On Thursday morning people in the UK woke up to find their newspapers screaming headlines like: CHANGE ALL YOUR PASSWORDS
The Heartbleed Bug was initially revealed on Monday but has only really gained mainstream media attention in the last 24 hours. People are finally beginning to realise just how serious an issue this is, and everyday users of the internet are beginning to get worried that everything they do online is going to be compromised and exploited by some cybercriminal in a dark room somewhere on the other side of the world.
While this scenario may seem like hyperbole, it is not too far from the truth.
Therefore the question is, should you change all your passwords as the Daily Mirror suggests?
There are two trains of thought on the matter:
- Yes, change all your passwords right now
- No, wait until you are asked to change them
The problem is that the Heartbleed bug does not affect any software which internet users are using on their own machines, it affects the servers (well, two-thirds of them anyway) which underpin the infrastructure of the internet.
Therefore, it is up to the administrators of the websites affected to update their software to the latest version of OpenSSL.
It means that changing the password for your online supermarket account before the supermarket in question has had a chance to update its servers is pointless, as cybercriminals will still be able to access your details.
Unless you get an email from the website, the easiest way to check if a website is still vulnerable is to use LastPass' checker on its website.
However, once the software has been updated, there is no question that you should change your password: even though there is no way to know whether the website has been compromised (attacks leave no trace), it is always better to assume the worst and change your password.
Beware Heartbleed phishing emails
Websites should let their users know what is happening. They should email everyone and update them about the steps being taken to protect their customers' identities, just as online task manager Wunderlist has done.
Unfortunately not all online services and websites are as conscientious as Wunderlist and you may have to contact some services yourself to find out if and when they plan on updating their servers.
This, however, opens up another can of worms. Criminals now know that people will be expecting to receive emails about Heartbleed and will use this to their advantage, sending phishing emails that trick people into downloading malware or visiting malicious websites.
Gmail, Yahoo, Facebook, LinkedIn
It is, however, safe to assume that most major online companies will have already taken the necessary steps.
Mashable has put together a comprehensive list of the major online companies like Facebook, LinkedIn, Yahoo and Google, telling you whether they have been affected, whether a patch is available and whether you need to change your password.
Some companies like Microsoft and services like Gmail were not directly affected by the Heartbleed Bug because they use proprietary encryption software which doesn't rely on OpenSSL. However, it is still worth changing your password for these services because, despite warnings to the contrary, most people use the same password for a number of online services, meaning that if cybercriminals get access to one of your online accounts, they could have access to all of them.
The same advice holds for your banking and financial accounts. These also use proprietary software but because you may use the same password as your Yahoo email account (which was vulnerable), you should change it as a precaution.
A big problem for websites is that they can't tell when or if someone has accessed their 'secure' communications. And considering that the flaw in the OpenSSL software was first introduced over two years ago, it could be that it has been exploited for a long time without anyone knowing about it.
Another issue facing those affected by Heartbleed is that some security experts believe cybercriminals exploiting it could access the encryption keys used by websites to encrypt and decrypt secure communications.
If this is the case, then even after the website updates its software, cybercriminals could continue to anonymously monitor all website traffic without anyone knowing.
Therefore all websites are being advised to replace their SSL encryption keys as well as updating the OpenSSL software, as a further precaution.
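One thing a user or administrator can verify for themselves is whether a site has at least obtained a new certificate since the bug became public, which is the visible side of the key replacement described above. The script below is an added example, not code from the article or from any of the services it names. It uses only Python's standard `ssl` module: `getpeercert()` returns the certificate's `notBefore` date as a string, and `ssl.cert_time_to_seconds()` turns that into a timestamp that can be compared with the public disclosure date (7 April 2014, a constant the example assumes). The two sample certificates are constructed for the demonstration; the live lookup needs network access and is only used when a hostname is given on the command line.

```python
import socket
import ssl
import sys

# Heartbleed became public on 7 April 2014 (assumed cutoff for this example).
# A certificate whose validity starts before this date was issued with a key
# that may have been read out of a vulnerable server's memory.
HEARTBLEED_DISCLOSURE = "Apr  7 00:00:00 2014 GMT"

# Constructed sample certificates in the dictionary shape returned by
# ssl.SSLSocket.getpeercert(); the hostnames are placeholders.
SAMPLE_CERTS = {
    "old-cert.example": {
        "subject": ((("commonName", "old-cert.example"),),),
        "notBefore": "Mar  1 00:00:00 2013 GMT",
        "notAfter": "Mar  1 00:00:00 2015 GMT",
    },
    "rekeyed.example": {
        "subject": ((("commonName", "rekeyed.example"),),),
        "notBefore": "Apr  9 12:30:00 2014 GMT",
        "notAfter": "Apr  9 12:30:00 2016 GMT",
    },
}


def rekeyed_after_heartbleed(cert: dict, cutoff: str = HEARTBLEED_DISCLOSURE) -> bool:
    """Return True if the certificate's validity period begins after the cutoff.

    `cert` is a getpeercert()-style dictionary; its 'notBefore' field is a
    string such as 'Apr  8 00:00:00 2014 GMT', which ssl.cert_time_to_seconds
    parses into seconds since the epoch.
    """
    not_before = cert.get("notBefore")
    if not_before is None:
        raise ValueError("certificate has no notBefore field")
    return ssl.cert_time_to_seconds(not_before) > ssl.cert_time_to_seconds(cutoff)


def heartbleed_cert_status(cert: dict) -> str:
    """Human-readable verdict for one certificate."""
    if rekeyed_after_heartbleed(cert):
        return "reissued after disclosure"
    return ("issued before disclosure: the key may have been exposed, "
            "so confirm with the operator that it was replaced")


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a server's certificate over a verified TLS connection (needs network)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # With no arguments, classify the constructed samples; otherwise look up
    # each hostname given on the command line.
    if len(sys.argv) > 1:
        targets = {h: fetch_peer_cert(h) for h in sys.argv[1:]}
    else:
        targets = SAMPLE_CERTS
    for name, cert in targets.items():
        print(f"{name}: {cert['notBefore']} -> {heartbleed_cert_status(cert)}")
```

Two caveats apply when reading the verdict. A certificate dated after the disclosure shows that a new certificate was issued, not that a new private key was generated; an operator can have the old key re-certified, so the date is a necessary but not sufficient sign of a proper rotation. And the check says nothing about whether the server software itself has been patched; that is what a vulnerability checker such as the LastPass one mentioned above tests, and both conditions should hold before a password change is worth making.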
So, Should I Change my Passwords?
Unfortunately, after all that there is no one-word answer. The best answer is yes, but only once the service in question has updated its software and issued new encryption keys. Unfortunately, due to the unwieldy nature of the internet, those steps are not going to be taken by all your online services at the same time - if ever in some cases.