Millions of people around the world will have woken up on Thursday morning to hyperbolic newspaper headlines about the Heartbleed Bug suggesting the internet is about to collapse if they don't change all their passwords now - if not sooner.
The situation is not quite that dire, but it is still very serious.
The problem now is that while some people are shouting at you to change your password, others are telling you to wait - something we have already discussed at length here.
The conclusion we came to was:
Change your passwords, but only once the service in question has updated its software and issued new encryption keys.
This raises even more questions, however:
- How do I know if the website I'm logging into has been affected?
- Has it updated to the latest version of OpenSSL?
- Has it issued new certificates?
Luckily there are some resources to hand to help you find out which websites are affected and which have taken steps to remedy the situation if they have been affected.
The first thing you can do is to plug the website's URL into one of the many Heartbleed checkers set up in the wake of the security flaw being disclosed. Here are three:
If you find the website you are checking is vulnerable, then you should wait before changing your password: a new password entered on a server that is still vulnerable can be captured just as easily as the old one.
While these online checkers will tell you if a site is or isn't vulnerable, they won't tell you what the website has done to correct the problem.
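One thing you can check for yourself is whether a site's certificate was issued after Heartbleed became public on 7 April 2014, which is a rough sign that the site has at least reissued its certificate. The following script is an added example and not part of the original article or any of the checkers it mentions; it uses only the Python standard library, and the function names, the sample `notBefore` strings and the "vulnerable" flag (which you would take from one of the online checkers) are all assumptions made for illustration. Note the caveat in the code: a certificate dated after disclosure shows a reissue, not necessarily a new private key, so it is a hint rather than proof.

```python
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 7 April 2014; certificates issued before
# this date may have been signed over a private key that was exposed.
DISCLOSURE_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_issued_after_disclosure(not_before: str) -> bool:
    """Return True if a certificate's notBefore date is on or after disclosure.

    `not_before` is the string format used by ssl.getpeercert()['notBefore'],
    e.g. 'Apr  9 12:00:00 2014 GMT' (constructed sample, not a real site).
    Caveat: a post-disclosure date proves the certificate was reissued, not
    that the site generated a new private key when it did so.
    """
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before),
                                    tz=timezone.utc)
    return issued >= DISCLOSURE_DATE


def advise(vulnerable: bool, not_before: str) -> str:
    """Combine a checker's verdict with the certificate date into advice.

    `vulnerable` is assumed to come from one of the online Heartbleed checkers;
    this script does not probe the server for the bug itself.
    """
    if vulnerable:
        return "wait: site still vulnerable, a new password could leak again"
    if not cert_issued_after_disclosure(not_before):
        return "wait: certificate predates disclosure, key may not have been rotated"
    return "change password now"


def fetch_not_before(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a normal TLS connection and read the server certificate's notBefore.

    This is a standard handshake with certificate validation, nothing more.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notBefore"]


if __name__ == "__main__":
    # Offline demonstration on constructed dates (no network needed).
    for sample in ("Mar  1 00:00:00 2014 GMT", "Apr  9 12:00:00 2014 GMT"):
        print(sample, "->", advise(False, sample))
    # To check a live site instead, pass the checker's verdict and the real date:
    # print(advise(False, fetch_not_before("example.com")))
```

Run it as-is to see the two constructed cases; the commented-out line at the bottom shows how to feed in a live site's certificate date once you have a checker's verdict for that site.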
It is safe to say that most of the big online properties have taken the relevant steps to protect their users, but Mashable has put together a comprehensive list of who's done what, and more importantly what you may need to do.
One version of Google's operating system (Android 4.1.1) is also vulnerable, so if you are worried your phone or tablet is running this version of Android, you can check with Lookout's Heartbleed Detector app.
Some websites and online services have sent their users comprehensive status updates by email, but unfortunately this is the exception rather than the rule.
One reason companies may have for not issuing such emails is that customers could think they are phishing emails trying to lure them into visiting malicious websites.
And this is a very real threat, as cybercriminals are likely to use the huge interest in Heartbleed to lure unsuspecting people into downloading malware or visiting malicious websites.
Be careful out there.