Security researchers have discovered a serious vulnerability in OpenSSL, the cryptographic software library that protects many web sites on the internet. Here’s what that means for you, the average user.
There’s a lot of technical information and nuance here, but we’re going to try and make this as simple to understand as possible. If you’re more tech-savvy, I highly recommend reading the Heartbleed FAQ here, which provides more information on the problem.
What Is OpenSSL and Heartbleed?
OpenSSL is an open-source implementation of SSL and TLS, the protocols that secure much of what you see on the web. Recently, a critical bug was discovered that has been present in OpenSSL for over two years, that can allow anyone on the internet to possibly uncover names, passwords, and content you send to a seemingly secure web site. As you can imagine, this is a big deal.
What Sites and Services Are Affected?
The Heartbleed bug, as its now known, affects any sites and services running specific versions of OpenSSL (1.0.1 through 1.0.1f). Many sites may run older versions of OpenSSL that are not vulnerable, and many have likely already updated to a fixed version. Furthermore, not all sites and services use OpenSSL. For example, 1Password secures their information via different means. LastPass uses OpenSSL and was vulnerable (until this morning), but due to extra encryption that happens on your machine, LastPass says your data is still safe.
It is estimated that over 66% of the web uses OpenSSL, so a good portion of the web may be vulnerable. You can test certain sites using this tool, though it won’t answer whether a site was previously vulnerable at any point in the past. You can find a list of possibly affected sites here, but check their respective blogs for any recent updates—and keep in mind they may have been vulnerable sometime in the past two years (Google and Facebook, for example, are not listed as currently vulnerable, but have yet to issue any official statements).
What Can I, the Average User, Do?
Unfortunately, there’s not much you can do about this. The only way to fix this problem is for the vulnerable sites to update OpenSSL and reissue their security certificates.
If possible, try to avoid connecting to vulnerable sites and services until they notify you of a fix. Changing your password won’t help until the site has fixed the bug, so wait for confirmation from your favorite sites before you go changing passwords. If and when you do get confirmation, audit and update your passwords as usual. If a site is not vulnerable but doesn’t issue a statement, change your passwords just in case they were vulnerable in the past. After all, it can’t hurt. Update: LastPass now has a tool that lets you know what passwords to change, and when. Awesome!
This is just a really basic rundown of what’s going on and how it affects you. Like we said, if you’re a bit more technically minded, this Heartbleed FAQ has some more technical information about what’s going on. Other than that, the best thing we users can do is wait and stay vigilant.
(Portions of this article appear courtesy of Lifehacker.com)