You've probably heard of this “HeartBleed” problem that tech folks are talking about. But what does it mean for you?
It means that, for every site on the Internet where you have a password, you probably need to change the password. Not yet, but when the site has fixed their issues.
You use a web-browser to connect to a web-site. For secure web-sites, you get a padlock, as your web-brower uses something called “HTTPS” to connect to the server. The way that HTTPS works is to make normal web-site requests (“HTTP”) over a connection made secure with “Transport Layer Security”, or “TLS” (old and now-insecure versions of which were called “SSL”).
The software used by a majority of sites to implement TLS had a tiny coding mistake which has had huge consequences. A “heartbeat” mechanism was implemented without a safety check on a value received, which would result in the server sending back chunks of extra things it currently knows. Such as, say:
There is evidence now of attacks going back at least as far as November 2013. So “the bad guys” have known about this for a while and have been collecting data. This is not some airy theoretical attack which maybe somehow a bad person could use. The bad people have been using it. Passwords have been stolen. Keys have been stolen.
Not all sites are affected, but so many that you have to assume they have been, until they say otherwise. The best current estimates are that more than two thirds of all secure web-sites are affected.
Some sites use special devices called “load balancers” to handle the TLS; some versions of some of those load-balancers are based on OpenSSL and are affected. We suspect that some sites who claim that “we don't use OpenSSL” are being careful in their phrasing or have only done a superficial analysis and have not fully analysed whether or not the dedicated appliances they use, such as load-balancers, mean that their customers are impacted.
There are various tools around which let you see if a site is still vulnerable; using these tools against a site you are not responsible for running is an attack and is probably a federal offence. Don't do it. Besides, they don't tell you if the site is safe to use yet.
See, the site operators need to:
There are no safe short-cuts
This has to happen for EVERY WEBSITE WHICH HAS PASSWORDS. Every. Single. One.
That's why this is such a big, huge, deal.
So, how do you know which sites have done this? You have to find their announcement. We're tracking announcements, to build a big searchable list which you can use to find details for a given site.
Have fun changing those passwords.