Really. This is a huge problem. There’s a bug in the security encryption software used by large segments of the internet (possibly millions of websites) to encrypt and secure private data from being transmitted to the internet which causes data leaks (passwords, user names, banking info, etc.) when the server communicates with a computer attempting to communicate with that server. Worse: The data can be stolen without leaving a trace, and impersonations would go undetected. Heartbleed is also thought to affect browser cookies.
So, instead of a wall, there’s a sieve. The bug exists in OpenSSL which is the most common software used to secure data. This software had been thought invulnerable. This bug allows criminals to eavesdrop on the connection and potentially obtain the encryption keys used to secure the connection (the Transport Layer Security – TLS) potentially revealing 64K of memory.
The good news is that there’s a fix already out there, but in addition installing the fix, there is a need to generate new keys, and new digital certificates will be needed.
So…if you own a website which employs logons with usernames and passwords, you should get the fix to OpenSSL and revoke any compromised keys, generate new ones and get a new digital certificate.
For regular folks on the Internet, c|net has put out a “What you can do to protect yourself” here.
Do not log into accounts from afflicted site until you're sure the company has patched the problem. If the company hasn't been forthcoming -- confirming a fix or keeping you up to date with progress -- reach out to its customer service teams for information, said John Miller, security research manager for TrustWave, a security and compliance firm.
Some Web sites that appeared to have been affected included Yahoo and OKCupid, though the companies have said their sites are all or partly fixed (see below for details). You can check sites on an individual basis here, though caution is still advised even if the site gives you an "all clear" indication. If you're given a red flag, avoid the site for now.
The natural response might be to want to change passwords immediately, but security experts suggest waiting for confirmation of a fix because further activity on a vulnerable site could exacerbate the problem.
Once you've got confirmation of a security patch, change passwords of sensitive accounts like banks and email first. Even if you've implemented two-factor authentication -- which, in addition to a password asks for another piece of identifying information, like a code that's been texted to you -- changing that password is recommended.
Don't be shy about reaching out to small businesses that have your data to make sure they are secure. While the high-profile companies like Yahoo and Imgur certainly know about the problem, small businesses might not even be aware of it, said TrustWave's Miller. Be proactive about making sure your information is safe.
Keep a close eye on financial statements for the next few days. Because attackers can access a server's memory for credit card information, it wouldn't hurt to be on the lookout for unfamiliar charges on your bank statements.
Tor (of anonymous browsing fame) has even recommended staying off the net for a few days until things settle out. Tests on the Google, facebook and twitter appear to have good results (the sites appear to be safe).
Yahoo is not fully, yet:
"I encourage users to not log in into [Yahoo] and other services that are affected since the credentials could have been leaked if they used the service," said Jaime Blasco, director of AlienVault Labs, a security research firm. "As soon as Yahoo solves the issue, it will be helpful if users change their password just in case."
Update:
Seth Rosenblatt over at c|net has put together a list of the top 100 internet sites and their Heartbleed status.
This list is being updated as he receives answers. If you're interested in keeping your data private, I's suggest changing your passwords,
checking sites you use (not on the top 100 list) with the link in reply 4 http://filippo.io/Heartbleed/
and reviewing the list here: http://www.cnet.com/news/which-sites-have-patched-the-heartbleed-bug/?ftag=CAD1acfa04&s_cid=e404&tag=nl.e404&ttag=e404
periodically.
Source:
http://phys.org/news/2014-04-heartbleed-bug-triggers-openssl-advisory.html
http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/