The HTTPS lock icon we’re all used to trusting in our browsers hasn’t been as trustworthy as we’d like to believe.
Ever since the good folks at Codenomicon and Google publicized the OpenSSL implementation bug known colloquially as Heartbleed, two questions have come to the forefront for every Internet user: which sites are affected, and what do I need to do about it?
OpenSSL, the open-source cryptographic library whose development began in 1998, has carried the bug (CVE-2014-0160, a missing bounds check in its TLS heartbeat extension) since the code was committed on December 31, 2011 and first shipped in OpenSSL 1.0.1 in March 2012. Every 1.0.1 release through 1.0.1f is affected, which means that a large share of the most widely deployed TLS library on the Internet has been exposed for more than two years.
Apache server operators are particularly exposed: the Apache HTTP Server's mod_ssl links against the system's OpenSSL, and Apache Tomcat uses OpenSSL when it is run with the APR/native connector (its default Java-based connector does not). Apache today released information on mitigating the Heartbleed vulnerability.
In total, an estimated 17% of all SSL web servers could currently be made to leak up to 64 KB of server memory per malformed heartbeat request, and that memory can contain session cookies, passwords in transit, and even the server's private key. The affected sites reportedly include Twitter, Yahoo, Tumblr, Steam, Dropbox, and many more of the most popular URLs on the Internet. Among those, Tumblr has already reacted by advising all users to change their passwords.
On the website-operator end, Hostway has determined that 4 percent of Hostway’s total server count may have been affected by this OpenSSL issue, and has contacted each customer regarding steps to become more secure.
While affected sites are busy patching OpenSSL, generating new private keys, and reissuing their certificates (a patch alone doesn't help if the old key was already read out of memory), Internet users are left wondering what they should or can do about the issue. Here are three tips on staying safe:
First, you can use this site to check whether a given site is still vulnerable. But it may be best to proceed as though all your accounts have been compromised. Here's a handy list of major sites showing whether they were vulnerable, whether they've acted, and whether you should do anything yet.
Second, changing your password before a site has fixed the problem doesn't help: the new password travels over the same leaky connection and can be read out of server memory just like the old one. Major websites subject to the vulnerability will likely publicize their response; once they confirm that they've patched OpenSSL and reissued their certificates with new keys, change your password there. OpenSSL itself has already addressed the issue in version 1.0.1g.
Finally, exploitation leaves no trace in a server's logs, so a site generally cannot tell whether attackers read passwords out of its memory in the interim unless a problem surfaces later. So until you get the all-clear, don't log in to affected sites at all. With the vulnerability as high-profile as it is, hackers are now more likely than ever to be aware of the opportunity to exploit the weakness.
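If you run a server, or just want to check a site's certificate yourself rather than wait for an announcement, the two checks above can be automated. The following script is an added example and not part of the original article or any Hostway or OpenSSL code: it classifies an `openssl version` banner against the upstream affected range (1.0.1 through 1.0.1f and the 1.0.2 betas), and reports whether a certificate's notBefore date falls on or after the April 7, 2014 disclosure, using only Python's standard `ssl` module. The version banners and certificate dates in it are constructed samples, and `check_host` is a helper name chosen here that needs network access.

```python
"""Heartbleed hygiene checks: OpenSSL version range and certificate issue date."""
import re
import socket
import ssl
from datetime import datetime, timezone

# Upstream affected range for CVE-2014-0160: 1.0.1 through 1.0.1f and the
# 1.0.2 betas. 1.0.1g (released 7 Apr 2014) carries the fix; 1.0.0 and 0.9.8
# never contained the heartbeat code at all.
DISCLOSURE_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
# LibreSSL banners also match; their 2.x/3.x numbers never fall in the range.
_VERSION_RE = re.compile(r"(?:OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?")


def openssl_version_vulnerable(banner: str) -> bool:
    """Return True if the upstream version in `banner` is in the affected range.

    Caveat: distributions backport fixes without changing the version number,
    so a "1.0.1e" banner on Debian, Ubuntu or RHEL may already be patched.
    Treat True as "go read the package changelog", not as proof of exposure.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        # "1.0.1" (no letter) through "1.0.1f" are vulnerable; "1.0.1g" onward are fixed.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # Only the 1.0.2 betas shipped with the bug; the final 1.0.2 includes the fix.
        return beta is not None
    return False


def local_openssl_vulnerable() -> bool:
    """Classify the OpenSSL this Python interpreter is linked against."""
    return openssl_version_vulnerable(ssl.OPENSSL_VERSION)


def reissued_after_disclosure(not_before: str) -> bool:
    """True if a certificate's notBefore (as returned by getpeercert(),
    e.g. 'Apr  9 00:00:00 2014 GMT') is on or after the public disclosure.

    A later date does not by itself prove a new key was generated: compare
    the certificate's public key or fingerprint against the old one as well.
    """
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), timezone.utc)
    return issued >= DISCLOSURE_DATE


def check_host(host: str, port: int = 443) -> dict:
    """Fetch a live server's certificate and report when it was issued.
    (Hypothetical helper; needs network access, everything else runs offline.)"""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    not_before = cert["notBefore"]
    return {"host": host, "notBefore": not_before,
            "reissued_after_disclosure": reissued_after_disclosure(not_before)}


if __name__ == "__main__":
    # Constructed sample banners and dates; not captured from any real host.
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 0.9.8y 5 Feb 2013"):
        print(f"{banner:34} vulnerable={openssl_version_vulnerable(banner)}")
    print(f"{ssl.OPENSSL_VERSION:34} vulnerable={local_openssl_vulnerable()} (this interpreter)")
    for not_before in ("Mar 20 00:00:00 2014 GMT", "Apr  9 00:00:00 2014 GMT"):
        print(f"{not_before!r:30} reissued after disclosure={reissued_after_disclosure(not_before)}")
```

Two caveats matter in practice. A "vulnerable" verdict from the version banner is only a prompt to check the distribution's package changelog, because Debian, Ubuntu and Red Hat shipped the fix as a patched 1.0.1e rather than a version bump. And a certificate dated after the disclosure may simply be a routine renewal, possibly with the same private key; the site is only safe from a stolen key if the public key in the new certificate differs from the old one.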
So while you’re waiting to browse the web and figuring out how to generate new passwords, check out xkcd’s advice on the subject.