You’ve all heard about the Heartbleed Bug by now. You know that little lock or key you see when you type an address into your web browser to show it’s a “secure” site? Well, it turns out there’s a serious bug with the security on sites that use what’s called OpenSSL to make those sites secure. http://heartbleed.com/
Many people have been asking me about it. Here are the answers I’ve been giving friends in the simplest language I can come up with:
1) Does this affect me?
Yes. There’s a good chance that your password and other personal information on many different websites you use are vulnerable and have been vulnerable for the last two years. Twitter, Yahoo (including mail and Flickr), Tumblr and Dropbox are just a few of the major sites that were reported as vulnerable.
2) Should I change *all* of my online passwords right now?
Yes. Maybe. It’s tricky. Until the sites you use update their login security, your new password could still be vulnerable. Many sites have patched the bug already, but it will probably take a while for all the sites you use to be updated and protected. So, yes, you could change your passwords today and do it again in a month… and maybe again a month after that. In fact, you should make it a regular habit to change your passwords once or twice a year at the very least. And certainly for critical things like banking and email. On the other hand… see the next question.
3) How will I know when all of the sites I use have eliminated the Heartbleed Bug vulnerability?
That’s a very good question and one of the most difficult to answer. Many sites are letting users know they have updated their sites already. Facebook, Google, Microsoft, Amazon Web Services and Tumblr are a few of the sites that have announced they have patched the vulnerability as of today. Hopefully many popular social sites and your bank and other sites you share critical personal information with will let their customers/users know their sites are patched. Some experts are recommending you stay off of sites until you hear from their owners that they are indeed patched. In other words, if you can wait a few days to view your checking account balance online, some say it’s good to not sign in for a while.
That’s a horrible non-answer to give people, but there are a few potential temporary solutions. If you use Chrome as your browser, there appears to be a new plugin you can add that will tell you if you’re visiting a site that hasn’t been patched against the Heartbleed Bug. It’s called Chromebleed. I can’t personally vouch for this or the other links below, but I’m trying it out. https://chrome.google.com/webstore/search/chromebleed
On NPR’s Marketplace website tonight, they listed these two other resources that might be useful.
A list of vulnerable and non-vulnerable sites as of April 8th.
A link to test if a site you visit has been patched:
4) I use the same password for everything. Is that bad? Am I screwed?
Yes. That’s really, really bad. Really bad. Even before the Heartbleed Bug was revealed this week, there have been lots of cases of hackers getting access to one password, and if you use the same password everywhere, they then have access to all of your online accounts. You should never ever use the same password for your bank or email that you use, for example, with Dropbox, Facebook or Instagram or Tumblr. There are many great apps out there that can store all of your different passwords so you don’t have to remember them all. Yes, it’s a pain. But having someone hack your bank account because they figured out your Amazon password is the same as your bank password is soooooo much more of a pain.
5) How do I know if someone has gained access to my information because of the Heartbleed Bug?
Sadly, there’s no way to know for sure. That’s one of the reasons this is such a serious problem. The best thing to do is just assume your information has been compromised and change your passwords. And then keep changing them every month for a while.
6) Auuuughhh. I hate this.
Yes. We all hate this.
I hope this helps. Be careful out there.