It's bad, friends. The Heartbleed Bug is bad. That little lock icon that you see up in your browser's address bar when you're logging into a site or entering your credit card number? Turns out it's not all that great at protecting your private information after all.
Here's what's happening and what you can do about it.
What's going on? Should I panic? I should panic, right?!
It's not time to panic. It's just time to be vigilant – extra vigilant. By some estimates, this bug could affect around two-thirds of web servers and, as stated above, it could affect sites you log into -- email, social networks, even a VPN you might use for work.
Unlike a conventional security breach where malicious attackers break into a site and download a bunch of encrypted usernames and passwords – usernames and passwords they then have to crack open, which can be extremely difficult if you use a good password – this bug lets attackers grab information in relatively tiny chunks of data as it's flowing through a server.
That means you'd have to be logging into a site or entering your credit card number at roughly the time an attacker is grabbing a chunk of data. Unfortunately, this bug has shown that usernames, passwords and other sensitive data can sometimes be grabbed unencrypted, meaning that once they're grabbed, there's no need to crack them.
There are four types of data that can be grabbed. They are, from most to least severe: encryption keys; user info like passwords and usernames; "protected content" such as email messages, instant messages, credit card numbers and more; and "collateral content" such as data and code used to make the website function as intended.
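For readers who want to see what "grabbing a chunk of data" means in code, here is an added illustration (not code from this article, the Heartbleed site or OpenSSL) of the kind of mistake behind the bug. It models a heartbeat request as a type byte, a two-byte payload length, the payload and some padding; the vulnerable handler trusts the length the sender claims, while the fixed one checks it against the bytes that actually arrived. The record layout, the "server memory" image and the secret sitting next to the request are all constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define HB_HEADER       3     /* type byte + 2-byte payload_length */
#define HB_PADDING      16    /* minimum padding a valid record must carry */
#define DEMO_PAYLOAD    "ping"
#define DEMO_RECORD_LEN (HB_HEADER + 4 + HB_PADDING)   /* 23 bytes actually sent */

static uint16_t read_be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Is needle present anywhere in buf[0..n)? (The echoed bytes may contain NULs,
 * so strstr cannot be used.) */
int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Vulnerable pattern: echo back payload_length bytes, as claimed by the peer,
 * without ever consulting record_len (how many bytes really arrived). In the
 * real flaw the copy simply ran past the end of the record into whatever the
 * server's memory held next. Here "memory" is modelled as mem[0..mem_len), and
 * the copy is capped at mem_len only so the demo itself stays in bounds. */
size_t heartbeat_vulnerable(const unsigned char *mem, size_t mem_len,
                            size_t record_len, unsigned char *out)
{
    (void)record_len;                            /* the bug: never checked */
    if (mem_len < HB_HEADER) return 0;
    size_t payload_len = read_be16(mem + 1);     /* peer-controlled value */
    if (payload_len > mem_len - HB_HEADER)       /* demo-only cap */
        payload_len = mem_len - HB_HEADER;
    memcpy(out, mem + HB_HEADER, payload_len);
    return payload_len;
}

/* Fixed pattern: a record whose claimed payload (plus header and minimum
 * padding) does not fit inside the bytes actually received is silently
 * dropped. Returns bytes echoed, or 0 when the record is rejected. */
size_t heartbeat_fixed(const unsigned char *mem, size_t mem_len,
                       size_t record_len, unsigned char *out)
{
    if (record_len > mem_len) return 0;
    if (record_len < HB_HEADER + HB_PADDING) return 0;          /* too short */
    size_t payload_len = read_be16(mem + 1);
    if (HB_HEADER + payload_len + HB_PADDING > record_len) return 0; /* lie */
    memcpy(out, mem + HB_HEADER, payload_len);
    return payload_len;
}

/* Constructed "server memory": a heartbeat request carrying a 4-byte payload
 * but advertising claimed_len, followed by a secret left over from an earlier
 * request. Returns the total size of the image, 0 if cap is too small. */
size_t build_demo_memory(unsigned char *mem, size_t cap, uint16_t claimed_len)
{
    static const char secret[] = "session=abc123;password=hunter2"; /* constructed */
    size_t secret_len = sizeof(secret) - 1;
    size_t total = DEMO_RECORD_LEN + secret_len;
    if (cap < total) return 0;
    memset(mem, 0, cap);
    mem[0] = 1;                                   /* heartbeat request */
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + HB_HEADER, DEMO_PAYLOAD, 4);
    memcpy(mem + DEMO_RECORD_LEN, secret, secret_len);
    return total;
}

/* Runs one request through the chosen handler; returns bytes echoed and sets
 * *leaked to 1 if the neighbouring secret came back with them. */
size_t demo_run(uint16_t claimed_len, int use_fix, int *leaked)
{
    unsigned char mem[256], out[256];
    size_t mem_len = build_demo_memory(mem, sizeof mem, claimed_len);
    size_t n = use_fix ? heartbeat_fixed(mem, mem_len, DEMO_RECORD_LEN, out)
                       : heartbeat_vulnerable(mem, mem_len, DEMO_RECORD_LEN, out);
    *leaked = contains(out, n, "hunter2");
    return n;
}

int main(void)
{
    int leaked;
    size_t n = demo_run(64, 0, &leaked);
    printf("vulnerable, claims 64 bytes: echoed %zu bytes, secret leaked: %s\n",
           n, leaked ? "yes" : "no");
    n = demo_run(64, 1, &leaked);
    printf("fixed, claims 64 bytes:      echoed %zu bytes, secret leaked: %s\n",
           n, leaked ? "yes" : "no");
    n = demo_run(4, 1, &leaked);
    printf("fixed, honest 4 bytes:       echoed %zu bytes\n", n);
    return 0;
}
```

The point for defenders is the second handler's single comparison: every length a remote peer supplies has to be checked against what was actually received before it is used to drive a copy. That is the whole difference between a server that echoes four bytes of "ping" and one that hands back whatever happened to be sitting next to the request.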
So I should stay home all day and change all my passwords, right?
No, you should go to work. (Sorry.) It's up to the site in question to first fix the vulnerability. If the bug hasn't been fixed, changing your old password to a new password would just result in your new password being susceptible to the 64-bit data grabs described above.
If a particular site has been fixed (see the next section), then you should probably change your password to be on the safe side. Here are some tips for creating a strong password.
How can I tell which sites are affected?
If you're about to log into a particular site, go to this link first...
...and enter the site's address in the search box. It'll tell you if the site in question is still vulnerable or not.
If a site you use every day is not affected, it's a good idea to change your password for that site now that it's patched up. Assume it was vulnerable at one point and is now okay, just to be on the safe side.
If a site you use every day is affected, it's best not to log into it until it's been patched. If it's a site that's affected but you don't log into it with a username or password -- like, if it's a site you go to read news or look at cat pictures or whatever -- then you should be okay. Still, be vigilant.
How long will this take to be fixed?
It'll take a while, but many site administrators are scrambling to shore up their sites as quickly as possible. However, in many cases, the process involves getting new security certificates and keys from a Certificate Authority to lock everything back down again – and there are a lot of security certificates being used on the web nowadays. Assuming a majority of them need to be canceled and re-issued anew, we could be dealing with this for quite some time.
One of the big issues is that if the main security key responsible for locking down a site gets exposed in one of the data grabs, whoever grabbed it could then set up a dummy site that looked legitimate to steal info from unsuspecting users.
Where can I read more about this?
There's a Heartbleed Bug website that has the technical details. It's not light reading, by any means, but it's interesting and important if you're into this kind of stuff. Dan Goodin over at Ars Technica has a good piece on the bug as well, with details about how the bug worked on Yahoo's servers (those servers have since been updated).
Heartbleed Bug [Heartbleed.com]