There’s something about running around changing your passwords two years after an exploit is discovered that seems kind of pointless, but it’s definitely worth doing. In reality there are potentially thousands of vulnerabilities in web browsers, communication protocols, web software and proxies in existence even now. Anyone with the skill, knowledge and resources can potentially break into any system anywhere.
But the main point is that the people who can do this are pretty rare, and many are completely honest. The problems really start to grow with something like the Heartbleed bug when it becomes common knowledge: a simple virus or exploit is never far behind. This is when the danger comes; as soon as there’s a simple method to exploit a bug like this, the risk escalates. Suddenly anyone with a modicum of technical skill can start harvesting usernames, passwords and credit card numbers.
Now is that time: the Heartbleed bug is no longer a vague vulnerability in OpenSSL, it has hit the mainstream and it’s extremely dangerous. Some of the biggest sites on the internet use OpenSSL for their security.
The problem is that if you change all your passwords now but the web administrators don’t install the patch and fix the bug, it makes no difference. You might change all your passwords, visit a web site that is still running the compromised version of OpenSSL, and the work has been in vain. People will have to start taking their own measures for security; after all, with issues like Heartbleed the fix lies with the web administrator.
There are ways to protect yourself, of course; one way is to use encryption. I use a little security application that encrypts my connection. I primarily use it as a way to watch UK TV abroad (see this video), but it also allows me to completely encrypt all the data passing between me and the server when I surf the web. Of course I still take the risk that the encryption algorithm is secure and that the administrators of the proxies I use have configured them correctly, but in truth my connection and data are many times more secure than anyone else’s.
Even in the worst-case scenario, where I visit a web site which has failed to patch OpenSSL and is being actively monitored by a group of hackers, my data will be protected: an unreadable stream of encrypted data among everyone else’s clear-text accounts and passwords. What is more, my data will not sit stored in logs at my ISP for anyone to view, and my IP address will be faked and hidden, like this, to stop the websites I visit logging my details too!