Heartbleed

No doubt you have heard about the Heartbleed security vulnerability, disclosed earlier this week by engineers from Google and a second security firm, and how it could potentially permit eavesdropping on Internet transmissions thought to be securely encrypted on some two-thirds of the Web’s servers.

Here is a pretty good lay explanation of how Heartbleed works:

“OpenSSL Heartbeat (Heartbleed) Vulnerability (CVE-2014-0160) and its High-Level Mechanics”, a video from Elastica Inc on Vimeo.

UPDATE:  And maybe an even better illustration here!
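The mechanics those illustrations describe, as an added example written for this post rather than code taken from OpenSSL: a simplified C model of the TLS heartbeat handler, with the vulnerable length handling and the patched check side by side. The record layout, the surrounding "arena" of memory, the SECRET string and the handler names are all constructed for the demonstration. The bug is that the server copies as many bytes as the peer claims to have sent, not as many as actually arrived; the fix is a single comparison against the real record length.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16      /* minimum padding a heartbeat message carries */
#define ARENA_SIZE   256     /* constructed: size of our stand-in for process memory */

typedef unsigned char *(*hb_handler)(const unsigned char *, size_t, size_t *);

static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void s2n(uint16_t v, unsigned char *p) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Assemble the response: type byte, 2-byte length, copy_len bytes copied
 * from 'payload', then padding. Caller frees. The memcpy here is the line
 * that reads past the request whenever copy_len is larger than the truth. */
static unsigned char *build_response(const unsigned char *payload, uint16_t copy_len, size_t *resp_len)
{
    *resp_len = 1 + 2 + (size_t)copy_len + HB_PADDING;
    unsigned char *resp = malloc(*resp_len);
    if (resp == NULL) return NULL;
    resp[0] = HB_RESPONSE;
    s2n(copy_len, resp + 1);
    memcpy(resp + 3, payload, copy_len);
    memset(resp + 3 + copy_len, 0, HB_PADDING);
    return resp;
}

/* Vulnerable model of the pre-1.0.1g handler: the peer-supplied 16-bit
 * length is trusted and never compared with the actual record length. */
unsigned char *heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, size_t *resp_len)
{
    (void)rec_len;                          /* never consulted: that is the bug */
    if (rec[0] != HB_REQUEST) return NULL;
    return build_response(rec + 3, n2s(rec + 1), resp_len);
}

/* Fixed model of the 1.0.1g handler: a request whose claimed payload does
 * not fit inside the record is silently discarded. */
unsigned char *heartbeat_fixed(const unsigned char *rec, size_t rec_len, size_t *resp_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return NULL;       /* no room for even header + padding */
    if (rec[0] != HB_REQUEST) return NULL;
    uint16_t payload_len = n2s(rec + 1);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return NULL;   /* the missing bounds check */
    return build_response(rec + 3, payload_len, resp_len);
}

/* Constructed sample of process memory: the request (real payload "ping",
 * 4 bytes) followed by data belonging to some other connection. */
static const char SECRET[] = "session_cookie=constructed-sample-value";

static size_t lay_out_arena(unsigned char *arena, uint16_t claimed)
{
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    s2n(claimed, arena + 1);                 /* what the sender claims */
    memcpy(arena + 3, "ping", 4);            /* what was actually sent */
    size_t rec_len = 1 + 2 + 4 + HB_PADDING; /* true record length: 23 bytes */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Run a handler against a request claiming 'claimed' payload bytes and
 * report whether SECRET shows up in the response (1) or not (0). The arena
 * is sized so the over-read stays inside it, so the demo itself is
 * well-defined; on a real server the same copy walks into whatever is next. */
int leaks_secret(hb_handler handler, uint16_t claimed)
{
    if (claimed > ARENA_SIZE - 3) return -1;
    unsigned char arena[ARENA_SIZE];
    size_t rec_len = lay_out_arena(arena, claimed);
    size_t resp_len = 0;
    unsigned char *resp = handler(arena, rec_len, &resp_len);
    if (resp == NULL) return 0;              /* request dropped: nothing leaks */
    size_t copied = resp_len - 3 - HB_PADDING;
    size_t secret_off = rec_len - 3;         /* where SECRET lands in the copied payload */
    int leaked = copied >= secret_off + strlen(SECRET) &&
                 memcmp(resp + 3 + secret_off, SECRET, strlen(SECRET)) == 0;
    free(resp);
    return leaked;
}

/* An honest request (claimed length 4 == real length) must still be
 * answered by both handlers, or the fix would break keep-alives. */
int echoes_ping(hb_handler handler)
{
    unsigned char arena[ARENA_SIZE];
    size_t rec_len = lay_out_arena(arena, 4);
    size_t resp_len = 0;
    unsigned char *resp = handler(arena, rec_len, &resp_len);
    if (resp == NULL) return 0;
    int ok = resp[0] == HB_RESPONSE && n2s(resp + 1) == 4 && memcmp(resp + 3, "ping", 4) == 0;
    free(resp);
    return ok;
}

int main(void)
{
    printf("vulnerable, claims 200 bytes: leak=%d\n", leaks_secret(heartbeat_vulnerable, 200));
    printf("fixed,      claims 200 bytes: leak=%d\n", leaks_secret(heartbeat_fixed, 200));
    printf("vulnerable, honest request:   echo=%d\n", echoes_ping(heartbeat_vulnerable));
    printf("fixed,      honest request:   echo=%d\n", echoes_ping(heartbeat_fixed));
    return 0;
}
```

The vulnerable handler answers a request that claims 200 bytes with 200 bytes, and the constructed "session cookie" sitting after the record comes back with it; the fixed handler drops that request and answers only the honest one. Note what the fix does not do: it stops further over-reads, but it cannot recover anything that was already copied out, which is why patching alone does not settle whether keys or passwords were exposed beforehand.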

As this is a matter basically to be resolved by the sites and service providers themselves (the IT people at my workplace are scrambling to get any appropriate fixes in place, as is surely the rest of the tech world), end users can’t do much about the potential threat until the sites they use have been patched; otherwise new passwords and other private data will simply continue to be exposed.  (You can do some degree of testing yourself using the form at http://filippo.io/Heartbleed/, for example.  Bear in mind that a clean result only means the heartbeat bug itself is closed on that server; it says nothing about what may have been read out of its memory before the patch, which is why a site whose private key could have leaked also needs a new certificate.)

NOTE: No one (among the good guys) knows whether this vulnerability has actually been exploited, and a heartbeat over-read leaves nothing behind in ordinary server logs, so there is little to check after the fact.  But the enormous potential for havoc means it is better to be safe than sorry.

So my personal approach is to avoid using any sites or service providers that I am uncertain about (this applies, of course, only to those where I have previously set up accounts or provided personal data and that I log into over “https://”), and then, when I am assured that they have implemented the fixes, to change my passwords.  And if I MUST use those sites in the meantime, I am prepared to change my passwords at least daily to hopefully minimize my exposure.

For a more complete and technical rundown, visit http://heartbleed.com.

4 thoughts on “Heartbleed”

  1. (Yeah, I know … changing your passwords is one thing, but your SSN??? Not gonna happen.)

    My final bit of advice: Don’t panic (and don’t worry right now about those conspiracy theories of how this vulnerability has existed for a couple of years, possibly NSA-condoned or worse).
