widespread is the problem?
The OpenSSL bug has compromised over half a million websites from what we're able to tell. And that includes some huge names.
How do I know if a site I use has been affected?
Various news sites are providing lists of affected sites and those that have been patched but you need to choose your sources of information carefully. Mainstream news sites are not always the best guide.
We do know the big guys like Google, Facebook and Yahoo! were compromised and appear to be patched. Apple and eBay we’re not sure; Tumblr yes; Linkedin apparently not. Amazon wasn’t compromised - though Amazon cloud services were. And you'll probably want to think about other online services you use - banking, for example.
Just enter the url you're concerned about and click the Go!/Submit button. These are not 100% reliable and will generate false positives (alerts on sites that are patched) and occasionally false negatives (giving the all clear to insecure sites).
Do be a little careful with these, too, as there will be false test sites which attempt to mislead people about the security of sites which remain compromised.
If you've not heard from the sites you use, you should actively contact them to ask them:
- Have you done the Heartbleed-related security audit?
- Have you been compromised?
- Have you patched any vulnerabilities?
- Should I change my password(/s) now?
Don't stop asking until you get a definitive answer.
Do I need to change all my passwords?
Ordinary internet users should change their passwords on sites affected but generally only after the companies running the websites concerned have done a security audit to check if they are affected, patched their systems if they are, acquired a new public/private key pair and new SSL certificate, tested the patched systems, informed the user they have done all this and determined the system to be secure (and preferably pro-actively changed passwords that might have been affected).
But shouldn't I change my passwords straight away?
Some news sites are advising people to change all their passwords straight away. This could lead you to assume your new credentials are safe. But if the site hasn't yet been patched, they won't be. There should also be no immediate need to change passwords on sites which are otherwise secure and have not been compromised by the Heartbleed bug.
Before you change your passwords, check with the company or a trusted third party that the system has been secured.
How long is this likely to take?
Now the news on the bug is out credible commercial entities are keen to plug this enormous security hole in double quick time and many have already done so.
So waiting until each service has been patched is the risk-free approach?
There isn't a completely risk-free approach. If someone has already used the vulnerability to obtain your passwords, they could choose to use those for nefarious ends before the website in question updates their systems.
How can I protect against that?
In the window between now and the site being patched, you might want to think about changing passwords, now, temporarily and then changing again once the fix is done.
This sounds quite complicated
None of this is really straightforward, unfortunately.
What should I consider when changing my password?
All the usual advice about choosing strong passwords applies – change them regularly, don’t use the same ones on different sites, don’t use dictionary words or names, make them long, include upper and lower case, numbers and symbols.
If a service offers several layers of authentication, such as PIN codes, passwords or tokens, use them for stronger security.
This is going to mean a lot of passwords, all of them new, to remember…
An incident like this can make people realise how many passwords they are actually using, so consider investing in a password manager like LastPass, SplashID or Password Genie – software which does all the heavy lifting on choosing long difficult passwords and managing and “remembering” them for you. Do check with the password manager vendor that their systems have been patched against Heartbleed vulnerabilities.
Is anyone really likely to have exploited Heartbleed?
Since the bug has been around for a couple of years that it is almost certain that a multitude of organised crime gangs will likely have gathered the encryption keys to all compromised sites, as will intelligence and security services like the NSA and GCHQ.
So, you're saying…
Yes, just to be clear on this – the usernames and passwords used on these sites will likely be in the hands of organised criminal gangs and intelligence services. It's about as serious as it gets.