Early this week a security vulnerability was made public, given the name of “Heartbleed”. Unlike most security vulnerabilities, which never make much news, warnings about Heartbleed quickly spread around the Internet and have even made the mainstream media. Given the propensity for false alerts to spread around the Internet, I’ve been waiting to make sure that this wasn’t an overblown “Chicken Little” situation. However, the news has reached a fever pitch, so let me try to set the situation straight for anyone who is confused by all the hysterical warnings.
Heartbleed is the name given to a bug discovered in a particular implementation of SSL/TLS, the encryption protocol used for most secure web transactions. This protocol is used by nearly every web site, from banks to social media. The bug allows an attacker to gather small, arbitrary pieces of data from a server, data that would otherwise have been protected by encryption. Since encrypted data is often sensitive data, the data an attacker could have gathered may have been valuable: usernames, passwords, credit card numbers, social security numbers, etc. The biggest concern of security experts is that it may have been possible for an attacker to obtain the “private key” of a server, which would in theory allow them to decrypt all communications with that server from that point on. If the private key of a major server had been compromised, a lot of very valuable data could have been extracted.
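The bug is easier to see in code. The following is an added illustration, not code from the original post or from OpenSSL: a simplified heartbeat handler in C whose comments describe the missing length check behind Heartbleed, alongside the check the fix added. It assumes the record layout of the TLS heartbeat extension (one type byte, a two-byte length, the payload, then padding), and the two records it processes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_PADDING  16  /* heartbeat records carry at least 16 bytes of padding after the payload */
#define HB_RESPONSE 2   /* message type of a heartbeat response */

/* Read the payload length the peer claims: big-endian 16-bit value at offset 1.
 * Returns -1 when the record is too short to even hold the 3-byte header. */
static int hb_claimed_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 3) return -1;
    return (rec[1] << 8) | rec[2];
}

/* The check the fix added. The vulnerable code trusted the claimed length and copied that
 * many bytes into the reply, so a record carrying 4 bytes but claiming 65535 made the server
 * return whatever happened to follow the record in its memory. Here the claim must fit
 * inside the bytes that were actually received. Returns 1 if well-formed, 0 if it must be dropped. */
int hb_length_ok(const uint8_t *rec, size_t rec_len) {
    int claimed = hb_claimed_len(rec, rec_len);
    if (claimed < 0) return 0;
    return (size_t)1 + 2 + (size_t)claimed + HB_PADDING <= rec_len;
}

/* Hardened response builder: echoes the payload only after hb_length_ok passes.
 * Returns the number of bytes written to out, or 0 when the record is rejected. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (!hb_length_ok(rec, rec_len)) return 0;
    size_t claimed = (size_t)hb_claimed_len(rec, rec_len);
    size_t total = 1 + 2 + claimed + HB_PADDING;
    if (total > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);        /* bounded: claimed bytes are present in rec */
    memset(out + 3 + claimed, 0, HB_PADDING);  /* padding content is arbitrary; zero it */
    return total;
}

/* Convenience wrapper: how many bytes would be echoed for a given record (0 = rejected). */
size_t hb_echo_len(const uint8_t *rec, size_t rec_len) {
    uint8_t out[128];
    return hb_build_response(rec, rec_len, out, sizeof out);
}

/* Constructed records (not captured traffic): both carry a 4-byte payload "ping" plus padding,
 * but the second one claims a payload of 0xFFFF = 65535 bytes. */
static const uint8_t good_rec[1 + 2 + 4 + HB_PADDING]      = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t oversized_rec[1 + 2 + 4 + HB_PADDING] = { 1, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };

int main(void) {
    printf("well-formed record: %zu bytes echoed\n", hb_echo_len(good_rec, sizeof good_rec));
    printf("oversized claim:    %zu bytes echoed (0 = rejected)\n", hb_echo_len(oversized_rec, sizeof oversized_rec));
    return 0;
}
```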
Make no mistake, Heartbleed is indeed a very critical bug. Any affected server whose operators have not yet patched their software is putting its users’ data in serious jeopardy. However, for all the dire warnings of impending doom, I believe the hysteria has been overblown quite a bit. This bug even has its own web site and logo!
At this point, most reports are advising people to change their passwords on their online accounts. Obviously it is never a bad idea to change your passwords. It can’t hurt anything, and if your username and password were compromised, this will effectively protect you. However, based on everything I’ve read so far, the likelihood of your account being compromised is pretty low. While the affected implementation is popular, not every web site used the vulnerable version of it. And if the bug had been known to criminals (or intelligence agencies) ahead of the public announcement, then the damage would have been done already. Changing your password would prevent any future intrusions, but any valuable data would likely have already been compromised.
Based on my research, it appears that the Heartbleed bug was not known to the criminal underground prior to the public announcement this week. It certainly is possible that the NSA or other government intelligence agencies did know about the bug, so keep that in mind. Even if it had been known, the chances of criminals recovering data in a way that could compromise accounts are fairly low, given that they could only recover small amounts of arbitrary data from a server with each attack. Large-scale attacks would likely have triggered security alerts before now, so the bug would have been discovered earlier. Account numbers such as credit cards may have been more easily recovered, but if they had been, you probably would already have had your account compromised by now and taken steps to remedy that. Or your account will be compromised in the future, and the only thing you can do is to proactively change your credit card number, which is obviously a big pain.
The bottom line is that ideally you should be changing your passwords with some regularity anyway, so this situation should only reinforce the necessity of that practice. Otherwise, it is a potential avenue for identity theft for which there is no evidence of actual exploitation, so the likelihood is low. The reality of Heartbleed is that it is mostly a reminder (albeit a very loud and well-publicized reminder) to proactively protect yourself from identity theft. Companies like Lifelock are probably very happy, as I’m sure they’ll see a surge in new subscriptions soon. Otherwise, as for yourself, change your passwords just to be safe and keep an eye on your financial accounts as usual, but please don’t lose any sleep.