On April 7, 2014 we learned of a vulnerability in OpenSSL, the security software that you know is in operation when a web page's address begins with https instead of http. It is the encryption system used to protect confidential information such as passwords, and most sites that deal with sensitive information use it. This vulnerability allowed third parties to intercept and obtain that information.
When I write about computer security I know that I am hopelessly out of my depth, but like most people I have been stymied by the conflicting advice about what to do about the latest ‘Heartbleed Bug’ that enables someone to get large amounts of information from servers and not leave any trace. While this has caused great alarm, it is not clear what any ordinary person should do.
Some have rushed to change their passwords immediately, but apparently this is not advisable until patches are installed to fix things. Some have recommended that you wait until you hear from the company that it is safe to log in, and that you should then change the password. Others have said that companies may not contact you and, furthermore, that unscrupulous people take these panicky opportunities to send out fake emails as if they are from the companies, and when unwitting people click on those links, they are actually giving their information to the wrong people.
Here is what I have learned and I hope the much more knowledgeable people in this blog’s readership will chime in.
Not all sites have the security flaw. Here is a list of popular sites that may have been compromised. I got an email from my university that they have checked our system and that we appear to be secure, and that they are not asking us to change passwords, not yet anyway. They also gave a link to a site where you can test the SSL system of any company you do business with and see if there is a security risk there by inserting that site’s URL into the search box. For example, it says that my bank's site is secure against the Heartbleed bug.
What I am doing is not logging into any site that holds the kind of information infiltrators might want (like banks) and that requires a password, until I have first checked that site using the above link.
Stephen Colbert is also panicked about it.
(This clip aired on April 9, 2014. To get suggestions on how to view clips of The Daily Show and The Colbert Report outside the US, please see this earlier post. If the videos autoplay, please see here for a diagnosis and possible solutions.)