
In the last few days, most online security news has been about the Heartbleed Bug. What is it? How does it affect us? Why does it matter?

The Heartbleed Bug (some sites call it the Heart Bleed Bug) is a serious vulnerability in OpenSSL, the open-source library widely used to encrypt Internet communications, including HTTPS. It is a bug in OpenSSL's implementation of the TLS heartbeat extension: a client sends a short heartbeat message but claims it is much longer, and a vulnerable server answers with up to 64 KB of whatever happens to be in its memory next to that message. That memory can hold usernames and passwords, session cookies and even the server's private key, so a simple script can pull private data out of a vulnerable server, and the exchange normally leaves no trace in server logs. The bug affects OpenSSL 1.0.1 through 1.0.1f and is fixed in 1.0.1g (CVE-2014-0160). It was discovered independently by the Codenomicon team and Google's security team.
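To make the mechanism concrete, here is an added simulation written for this article (it is not OpenSSL code and not a scanner). It models a heartbeat handler over a constructed in-memory buffer: the vulnerable version trusts the length field in the message and copies that many bytes, reading past the real payload into neighbouring memory; the fixed version applies the bounds check that OpenSSL 1.0.1g added (discard the message if 1 + 2 + payload length + 16 bytes of padding exceeds the record length). The memory contents, the function names and the 200-byte claim are all assumptions chosen for the illustration.

```python
"""Simulation of the Heartbleed mechanism (added illustration, not OpenSSL code)."""
import struct

# Constructed sample of "server memory" that happens to sit right after the
# heartbeat request in the process heap. Real memory is whatever the server
# was working on: passwords, cookies, private key material.
SECRET_MEMORY = b"user=alice&password=hunter2&session=deadbeef"

PADDING_LEN = 16  # TLS heartbeat messages end with at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request: type(1) | payload_length(2) | payload | padding.

    An honest client sets claimed_length == len(payload). A Heartbleed attacker
    sends a tiny payload but claims a much larger length.
    """
    return bytes([1]) + struct.pack(">H", claimed_length) + payload + b"\x00" * PADDING_LEN


def vulnerable_heartbeat_handler(record: bytes, memory_after_record: bytes) -> bytes:
    """Models OpenSSL 1.0.1 through 1.0.1f.

    The handler reads payload_length from the message and copies that many
    bytes starting at the payload, with no check against the record length.
    Bytes beyond the record come from whatever follows it in memory.
    """
    claimed = struct.unpack(">H", record[1:3])[0]
    # What memcpy would see: the payload, then the bytes that follow it in memory.
    readable = record[3:] + memory_after_record
    return readable[:claimed]  # up to 64 KB of memory echoed back to the client


def fixed_heartbeat_handler(record: bytes, memory_after_record: bytes):
    """Models the 1.0.1g fix: reject a message whose claimed length does not fit."""
    claimed = struct.unpack(">H", record[1:3])[0]
    if 1 + 2 + claimed + PADDING_LEN > len(record):
        return None  # silently discard, exactly as the patched OpenSSL does
    return record[3:3 + claimed]


def demo() -> dict:
    """Run an honest and a malicious heartbeat through both handlers."""
    honest = build_heartbeat(b"hello", 5)
    malicious = build_heartbeat(b"hello", 200)  # claims 200 bytes, sends 5
    return {
        "vulnerable_honest": vulnerable_heartbeat_handler(honest, SECRET_MEMORY),
        "vulnerable_malicious": vulnerable_heartbeat_handler(malicious, SECRET_MEMORY),
        "fixed_honest": fixed_heartbeat_handler(honest, SECRET_MEMORY),
        "fixed_malicious": fixed_heartbeat_handler(malicious, SECRET_MEMORY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The honest request gets "hello" back from both handlers. The malicious request gets "hello", the padding and then the constructed secret memory from the vulnerable handler, and nothing at all from the fixed one. In a real server the leaked region is 64 KB at most per request, and an attacker simply repeats the request to sample more of the heap.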

Who should worry?
Every webmaster and security specialist should check their servers for this vulnerability. The quick check is to run "openssl version" on the server: OpenSSL 1.0.1 through 1.0.1f is vulnerable, 1.0.1g and later are fixed, and the older 0.9.8 and 1.0.0 branches never had the heartbeat code. Two caveats: Linux distributions usually backport the fix without changing the version number, so check the package changelog rather than the version string alone, and a patched library only takes effect once every service that loaded the old one (web server, mail server, VPN) has been restarted. Some sites are unaffected, but because OpenSSL is so popular for securing Internet traffic, this bug affects a huge number of sites.

I’m an ordinary person, should I worry?
If you use the Internet and have ANY login or online account (including but not limited to email, Facebook, Twitter, PayPal and online banking), then yes, you should worry. It means somebody could have had access to your data, your password, or even your banking or credit card information.

Which sites are affected?
There are too many sites on the Internet to list them one by one. As a general guide, most of them were affected, but some fixed it within a few hours of the bug being announced. Google announced that they are confident they fully fixed all their services before any private information was retrieved through this bug. Nobody knows whether this is true or not due to the lack of technical information, but to me it makes sense, since their security team is one of the two teams that discovered it. Naturally they had time to fix it before the public even heard about it. Facebook and most social media sites were affected prior to the announcement of this bug, but as this article is written, most of them have fixed their services. Yahoo is the only major web company that still had vulnerable servers by the time the public heard about this bug, so Yahoo accounts have the highest likelihood of having been compromised. Some news reports suggest that Yahoo has fixed SOME of their services, but not all. And since a Yahoo account is shared across their services, having ONE service still vulnerable means the entire account is still vulnerable.

Should I change my password now?
It depends. This bug requires every site and every company to do their own checks and apply their own fix. It is recommended to change your password for a particular site or service as soon as they have fixed their servers. However, this does NOT mean you should change all your passwords immediately: if you change your password before a site has fixed its servers, the new password is just as exposed as the old one. Note also that a fix is only complete once the site has also replaced its TLS certificate, because the server's private key may have leaked too; until a new certificate is in place, traffic to the site can still be decrypted or impersonated, so a new password is not yet safe there either.
So wait: don't change it too soon, and don't change it too late. Most probably you will need to change your passwords for different sites at different times.