From a software engineer’s point of view, Heartbleed is a complete train wreck.
This week, a major security bug called Heartbleed was discovered. Technology sites for programmers, system administrators, and security experts have been abuzz about it all week, but I haven’t seen much coverage of it in the mainstream press. I was able to find this article at CNN.com.
In a nutshell, Heartbleed affects a large fraction of the Web sites on the Internet. It enables an attacker to observe any supposedly-encrypted information that goes into or out of an affected Web site. You’ll notice that is pretty much the opposite of what encryption is supposed to do. Any data you send to an affected Web site — including your password, your financial information, Social Security number, anything — could have been seen and recorded by the Russian mob or those Nigerian scammers: anyone. There is no way to know who has been eavesdropping for how long, or what they’ve overheard. The bug existed, undetected, for over two years before it was discovered this week.
This is a big deal. It is potentially much more serious than the Target security breach that made front-page headlines last winter. In the case of Target, we know what data was disclosed (credit card information) and we even know the affected account holders, so we can start to repair the damage and move on. With Heartbleed, we don’t know what data was disclosed, so we don’t even know what the damage was, yet. I expect the aftershocks of this crisis will be felt for a long time to come. I suspect the reason mainstream media aren’t running with the story yet is they lack the imagination to immediately see its importance.
Security expert Bruce Schneier said of Heartbleed, “‘”Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”
What You Need to Do
On affected Web sites, your secure Internet connection wasn’t secure: any data moving between your computer and that Web site could have been seen by an attacker. Since the Heartbleed bug is now known to approximately every black hat in the world, there’s a good chance someone eavesdropped on any site that had the bug, but didn’t fix it fast enough.
Account passwords are a high-value target and it is likely that many username/password pairs have been intercepted. The only way to rule out yours being among them is if you know how the Web server was configured. Most user’s don’t know that and most companies don’t tell.
This means you need to change all your passwords — but there is no point in doing that till after companies have fixed the Heartbleed bug. A fix is already available so it is just a matter of time until all the company’s servers are upgraded with the fix. According to this article from CNN/Money (posted yesterday, April 11), Yahoo, Amazon, Google, and OKCupid have finished rolling out their fixes and are now secure. You can change your passwords there immediately. For other sites, it’s hard to say: banks and financial companies are probably fixed by now, and the rest will have time to catch up over the weekend. So you should stay off secure Web sites until about Monday, and then change your passwords.
Since you have to change your passwords anyway, now is a good opportunity to improve your password practices.
Understanding Heartbleed continued »