Heartbleed -- should we panic now?
Yesterday the IT world went a little bit crazy over the disclosure of the Heartbleed bug and the chance that encrypted information could potentially be intercepted by hackers.
We know that some big sites, notably Yahoo, have been exposed and Google was quick to apply the necessary patches to its servers. If you’re still worried, a number of sites have sprung up allowing you to check if a site has been patched -- thanks to Bob Grant on the comments thread to yesterday’s story for highlighting that one.
Since then some sites have been sending out emails advising users to change their passwords and a raft of experts have been urging the same thing.
But let's take a step back for a second. Heartbleed has been around for two years, so if your information was going to leak there's a good chance it would have happened already. Also, the disclosure of the bug seems to have been done in a very measured way, as neatly satirized on Twitter:
☑ register http://t.co/ZGfyHkwhcr domain ☑ get custom graphic designed ☐ disclose to distros in advance ☑ disclose to public Priorities
— keyist (@keyist) April 8, 2014
The problem is that Heartbleed doesn't leave a trace, so there's no way anyone -- other than the bad guys -- knows whether anything has been stolen or not. And because it's a problem on the server, there's little you as a user can do about it, except stay offline. This also means that, as far as the end user is concerned, it's operating-system agnostic too: it doesn't matter whether you're using Windows, OS X, iOS or Android, your data is equally vulnerable.
What then is an end user to do? The first thing is not to panic: this doesn't affect every single website. In fact, for once Microsoft comes up smelling of roses, because its Internet Information Services (IIS) server software doesn't use OpenSSL.
Codenomicon, which broke the news of the bug, reckons that around 66 percent of sites rely on open source servers that run OpenSSL and are therefore potentially at risk. Even then, some of these sites will have used the Perfect Forward Secrecy feature, which will have limited how much data could be exposed.
If you feel the need to do something, then changing your password isn't a bad idea; it's something you should do occasionally anyway -- though most of us don't -- but do check that the site has been patched first, otherwise you're just giving the new password away.
However, this isn't like other recent high-profile breaches where lists of stolen data have been posted online. Yes, there's a moderate risk that your passwords may have been compromised, but you don't need to rush off and start resetting the passwords on every site you use. By all means change them next time you log in, but don't let Heartbleed ruin your day.