The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed Bug undoes any web encryption to reveal data. Passwords are very vulnerable at this time because of the Heartbleed Bug. Any type of encryption you use online is vulnerable to theft. Someone can steal your online information easily including, passwords, emails, documents, and more. So it is extremely important that you change your passwords ASAP!
If you want a structured way to go about the password change, we recommend changing important passwords (banking accounts, sites that you know are storing sensitive information, sites you visit often, etc.) first. You may also want to confirm that sites have fixed the vulnerability or you may end up changing the password a second time. Please use our comment form below if you are aware of major services that have had their security updated for the heart bleed bug and we will update this article accordingly.
I have users asking if they should reset passwords for online services that we use. Since the security sites are mixed on next steps I don't have a good answer. Some say not worth doing until we know the service has been patched because until then the new password is also vulnerable. Other sites, like the site above, say change passwords immediately and don't wait for patch verification , and then change passwords again if needed.
So far I have done nothing. From what I've seen, GMail was using the buggy version of OpenSSL but they have fixed that already. (Or so I understand -- there's a lot of nontechnical writing about the issue which ignores or confuses important details.) And I'm a GMail user. But then there are millions of other GMail users, and also from what I've seen you can't use this exploit to target specific users, only to get random data from the server which might contain useful information for the malefactor. And even that information has to be reviewed by a human, so it's far less damaging than other exploits in the past which just stole databases containing unencrypted passwords. Which means that the chance that my password has been revealed is quite small.
But like everybody else I'm not a security expert and there are certainly things going on here which I don't comprehend. So you could reasonably accuse me of making up a story to support my bias towards inaction.
Changing passwords is generally done too rarely, so anything that convinces users to do so is a good thing, IMO :-) But yes - as long as the site in question in unpatched, it should be done again after the patch. But there's more to it - as Paul said, random data could have been grabbed, so any credit card information submitted to vulnerable sites, or anything else for that matter, could conceivable have been exposed.
It's also important to consider the timeline. The bug in question was introduced on January 1st 2012 (makes you wonder if the developer was hung over :-), so only sites would be vulnerable that installed a fresh OpenSSL version some time after that. I have ensured that the sites I'm responsible for were not vulnerable (due to using an older OpenSSL version). That's the minimum anyone in charge of a publicly accessible site should do.
As usual, Bruce Schneier has some good information and some salient links, including a vulnerability checker, more in-depth articles, an XKCD cartoon, and this sobering quote:
Bruce Schneier wrote:At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.
It depends on the Linux distribution; the one we use has stuck with OpenSSL 0.9.8, which -as you see here- has had numerous releases even after the 1.0.1 version that introduced this particular bug.
Security is a conservative business. On the desktop I might agree with "newer is better"; on the server not so much, at least not without careful evaluation. The potential benefits of updates have to be weighed against the potential costs; installing updates frequently is generally not an option. That said, OpenSSL -especially the widely used version 0.9.8- has had a good reputation; an update did not seem necessary.
Oh, and as to "The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything." - two years ago this would have seemed like a conspiracy theory. In a post-Snowdon world, we know this kind of thing has happened.