If you pay any attention to the tech press you will have seen many hysterical mentions of the Heartbleed Bug in the last week, including some contradictory stories as more information came out. Now that we have had a few days to settle down, the picture is much clearer.
So what is it?
The Heartbleed bug (CVE-2014-0160) is a serious flaw in the popular OpenSSL cryptographic library. A missing bounds check in its handling of the TLS heartbeat extension lets an attacker read up to 64 KB of the server's memory per request, with no authentication and normally no trace in the server's logs. Whatever happens to be in that memory is exposed: usernames and passwords, credit card details, session cookies and, worst of all, the private keys the server uses to secure itself.
The bug only affects OpenSSL, and only versions 1.0.1 through 1.0.1f (it is fixed in 1.0.1g), but that still adds up to around 20% of the net. OpenSSL is also used by some instant messaging clients and some VPNs, so web browsing is not the only thing at risk. To give you some idea of the scale, affected sites include Yahoo, Google and Facebook.
Should I worry?
Probably. When the flaw was first made public there was no proof that it had been used by bad guys, but working exploit code was public within a day and several days have now passed, so you can be sure it is being actively abused. In addition there have been reports, which the NSA denies, that the NSA has known about the flaw for a long time and has been actively using it to monitor and spy on the net.
What can I do?
Unfortunately there is no simple answer. The usual advice to change your passwords does apply, but only once the site has patched the bug, generated a new private key and had a new certificate issued (and, ideally, the old one revoked). If you change your password before the server is fixed, the new password can be stolen just like the old one, so it does you no good at all.
If you are a LastPass user there is a tool that will check whether each site in your vault has been patched and has re-issued its certificate, but unfortunately it only covers sites you had stored before the bug became general knowledge. Otherwise your best bet is to check your frequently used sites here or on this top 100. Once a site has fixed the flaw and changed its keys you should log in, change your password and review any security information (such as security questions) stored on the account.
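The "has the site changed its keys?" part of that check can be done by hand: a server that has replaced its key must be serving a certificate issued after the public disclosure on 7 April 2014. The script below is an added example, not code from the original post or from LastPass or OpenSSL. It reads the certificate's notBefore date in the format Python's `ssl` module returns and compares it with the disclosure date; the two sample certificates are constructed, not taken from any real site. The hostname argument to `fetch_cert` is whatever site you want to test.

```python
import ssl
import socket
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) was disclosed publicly on 7 April 2014 and fixed
# in OpenSSL 1.0.1g the same day.  A certificate issued before that date
# belongs to a key that may have been leaked; a site that has "changed its
# keys" must be serving one dated after it.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def not_before(cert):
    """Return the certificate's notBefore field as an aware UTC datetime.

    `cert` is the dict returned by ssl.SSLSocket.getpeercert(); its
    'notBefore' value is a string such as 'Apr 10 12:30:00 2014 GMT'.
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_disclosure(cert, disclosure=DISCLOSURE):
    """True if the certificate was issued on or after the disclosure date.

    This is a necessary condition for the site having replaced its keys, not a
    sufficient one: a CA can reissue a certificate for the same (possibly
    leaked) key, and the date says nothing about whether the server software
    itself has been patched.
    """
    return not_before(cert) >= disclosure


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch and parse the leaf certificate a live server presents (needs network)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def verdict(cert):
    """One-line summary of what the certificate date tells the user."""
    issued = not_before(cert).date().isoformat()
    if reissued_after_disclosure(cert):
        return f"issued {issued}: after disclosure; change your password once the server is confirmed patched"
    return f"issued {issued}: predates disclosure; key not yet replaced, changing your password now is pointless"


# Constructed sample certificates in getpeercert() format (hypothetical site,
# not real data): one issued before Heartbleed went public, one after.
OLD_CERT = {"subject": ((("commonName", "shop.example"),),),
            "notBefore": "Jan 15 00:00:00 2014 GMT",
            "notAfter": "Jan 15 23:59:59 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "shop.example"),),),
            "notBefore": "Apr 10 12:30:00 2014 GMT",
            "notAfter": "Apr 10 12:30:00 2015 GMT"}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live mode: python heartbleed_cert_check.py example.com another.example
        for host in sys.argv[1:]:
            print(host, "->", verdict(fetch_cert(host)))
    else:
        for label, cert in (("constructed old cert", OLD_CERT), ("constructed new cert", NEW_CERT)):
            print(label, "->", verdict(cert))
```

Treat a post-disclosure date as a green light only together with confirmation that the server has been patched; the reverse, a pre-disclosure date, is a reliable red light on its own.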
There will inevitably be some smaller sites that either never update or take a long time doing so. Think carefully before continuing to use them, because anything you send them, including a new password, can still be read.
Finally, keep a close eye on your bank and credit card statements. There have not yet been any reports of fraud or scams caused by the bug, but they are inevitable at some point.