Unless you’ve been extremely absorbed in an excellent book for the last week, you’ve probably heard about Heartbleed. Maybe you’ve already read up on it, are fully aware of its effect on you, and have changed your passwords accordingly. Maybe, though, that book sucked you in and you’re just now clearing your head and thinking “Wait, was I supposed to do something about this?” Here’s the basic rundown.
What Is It?
“Heartbleed” is the nickname given to a flaw that was recently found in OpenSSL, an encryption protocol used by most secure websites. You can tell a website is secure because its URL begins with “https” rather than simply “http.” Not every website runs security software – not every website needs to. If a site does not allow you to log in with a password and does not collect sensitive information such as credit card numbers, that site probably doesn’t require encryption.
There are, however, many, many heavily used sites that do collect sensitive information that may have been affected by the bug.
What is the Effect?
It might take some time for the full extent of this incident to be known. The vulnerability was discovered by Google and Codenomicon, and they promptly released upgrades to repair it. It’s possible that no criminals found the bug before it was fixed. If it took Google this long to find it, you can bet it wasn’t exactly obvious. Unfortunately, though, there’s no way to know – the vulnerability existed for approximately two years, and it would have made it possible for criminals to extract sensitive information without leaving a trace.
It’s possible that the effects might not turn out to be severe, but there’s no reason to gamble with your sensitive information, and we suggest that you err on the side of caution.
What Do I Do?
Change your passwords! A list has been published of major sites and their vulnerability status. It will give you an idea of which accounts could have been exposed.
When it comes to security, though, better safe than sorry. If you have accounts that are particularly important to you, or that contain sensitive information, go ahead and change those passwords. Changing passwords regularly is a good practice anyway. Even if your password is strong, keeping the same password for too long can become a security risk.
How do you know if your password is strong? If you’re not sure, use The Password Meter to get a rating as well as suggestions for choosing something stronger.
What About Slamdot?
Slamdot’s servers have been patched and upgraded to the latest version of OpenSSL, and we are not aware of any issues or breaches to our servers. We still recommend that you change all important passwords. There’s no reason not to!
The Take Home Message?
Change your passwords! And no changing them to “p455w0rd” or your dog’s name or your anniversary. Always choose strong, difficult-to-guess passwords. Don’t be an easy target!