Massive online vulnerability means you need to change all your passwords


Whereas Windows dominates consumer computing, many of the world’s servers are powered by Linux. More specifically, they run Apache or nginx, which runs on top of Linux and (typically) uses OpenSSL to secure HTTPS connections. It has been recently discovered that there is a massive vulnerability in OpenSSL since 2012 — a vulnerability that, if exploited by scumbags, revealed information, like your password, when using HTTPS connections.

Security technologist Bruce Schneier said “On the scale of one to 10, this is an 11”, describing the effects of Heartbleed bug, as it is now nicknamed. The said flaw could “expose secret keys that identify service providers employing the code” as reported by BBC.

Because of how widely OpenSSL is used, a large part of the web — including Yahoo, Canada’s tax website, and more — is affected.

Codenomicon’s, the company that along with Google discovered the bug, chief technology officer Ari Takanen shared:

“If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested. In that sense it’s a good idea to change the passwords on all the updated web portals.”

All websites are scrambling to fix the vulnerability in OpenSSL and many already have. However, some websites are still vulnerable. You can check which websites are still vulnerable from this list.

So what do you have to do now? Because of how wide spread this vulnerability is, experts are recommending you change your passwords. Which passwords? All of them, simply because it is near impossible to know which passwords (if any) where leaked.

You may get emails from various websites telling you something along the lines of “there is no evidence of any breach”; take such messages with a grain of salt because the way this vulnerability operates, no trace is left behind that it was ever exploited — so there is never any evidence of a breach, even if a breach took place. In other words, you don’t know which of your passwords were leaked and which weren’t.

Of course, your passwords are safe (should be safe) for websites that didn’t utilize OpenSSL but you may have used the same password more than once, so you should consider changing all passwords regardless.

One thing to keep in mind, however. Change your passwords only on websites that have patched the Heartbleed vulnerability. It makes no sense to change your password on a website still affected by the vulnerability, because the password will be vulnerable again.

How do you know what websites are still vulnerable? The list linked to you above helps. You can also simply email websites asking them, and they should tell you. dotTech — and its sister websites SharewareOnSale and HungryForApps — had the vulnerability preliminarily patched on April 8 and we will be applying a final patch today, so you should change your password on dotTech and sister sites on Saturday.

Stay safe, everyone.

[via BBC]

Related Posts

  • Bub


    From my understanding of the bug, it is conceivable that security programs have been compromised. The heartbleed bug allows attackers to steal SSL certificates, which in turn would allow the attackers to impersonate the affected sites. Then, when your antivirus program called home for an update, they would have the opportunity to inject their own content.

    Internet Explorer does not use OpenSSL, so you are still more secure using SSL with it than not; just not as secure as you should be.

    The bug has been in the code for two years. There is no way of knowing if Bad People discovered it at that time, or if they ever discovered it at all, or if they have rushed to exploit it before all the servers get patched. I suspect that there hasn’t been a large-scale exploitation of leaked information, because if that many passwords, credit cards, or SSNs were to appear on the black market, it probably would have been noticed. Of course, a smart attacker would harvest as much as s/he could, and then sell it over time.

  • BearPup

    Questions in search of answers:

    And what about all our security programs – antivirus, anti-malware, anti-spyware, keylogger software, firewalls and the like? Do we still trust these programs? And what about changing the IE web options, do we uncheck the SSL permission?

    And given that this exploit has been around for over two years, if we were going to be attacked, wouldn’t it have occurred already?