I received an email from a friend of mine the other day asking if he should change his passwords in response to all the news about Heartbleed he was hearing. Before I respond, let's take a closer look at the vulnerability and the risk.
For those of you that haven't heard, OpenSSL 1.0.1 through 1.0.1f has a bug in the heartbeat command (hence the name Heartbleed) that leaks the contents of memory over SSL. Why is this a concern? For starters, OpenSSL is used on millions of sites. Secondly, look at what may be stored in memory and therefore be readable through this attack: accounts, passwords, secret SSL keys, and many other juicy bits. If the secret SSL keys are stolen, the site has to upgrade to OpenSSL 1.0.1g (the fixed version) and then generate a new SSL key, a task that is a bit harder than the traditional "patch and repair" job. On the other hand, my account information may have been in memory at the time the site was attacked, and there are thoughts that folks who knew about this could have been constantly dumping all the information off of sites (according to Schneier, chances are 1 that the info is stolen: https://www.schneier.com/blog/archives/2014/04/heartbleed.html).
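To show why the heartbeat command could hand back arbitrary memory, here is an added toy in C (not OpenSSL's code and not part of the original post): a heartbeat handler that trusts the peer's length field, beside one that checks that claim against the record it actually received. The arena, the fake secret and the function names are all constructed for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed demo, not OpenSSL's code. A fixed arena stands in for process
   memory: the heartbeat record sits at its start, and the bytes right after it
   stand in for whatever else the process held (here a fake password). */
#define ARENA_LEN 64
static unsigned char arena[ARENA_LEN], reply[ARENA_LEN];
static const char fake_secret[] = "pw=hunter2";

/* Lay out a heartbeat request: type byte, 2-byte big-endian payload length as
   claimed by the peer, then the `actual_len` payload bytes that really arrived.
   Returns the true wire length. Caller keeps claimed_len + 3 <= ARENA_LEN. */
size_t build_request(uint16_t claimed_len, size_t actual_len) {
    memset(arena, 0, ARENA_LEN);
    arena[0] = 1;                                   /* heartbeat request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len);
    memcpy(arena + 3 + actual_len, fake_secret, sizeof fake_secret);
    return 3 + actual_len;
}

/* Vulnerable pattern: echo back as many bytes as the peer's length field
   claims, never comparing that claim with the record actually received. */
size_t reply_vulnerable(void) {
    uint16_t claimed = (uint16_t)((arena[1] << 8) | arena[2]);
    memcpy(reply, arena + 3, claimed);              /* reads past the record */
    return claimed;
}

/* Hardened pattern (the shape of the fix): discard any record whose claimed
   payload length does not fit inside the bytes that were received. */
size_t reply_hardened(size_t record_len) {
    if (record_len < 3) return 0;
    uint16_t claimed = (uint16_t)((arena[1] << 8) | arena[2]);
    if ((size_t)3 + claimed > record_len) return 0;  /* bounds check */
    memcpy(reply, arena + 3, claimed);
    return claimed;
}

/* 1 if the first n reply bytes contain the fake secret, else 0. */
int reply_leaks_secret(size_t n) {
    size_t slen = strlen(fake_secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(reply + i, fake_secret, slen) == 0) return 1;
    return 0;
}
```

A request that really carries 8 payload bytes but claims 40 makes the vulnerable handler copy the fake secret into its reply, while the hardened handler drops the record and replies with nothing.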
The fact that they have my data is what concerns me the most (yes, if they have the site's keys they could do bad things as well). This is why I told my friend a resounding YES: time to change your password. I understand that this may not be the easiest task, but better safe than sorry. If you haven't already, I would suggest that you look into a password safe solution that will make this and future password resets easier.
Want to learn more about Heartbleed? Check out the heartbleed.com website.