It’s a good thing when a technology vulnerability gets enough attention that it is patched quickly and methodically.
However, it may also raise undue concern due to its complex nature and variety of headlines that leave us consumers confused and unsure what to do. The context of this article is for you and I as consumers and what we need to know and do about it.
First, there’s no sense in expressing any panic since the extent of the compromise may never be known. The only thing we can do is wait for vulnerable services to be verifiably patched, and then change your password.
Here’s what you and I need to do, step by step:
- Identify the services where we store personal and/or confidential information, including sites like Yahoo, Twitter, Tumblr. A list of top 10,000 services that were vulnerable on April 8th at 1600UTC are listed here: https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt. Your company’s own proprietary system is unlikely to be listed there, but your IT department or IT company would know what to check for.
- Check if the services are still vulnerable which you can do here: http://filippo.io/Heartbleed/. Yahoo and Twitter and many others are already fixed and look like this when you check them:
- For each service that is fixed (and only if it is fixed), change your password.
- For extra measure, Nerds On Site would strongly suggest enabling 2-step authentication wherever possible. This is offered by Google, Twitter, Facebook, Microsoft, etc.
Rinse and repeat the above steps.
Many certificate private keys may also have been leaked. This means that in combination with a DNS man-in-the-middle attack, revoked certificates may be used in the future to re-direct you to the thief’s representation of a site and you would have no way of knowing it’s not the real site, unless you apply Certificate Revocation, which is disabled by default in all browsers. We recommend you use Google Chrome and go to Preferences, select “Show advanced settings” and then make sure this is checkmarked: “Check for server certificate revocation” like here:
For a good well-balanced perspective (somewhat technical), Bruce Schneier is one of the most respected voices:
Bruce raises legitimate concerns over embedded systems that may or may not be upgraded that may be exploited. This may lead to more credit card theft in the future, but most developed countries enjoy great consumer credit card protection methods that make this a lesser concern. As United States moves towards chip and pin, the value of credit card databases will also drop very quickly.
So stay tuned, stay somewhat concerned, but don’t fret too much. Time for some more coffee.
Update #1 (April 11): added browser revocation step