How to respond to the Heartbleed crisis
Philip Ellison 10 April, 2014 at 03:04
If you haven’t already, you should change your internet passwords. All of them. Now. Go on, we’ll wait.
All done? OK. Here’s why it’s so important to be vigilant: a critical security flaw in OpenSSL has left up to 66% of internet users vulnerable. The Heartbleed bug, so named for the way it leaks private user information like passwords, means that individuals with a basic to moderate level of technical skill are now able to harvest sensitive information.
Security Socks Layer, or SSL, is the protocol which adds the ‘s’ to ‘https’ in URLs, and makes websites safe. Organisations that use OpenSSL, an open source product which implements this protocol, are the ones at risk. Security company Codenomicon and Google Security made this flaw known to the public at the start of the week, and most alarmingly, noted that the bug has been in existence for up to two years.
“If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested,” says a Codenomicon representative. “In that sense it’s a good idea to change the passwords on all the updated web portals.”
Blogger Bruce Schneier described the potential impact of Heartbleed as “catastrophic”, and urged readers to test their own vulnerability with the ‘Heartbleed test’. Similarly, Betsy Isaacson at the Huffington Post advises individuals to wait for websites to confirm via their official blogs that they have a patch for Heartbleed, and then change their login details as soon as they can. Giants such as Google, Yahoo and Amazon are out of the woods now, but it may take a while for smaller websites to protect themselves.