In case you missed it, security researchers recently uncovered a major bug (known as “Heartbleed”) in a security protocol that protects much of the encrypted traffic on the Internet. And yes, if you do just about anything online, you’re affected.
In short, secure Internet services typically protect their traffic using a protocol called SSL/TLS. This includes certain websites, e-mail providers, chat services, etc. You’ll know this is happening on the web when you look at the address bar of your browser and see https:// (note the addition of the ‘s’) at the beginning of the URL.
Many such services use an open source implementation of this security protocol known as OpenSSL. Unfortunately, OpenSSL was found to contain a programming mistake that makes it possible for an attacker to steal the server’s encryption keys, usernames and passwords, instant messages, e-mails, etc.
But wait, it gets better… Not only is all of this information (potentially) exposed, but there’s no way of knowing whether or not a server has been compromised. Oh, and this bug has been out in the wild for over two years.
As for whether or not you’re likely to be affected by this bug…
“You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL.”
That’s from heartbleed.com, a site put together by the people who discovered and publicized the bug in the first place.
They went on to note that OpenSSL is used in the software that powers more than two-thirds of all websites, and that it’s also used to protect e-mail servers (via the SMTP, POP, and IMAP protocols), chat servers (via the XMPP protocol), virtual private networks (VPNs), etc. So yeah, it’s a widespread problem.
Of course, the fact that you (probably) do business with affected sites and/or services doesn’t mean that your info has been stolen, but it’s possible.
To protect yourself from the Heartbleed bug, you’ll need to go through your various online logins and change your credentials. But doing so won’t do you any good unless and until the service provider patches the bug (yes, a fix is available), revokes the compromised encryption keys, and re-issues new keys.
How will you know if/when this has been done? That’s the tough part. You’re largely dependent on the service providers letting you know that the problem (if they were affected) has been fixed. At that point, you should be able to change your password without fear of it being re-compromised via the Heartbleed exploit.
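If you want a concrete check rather than waiting for an announcement, the two things the previous paragraph asks of a service provider (a re-issued certificate after the fix, and a new key behind it) can both be read off the server’s certificate. The following Python is an added example, not something from this post or from the Heartbleed researchers: it takes the text that `openssl x509 -noout -dates -pubkey` prints for a site’s certificate (sample outputs here are constructed inline) and answers whether the certificate was issued after the public disclosure date and whether the public key actually changed. The disclosure date (April 7, 2014) is a known fact that the post itself doesn’t state; the helper names and the sample key bodies are my own.

```python
import hashlib
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (a known fact, not stated in the post).
# A certificate issued before this date cannot have been re-issued in response to it.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed samples of what `openssl x509 -noout -dates` prints for a certificate,
# one captured "before" (old cert) and one captured "after" (re-issued cert).
SAMPLE_DATES_OLD = """notBefore=Mar  1 00:00:00 2013 GMT
notAfter=Mar  1 23:59:59 2015 GMT
"""
SAMPLE_DATES_NEW = """notBefore=Apr 10 12:00:00 2014 GMT
notAfter=Apr 10 12:00:00 2016 GMT
"""

# Constructed, abbreviated stand-ins for `openssl x509 -noout -pubkey` output.
# They are never decoded; only compared, so the base64 body is a placeholder.
SAMPLE_PUBKEY_A = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholderKeyA
-----END PUBLIC KEY-----
"""
SAMPLE_PUBKEY_B = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholderKeyB
-----END PUBLIC KEY-----
"""


def parse_openssl_dates(text):
    """Return (not_before, not_after) as UTC datetimes from `openssl x509 -dates` output."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with two spaces ("Mar  1"); collapse them.
            value = " ".join(value.split())
            dates[key] = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(
                tzinfo=timezone.utc
            )
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError("openssl output is missing notBefore/notAfter lines")
    return dates["notBefore"], dates["notAfter"]


def cert_issued_after_disclosure(dates_text, disclosed=HEARTBLEED_DISCLOSED):
    """True if the certificate's validity starts after the bug became public."""
    not_before, _ = parse_openssl_dates(dates_text)
    return not_before > disclosed


def pubkey_fingerprint(pem):
    """SHA-256 over the PEM body, so two dumps of the same key compare equal."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(body.encode("ascii")).hexdigest()


def key_was_rotated(old_pem, new_pem):
    """A re-issued certificate that still carries the old key gains nothing:
    the key itself is what Heartbleed could have leaked."""
    return pubkey_fingerprint(old_pem) != pubkey_fingerprint(new_pem)


def safe_to_change_password(old_dates, old_pubkey, new_dates, new_pubkey,
                            disclosed=HEARTBLEED_DISCLOSED):
    """Both conditions from the post: a certificate issued after the fix AND a new key.
    Note this cannot prove the server software was patched; it only shows the
    provider did the key/certificate part of the cleanup."""
    return (cert_issued_after_disclosure(new_dates, disclosed)
            and key_was_rotated(old_pubkey, new_pubkey))


if __name__ == "__main__":
    print("new cert after disclosure:", cert_issued_after_disclosure(SAMPLE_DATES_NEW))
    print("key rotated:", key_was_rotated(SAMPLE_PUBKEY_A, SAMPLE_PUBKEY_B))
    print("safe to change password:",
          safe_to_change_password(SAMPLE_DATES_OLD, SAMPLE_PUBKEY_A,
                                  SAMPLE_DATES_NEW, SAMPLE_PUBKEY_B))
```

To feed it real data, run `openssl s_client -connect example.com:443 </dev/null | openssl x509 -noout -dates -pubkey` and paste the `-dates` lines and the PEM block into the two text inputs. The “old” key has to come from a capture made before the site’s fix (or from a saved copy), since the whole point of the key check is that a fresh certificate on the same key doesn’t undo a leak.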
Note: There are some tools out there to check whether or not a website is affected (or has been fixed). I can’t vouch for any of them, but this one, which attempts the exploit and then reports the results, looks pretty good. It was developed by cryptography consultant Filippo Valsorda. If a site appears to have been “fixed or unaffected,” it should be safe to change your password.
That being said, I haven’t heard a peep from anyone about whether or not their site/service was affected by this bug, or how they’ve responded to the problem.