The general media has picked up on a huge bug that rocked the tech world this week. I’m sure it’s partially because it has such a great name and logo. But what is Heartbleed and how does it affect you?
This isn’t a virus or malware that affects your computer. It’s a bug in some very critical code that is run by a lot of web servers. Basically, it gives out somewhat random chunks of the server’s memory to anyone who asks for it. That memory usually contains gibberish, but sometimes it will contain things like user passwords or the keys that encrypt all the traffic going in and out of the server. The webcomic xkcd has a very simple explanation of the bug.
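The following is an added illustration, not code from the original post or from any TLS library. It models the shape of the bug the paragraph describes: a heartbeat request carries a length field, and the server copies that many bytes of payload into its reply. If the length field is trusted without comparing it to the number of bytes actually received, the copy runs past the request into whatever sits next in memory. The "server memory" here is one constructed array (`arena`), the secret in it is made up, and all of the names are assumptions chosen for the demo; the array exists only so the over-read stays well-defined instead of crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64
#define RECORD_LEN 3   /* bytes actually received: 2-byte length field + 1 payload byte */

/* Constructed "server memory": one heartbeat record whose length field claims
 * 32 (0x0020) bytes of payload although only one byte ("A") was sent, followed
 * by unrelated data that should never leave the server (a made-up secret).
 * The rest of the array is zero-filled. */
static const uint8_t arena[ARENA_SIZE] =
    "\x00\x20" "A"
    "--session-key:hunter2--";

/* Reply buffer shared by the demonstration below. */
static uint8_t reply[ARENA_SIZE];

/* Read the 16-bit big-endian payload length at the front of a record. */
static size_t payload_length(const uint8_t *rec)
{
    return ((size_t)rec[0] << 8) | rec[1];
}

/* Vulnerable pattern: trusts the client's length field and copies that many
 * payload bytes, never asking how many bytes were really received.
 * Returns the number of bytes placed in `out`. */
size_t heartbeat_reply_unchecked(const uint8_t *rec, uint8_t *out, size_t out_cap)
{
    size_t n = payload_length(rec);
    if (n > out_cap)          /* keeps the *write* in bounds; the *read* is the bug */
        n = out_cap;
    memcpy(out, rec + 2, n);  /* reads far past the 3 received bytes */
    return n;
}

/* Hardened pattern: the claimed payload length must fit inside the bytes that
 * actually arrived, otherwise the request is silently discarded.
 * Returns bytes copied, or -1 when the record is rejected. */
long heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < 2)
        return -1;                      /* not even a complete length field */
    size_t n = payload_length(rec);
    if (n > rec_len - 2 || n > out_cap)
        return -1;                      /* length field claims more than was received */
    memcpy(out, rec + 2, n);
    return (long)n;
}

/* Does a reply contain a given byte string? Used to show what leaked. */
int reply_contains(const uint8_t *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return 1;
    return 0;
}

int main(void)
{
    size_t got = heartbeat_reply_unchecked(arena, reply, sizeof reply);
    printf("unchecked: returned %zu bytes, secret leaked: %s\n",
           got, reply_contains(reply, got, "hunter2") ? "yes" : "no");
    long ok = heartbeat_reply_checked(arena, RECORD_LEN, reply, sizeof reply);
    printf("checked:   %s\n", ok < 0 ? "request rejected" : "reply sent");
    return 0;
}
```

The only difference between the two functions is the comparison of the claimed length against `rec_len`, the number of bytes the server really received. That single bounds check is what the fix for the real bug amounted to; everything else (the key and certificate replacement, the password changes) follows from the fact that servers ran without it for a long time.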
There are a bunch of things that need to happen to fix the hole. First, the server admins need to patch their systems, generate new encryption keys, and replace their SSL certificate. Once that happens, you can complete the final piece of the puzzle by changing your password. Some websites are being proactive and telling you when they’re ready for you to change your password. Others are being quieter about it.
This whole thing has been *gasp* overhyped by the media. Yes, it’s a potentially big vulnerability, but the odds of someone exploiting you are low, the patch is relatively quick and easy, and there’s evidence that nobody launched a widespread attack using this vulnerability before it was announced. That being said, updating your passwords is still a good idea. There are various lists around the internet that tell you which sites were affected, but this one is a pretty good resource. They are updating it regularly and telling you when it’s time to change your password (if you need to change your password at all).
If you’re changing all these passwords but you aren’t using a password manager, consider getting started with something like LastPass.com. It’s free and easy. If you’re already a LastPass member, run their security checker tool. They’ll tell you which of your passwords need to be changed. LastPass was affected by Heartbleed too, but because they encrypt all of their traffic even underneath the SSL encryption, there’s no chance that any of the LastPass data was exploited.
So don’t fret about this too much, but do make sure you’re changing passwords as needed.