Whereas Windows dominates consumer computing, many of the world’s servers are powered by Linux. More specifically, they run Apache or nginx, which runs on top of Linux and (typically) uses OpenSSL to secure HTTPS connections. It has been recently discovered that there is a massive vulnerability in OpenSSL since 2012 — a vulnerability that, if exploited by scumbags, revealed information, like your password, when using HTTPS connections.
Security technologist Bruce Schneier said “On the scale of one to 10, this is an 11”, describing the effects of Heartbleed bug, as it is now nicknamed. The said flaw could “expose secret keys that identify service providers employing the code” as reported by BBC.
Because of how widely OpenSSL is used, a large part of the web — including Yahoo, Canada’s tax website, and more — is affected.
Codenomicon’s, the company that along with Google discovered the bug, chief technology officer Ari Takanen shared:
“If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested. In that sense it’s a good idea to change the passwords on all the updated web portals.”
All websites are scrambling to fix the vulnerability in OpenSSL and many already have. However, some websites are still vulnerable. You can check which websites are still vulnerable from this list.
So what do you have to do now? Because of how wide spread this vulnerability is, experts are recommending you change your passwords. Which passwords? All of them, simply because it is near impossible to know which passwords (if any) where leaked.
You may get emails from various websites telling you something along the lines of “there is no evidence of any breach”; take such messages with a grain of salt because the way this vulnerability operates, no trace is left behind that it was ever exploited — so there is never any evidence of a breach, even if a breach took place. In other words, you don’t know which of your passwords were leaked and which weren’t.
Of course, your passwords are safe (should be safe) for websites that didn’t utilize OpenSSL but you may have used the same password more than once, so you should consider changing all passwords regardless.
One thing to keep in mind, however. Change your passwords only on websites that have patched the Heartbleed vulnerability. It makes no sense to change your password on a website still affected by the vulnerability, because the password will be vulnerable again.
How do you know what websites are still vulnerable? The list linked to you above helps. You can also simply email websites asking them, and they should tell you. dotTech — and its sister websites SharewareOnSale and HungryForApps — had the vulnerability preliminarily patched on April 8 and we will be applying a final patch today, so you should change your password on dotTech and sister sites on Saturday.
Stay safe, everyone.