No matter how hard you try to stay safe, some aspects of securing your online data are completely out of your hands. That fact was made painfully obvious on Monday, when the Internet got caught with its collective pants down thanks to a critical vulnerability affecting a fundamental tool for secure online communications.
Called Heartbleed, the bug has been in the wild for more than two years now. It allows attackers to exploit a critical programming flaw in OpenSSL—an open source implementation of the SSL/TLS encryption protocol.
When exploited, the flaw leaks data from a server's memory, which could include SSL site keys, usernames and passwords, and even personal user data such as email, instant messages, and files, according to Finland-based Codenomicon, the security firm that first uncovered Heartbleed in concert with a Google researcher.
That's bad. Real bad, though it's important to note that Heartbleed only affects OpenSSL and not the security protocol itself.
But due to OpenSSL's popularity with website administrators, the potential number of affected websites is huge. Security and Internet research firm Netcraft estimates that Heartbleed affects around half a million "widely trusted websites."
Yahoo has already said it was hit by the Heartbleed bug and Yahoo-owned Tumblr is advising users to update their passwords ASAP.
"On the scale of 1 to 10, this [Heartbleed] is an 11," respected security expert Bruce Schneier said on his blog.
Yes, this bug is pretty serious and almost certainly affects at least one of your online accounts. But now that we've got the scary stuff out of the way, let's talk about some of the practical measures you need to know about.
Keep calm and...
Thanks to Hearbleed it's possible that some unscrupulous actors online could have your username and password. And you should definitely change your password on any site that says it was affected.
But here's the thing: While OpenSSL already has a fix available, changing your username and password before a site patches its servers achieves nothing. In fact, it could make things worse.
"You should change password after the service provider has patched their site. Otherwise you just contribute to the data that can be stolen," Codenomicon spokesperson Ari Takanen told us via email.
...don't carry on
Heartbleed was publicized on Monday. So by now, many sites should have scrambled (or are scrambling) to patch their servers. You can find out if a site is still affected by Heartbleed using online checkers provided by LastPass, Qualsys, or Filippo Valsorda.
If you find that a site you use often is still affected by the vulnerability, Codenomicon advises to take a "day off" from that site. Heartbleed only exposes data that's held in a server's memory (RAM). This isn't a break-in and read the database type flaw. Your data needs to be in a server's memory when it's attacked to be exposed.
Sign up for Computerworld eNewsletters.