Be Still My Heartbleed

You probably have read about the Heartbleed Internet bug.  If you haven't, you should.  Seriously.  To be clear, Heartbleed is a bug, not a virus.  There's a huge difference.  It's a hole in coding for security certificates that websites need -- it's not an attack that others are making.  But it opens a vulnerability for attack. A huge vulnerability.

Friends have asked me my thoughts about it and what I think they should do.  The truth is -- I don't know.  It's outside of my paygrade.  I've read a bit and do have some thoughts, but I don't have a clue how valid they are.

(UPDATE:  After writing this article, I checked with my high-techie friend Ed Bott to see if I was way wrong or on the right track with what I write here.  Happily, I actually seem to have been pretty close.  Go figure.  I'll include his comments at the very end.  Okay, back to what I was saying...)

This article here, though, in the Washington Post is very good and well-worth reading.  "Well-worth" in this case means important.  Being in WaPo, rather than a tech journal, it's written in a reasonably accessible style for the general public, not for a techie crowd.

Just so you know a  lot of high-end tech sites are recommending that people change ALL their passwords.  While that's probably the best tech advice -- I'm not sure if it's the most feasible advice, or even necessarily worthwhile.  I could be very wrong on that, but here's my thinking:  what most people don't realize is that the vulnerability created by the Heartbleed bug has actually been around for two years.  So, there have been two years when you and everyone has been vulnerable already.  (Yes, there have been big attacks on websites, but they haven't necessarily been because of Heartbleed.)

The additional issue to consider is that even if you change all your passwords -- but the websites in question don't upgrade their own security certificate -- it doesn't matter what's you've done.  You'd still be vulnerable.  (And as the Washington Post article also notes -- "Changing your passwords won't protect you if you give them unwittingly to a hacker pretending to be your Web mail provider.")  On the other hand, if a website hasn't yet been hit, and they do change (or have already changed) their security certificate...then you're safe, whether or not you've changed your own password.

The thing to keep in mind, to repeat, is that this Heartbleed thing is about websites upgrading their security certificates to get the vulnerability fixed.  Not that there is a virus (there isn't) or an attack going on.  There isn't.

It's also important to keep in mind that the log-in sites to be most concerned about are the high-end ones that hold significant data, like banks and credit card information and such -- and those are the ones that studies have shown to have patched the hole already or (even better) didn't have a problem in the first place.  As that Washington Post states --

"The good news is that many of the Web's most critical sites — those belonging to banks and governments — were not vulnerable to Heartbleed in the first place, and so they won't have to reissue their certificates. Other businesses, such as Facebook, Dropbox, OkCupid and Netflix, were affected by Heartbleed and are either in the process of reissuing their certificates or have already completed the process. But hundreds of thousands of other sites may still be exposed."

The biggest problem from those "hundreds of thousands" of sites, according to the article, doesn't seem to be that you'll have your password stolen (keep in mind, again, that you've been at risk for the past two years -- and also these "lesser" sites don't have any of your critical data) but that updating hundreds of thousands of websites at once could slow the Internet to a literal craaaaaaaaaaawl during the process.  (The article explains why.)

Now, it's likely that all these smaller sites that require log-ins won't upgrade at the same time.  That's a problem, of course, but these are lesser sites where little or even no data of any kind is at risk, just your sign-in.  Maybe some of these sites also required your address and phone number -- but that's already available on any phonebook site.

By the way, here's a very good site to check out periodically -- it's a continually-updated list from CNET of the top 100 sites and whether they've fixed their security certificate yet.  You can find it here.  As for all the "lesser" sites, if you're concerned you can always just contact them directly and ask.  Not a bad thing to consider.

Probably the most important thing to do for the next while (a few weeks or months perhaps) is not to click on any links to a website that requires a log-in, since those can be spoofed, sending you to a fake site.  But if you manually type the URL address, you're guaranteed to go to the real site.  (To be clear, that real site still has to upgrade it's security certificate -- and hopefully it already has by now.)

And if you feel most comfortable changing your passwords on the most high-end, visible sites you visit which require passwords (Facebook, Twitter, Dropbox, Netflix, and so on), that would be a good thing.  As long as they've already implemented the security fix.  It may not be necessary, but it certainly would add a layer of security, and in the end might indeed protect you.

Again -- I don't know if any of this is good advice or smart.  It might be horrible advice.  (UPDATE:  as I said above, according to the guru Ed Bott the advice is pretty reasonable.  See below for his addendum.)  But...I think it's the most "realistic" advice.  After all, I think it's a fantasy land to think that everyone in the world is going to change all their passwords.  I think it's a fantasy to think most people -- or even more than 5% of people (and that might be high) will.  To be clear, this isn't head-in-the-sand-advice, trying to suggest there's no problem.  There is a very real, big problem.  But it's giving (I think...) the most real-world thoughts on what the problem appears to actually be, and how to most realistically deal with it in a way that people actually act.

Telling everyone in the world to check all their engine settings and cords and fluid levels and test tire tread and manually adjust what's needed to factory conditions every time before they start their car might be the best way to drive safely, but it's not going to happen.  Ever So, figure out the best way that people actually use their cars and address that.  (And no, that's not a comparable example of what's at risk, but the overriding issue holds.)

The Y2K Problem was a real problem, as well, and dire calamity was predicted.  There were some issues that resulted, but overall things were addressed, and worked out.  Heartbleed is a very different problem, but it appears to be that it's being addressed by those who know how to do such things and are in a position to.  As long as you are aware of the issue and take care when you browse and click on your websites that require passwords, and change the few passwords of your most-critical sites when appropriate, it seems like your risks should be limited.

But read other, smarter articles, too.  And start with this one here on the Washington Post.  (Not to worry, no sign-in is necessary.)

Updates as they occur.  Or if I'm told smarter things to say...

UPDATE:  Okay, here's the note I got back from Ed Bott, a really smart tech guy who has written a column for many years on the tech site, ZDNet, and has his own blog here.  He wrote back to me --

"I think it's prudent for any user to go through his or her list of websites, focusing first on those that are most crucial: banks and any site with credit card or sensitive personal information stored. Confirm that the site is not currently vulnerable to Heartbleed and then change your password. If the site was never vulnerable, changing the password is optional. Everyone should use a password manager.

"BTW several of those lists are wrong in listing Microsoft as having patched the vulnerability. Microsoft services were never vulnerable."