The Internet has been reeling for the past couple of days after a very serious and widespread vulnerability called Heartbleed reared its ugly head. Heartbleed might finally be all over the news tonight, as the story bursts out of IT backrooms and becomes public knowledge that could affect millions of people. But most organizations have been flying under the radar, rather than warning their users to stay clear of their login pages.
TL;DR Skip straight to the bottom to see what you should do to protect yourself. Rule #1, stay logged out of sensitive sites until you see a clear advisory that the site’s been secured.
Heartbleed is a bug in OpenSSL, the library most web and mail servers use to implement SSL/TLS, not a flaw in the protocol itself. It lets anyone who can connect to a vulnerable server read chunks of that server’s memory, which can contain session keys, passwords, private data and even the server’s own private key. Roughly two-thirds of web servers run OpenSSL-based software (though not all of them on a vulnerable version), along with an undetermined number of mail servers. The result is that financial transactions, medical info, personal data, pictures, passwords, attachments, chats and pretty much everything the world has entrusted to OpenSSL (i.e. those https:// URLs) has been exposed for about two years on many servers.
Unfortunately, the standard practices of corporate secrecy and IT security can also work against consumer awareness and safety, since people’s first instinct is to log in and reset their passwords, regardless of whether the organization has made a public disclosure and announced that its sites have been properly patched.
The first thing you need to know about Heartbleed is that any server that uses a vulnerable version of OpenSSL to secure its connections (via the https:// protocol) has been exposed, for up to the last two years! The affected releases are OpenSSL 1.0.1 through 1.0.1f; the fix shipped in 1.0.1g. Some people are starting to suspect that this back-door was placed on purpose to enable government agency spying. What the code actually shows is a missing bounds check on the length of a TLS “heartbeat” message, the kind of mistake that turns up in ordinary C code all the time, so the theory rests on motive rather than evidence. We can decide for ourselves if it is plausible based on prior actions.
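To make the “missing bounds check” concrete, here is an added example that is not code from the original post and not OpenSSL’s own code: a self-contained simulation of the Heartbleed defect (CVE-2014-0160). A TLS heartbeat message (RFC 6520) is one byte of type, a two-byte payload length, the payload, and at least 16 bytes of padding, and the peer echoes the payload back. The vulnerable handler below trusts the length field inside the message instead of checking it against the length of the record that was actually received, so a request claiming a long payload is answered with whatever happens to sit next to it in memory. The “arena”, the `ping` payload and the `SESSION=...` secret are constructed sample data standing in for the server’s heap; the fixed handler mirrors the check added in OpenSSL 1.0.1g.

```c
/* Added example (not from the original article or from OpenSSL): a
 * simulation of the Heartbleed defect. A heartbeat message is
 *   type(1) | payload_len(2) | payload | padding(>=16)
 * and the peer echoes the payload. The bug is trusting payload_len
 * without comparing it to the size of the record actually received. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define ARENA_SIZE   256
#define SECRET       "SESSION=3f9a-secret-cookie"   /* constructed sample */

static uint8_t g_arena[ARENA_SIZE];        /* simulated server heap        */
static uint8_t g_resp[ARENA_SIZE + 32];    /* response buffer under test   */

/* Vulnerable handler, modelled on OpenSSL 1.0.1 to 1.0.1f: payload_len is
 * read from the message and never compared with record_len. The one extra
 * check only keeps the simulation inside g_arena; real OpenSSL had no
 * such guard and read straight out of the process heap. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t record_len,
                                   uint8_t *resp)
{
    uint16_t payload_len;
    (void)record_len;                                  /* the bug          */
    if (rec[0] != HB_REQUEST) return 0;
    payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload_len > ARENA_SIZE) return 0; /* simulation only */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);            /* reads past record */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Fixed handler, modelled on the 1.0.1g change: a message whose claimed
 * payload plus header and padding exceeds the record is silently dropped. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t record_len,
                              uint8_t *resp)
{
    uint16_t payload_len;
    if (record_len < 1 + 2 + HB_PADDING) return 0;     /* too short        */
    if (rec[0] != HB_REQUEST) return 0;
    payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > record_len) return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);            /* stays in record  */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Builds a request carrying the 4-byte payload "ping" plus 16 bytes of
 * padding, but with claimed_len in its length field; places it at the start
 * of the arena with an unrelated SECRET right after it; runs the chosen
 * handler. Returns the response length (0 means the request was dropped). */
static size_t simulate(int use_fix, uint16_t claimed_len)
{
    size_t record_len = 3 + 4 + HB_PADDING;   /* what TLS actually delivered */
    memset(g_arena, 0, sizeof g_arena);
    g_arena[0] = HB_REQUEST;
    g_arena[1] = (uint8_t)(claimed_len >> 8);
    g_arena[2] = (uint8_t)claimed_len;
    memcpy(g_arena + 3, "ping", 4);
    /* padding bytes are already zero; the secret follows the record */
    memcpy(g_arena + record_len, SECRET, strlen(SECRET));
    memset(g_resp, 0, sizeof g_resp);
    return use_fix ? heartbeat_fixed(g_arena, record_len, g_resp)
                   : heartbeat_vulnerable(g_arena, record_len, g_resp);
}

/* Returns 1 if the first n bytes of the last response contain SECRET. */
static int response_has_secret(size_t n)
{
    size_t len = strlen(SECRET), i;
    for (i = 0; i + len <= n; i++)
        if (memcmp(g_resp + i, SECRET, len) == 0) return 1;
    return 0;
}

int main(void)
{
    size_t n = simulate(0, 100);
    printf("vulnerable, claimed 100: %zu bytes echoed, secret leaked: %s\n",
           n, response_has_secret(n) ? "yes" : "no");
    n = simulate(1, 100);
    printf("fixed, claimed 100:      %zu bytes echoed (request dropped)\n", n);
    n = simulate(1, 4);
    printf("fixed, honest 4:         %zu bytes echoed, secret leaked: %s\n",
           n, response_has_secret(n) ? "yes" : "no");
    return 0;
}
```

The point to notice is how small the difference is: one comparison between the length the client claimed and the length the server actually received. With the claimed length of 100 the vulnerable handler echoes 100 bytes starting at the payload, which carries the 4 real bytes, the padding, and then whatever lay beyond the record; the fixed handler drops the same request, and still answers an honest one normally.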
The second thing to know is that you should NOT reset any passwords on any suspected site until you can be fully assured that its systems have been properly updated and re-secured, because a new password sent to a still-vulnerable server is just as exposed as the old one. “Re-secured” means more than upgrading OpenSSL: the server’s private key may have been read while it was vulnerable, so the site also needs to reissue its certificate, revoke the old one, and invalidate existing sessions. This means that the standard approach to such security issues, where everything is on a need-to-know basis, will need to be broken open to the public so that we can all be assured that our passwords can be safely reset on any site that has been vulnerable.
This kind of open disclosure of potential risk is often very difficult for many types of organizations, and that’s the real problem here: the standard operating procedure stands in the way of real damage control and instead favours a “reputation management” instinct that can supersede the real security risks to consumers. Many organizations would prefer to respond to issues on a reactive basis, rather than throw the floodgates open by admitting fallibility.