Folks, most of you know my day job is in IT, and in part I’m managing hosted environments for well over a million users worldwide. So a big part of my day today has been spent learning about Heartbleed. If you use the Internet, you need to learn about it too.
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
In other words – your email, your online chats, your Facebook, your credit card numbers, your Bitcoin stash … your everything.
From security expert Bruce Schneier: “‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”
So, what should you do? The Atlantic has a good summary.
Change the passwords for the handful of sites that really matter to you. I’ll explain how you can do this in a total of ten minutes or less. This probably isn’t necessary, but just in case…
Do not ever use the same password at two sites that matter to you. Ever. Heartbleed or not, this lowers the security level of any site with that password to the level of the sleaziest and least-secure site where you’ve ever used it.
Use a password manager, which can generate an unlimited set of unique, “difficult” passwords and remember them for you.
Use “two-step” sign-in processes wherever they’re available, starting with Gmail.
Read what happened in our family three years ago, when one of our Gmail accounts was taken over by someone in Africa, if you would like a real-world demonstration of why you should take these warnings seriously. It’s from an article called “Hacked.”