Massive Internet Security Vulnerability -- Here's What You Need To Do
So what should I do?
Before performing sensitive tasks over HTTPS:
Check a reputable list of websites that do not run OpenSSL. Mashable published such a list – and many major banks are on it. If a site did not run OpenSSL on any of its equipment in the last few years, it was not vulnerable to the current bug. Of course, if you use the same password on a site that was or is vulnerable as you do on a site that is not vulnerable, you should change it on the non-vulnerable site ASAP.
If you check the list and find that a site was indeed running OpenSSL – check whether the site has been patched. Most (if not all) major sites did patch. In that case, it is probably a good idea to change your password on that site ASAP. Be careful, however, not to weaken the strength of your passwords just because you have to update several at the same time, and do not reuse passwords that you use on sensitive sites. Don’t let Heartbleed cause you to create new password risks.
If you find some site that was vulnerable and for some reason has not confirmed that it has patched (and, hopefully, there should not be too many like that) – I would wait to change my password, and, if possible, either check the site myself using one of the reliable tools to do so (e.g., http://filippo.io/Heartbleed/) or refrain from using the site until I could confirm that a patch has been applied. As described above, changing your password before the patch is applied could actually worsen the situation.
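For readers who administer a server themselves, the following is an added example (not part of the original article, and not the tool linked above) showing two passive checks: whether a reported `openssl version` string falls in the affected upstream range, and whether a server's handshake advertises the TLS heartbeat extension at all. Neither check sends a heartbeat request. The assumptions, which the article does not state, are that upstream OpenSSL 1.0.1 through 1.0.1f carry the bug and 1.0.1g fixes it, and that `openssl s_client -tlsextdebug` prints advertised extensions as `TLS server extension "heartbeat" (id=15), len=1`. Distribution vendors backport fixes without changing the version number, so a version in the affected range means "consult the vendor advisory", not "vulnerable"; conversely, a server that does not advertise the heartbeat extension cannot be hit by Heartbleed whatever its version.

```shell
#!/bin/sh
# Added example, not from the original article. Passive Heartbleed posture
# checks for a server you administer; no heartbeat message is ever sent.

# Returns 0 (true) if an `openssl version` string names an upstream release
# in the affected range 1.0.1 .. 1.0.1f (assumption: upstream range only;
# vendor backports keep the old version string even when patched).
heartbleed_version_vulnerable() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')   # e.g. "1.0.1e"
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Returns 0 if `openssl s_client -tlsextdebug` output shows the server
# advertising the heartbeat extension. Absence means the bug is unreachable;
# presence means only "check further", since a patched server still advertises it.
heartbeat_extension_advertised() {
    printf '%s\n' "$1" | grep -q 'TLS server extension "heartbeat"'
}

# Live wrapper for a host you administer (needs network; not exercised below).
probe_heartbeat_extension() {
    out=$(echo | openssl s_client -connect "$1:443" -tlsextdebug 2>/dev/null)
    heartbeat_extension_advertised "$out"
}

# Human-readable verdict for a version string.
report_version() {
    if heartbleed_version_vulnerable "$1"; then
        echo "version '$1': in the affected range, confirm vendor patch status"
    else
        echo "version '$1': outside the affected range"
    fi
}

# Constructed sample data so the script runs offline.
SAMPLE_VERSION_OLD='OpenSSL 1.0.1e 11 Feb 2013'
SAMPLE_VERSION_FIXED='OpenSSL 1.0.1g 7 Apr 2014'
SAMPLE_TLSEXT_WITH_HB='TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1'
SAMPLE_TLSEXT_NO_HB='TLS server extension "renegotiation info" (id=65281), len=1'

report_version "$SAMPLE_VERSION_OLD"
report_version "$SAMPLE_VERSION_FIXED"
if heartbeat_extension_advertised "$SAMPLE_TLSEXT_WITH_HB"; then
    echo "sample A: heartbeat advertised, version/patch status decides"
fi
if ! heartbeat_extension_advertised "$SAMPLE_TLSEXT_NO_HB"; then
    echo "sample B: heartbeat not advertised, Heartbleed not reachable"
fi
```

To check a real host you operate, call `probe_heartbeat_extension your.host.example` and treat "not advertised" as the only conclusive safe result; anything else still needs the vendor's patch confirmation.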
Be wary of phishing attacks – type in the URL of any sensitive site to which you are going. Do not click links to get there. While I have, in the past, demonstrated methods of using various exploits to impersonate sites that use SSL, those hacks required much more effort than doing so would take for someone who stole a certificate and key. Until all possibly-pilfered SSL certificates are replaced as described above, the potential for real-looking phishing sites is enormous. So be wary.
Hopefully, browser vendors will also add code to warn users accessing sites running vulnerable versions of OpenSSL – so, make sure to keep your browser up to date.
Of course, the above reflects my opinion, and others may feel free to disagree.