The Heartbleed security bug has everyone in a panic, and rightly so. Because of this vulnerability, user information--including passwords, credit card details, and other sensitive data--could be read remotely by attackers, and the bug went undetected for at least two years. (We're already seeing some servers hit by it.) Before you go changing all your passwords or simply taking the advice of a Heartbleed checker, here's what you need to know: don't trust any single one of them as your main source of information.
According to most security experts (such as Bruce Schneier, Troy Hunt and the folks at AgileBits), before you change your passwords (which is traumatizing if you have several hundred to deal with), you should make sure three things are already in place:
- The site (or hardware/app, because Heartbleed could affect more than just web sites) was actually vulnerable to Heartbleed, meaning it ran a version of OpenSSL that this bug affects (versions 1.0.1, released March 2012, through 1.0.1f; 1.0.1g, which contains the fix, was released April 7, 2014).
- The site patched the OpenSSL bug.
- The site replaced its private keys and then issued a new SSL certificate.
The problem is that the security checkers all seem to be flawed in some way on at least one of these three points.
This list on Mashable, for example, which has been widely shared (by me too, on Lifehacker), only notes whether the servers have been patched and what the companies in question say you should do--there's no mention of whether the SSL certificates were reissued.
LastPass's built-in Security Check tells users when the certificates were updated and compares that to your password change history, but depending on when you started using LastPass, the results are not always complete. LastPass.com/heartbleed is one of the best tools I've seen so far, but sometimes the SSL certificate result just says "Safe" without any further explanation (unlike other results, which include the certificate issue date). It also doesn't cover every single site that could've been affected, though it does cover the majority of sites out there. And it's a pain to type in each site individually.
The Chrome extension Chromebleed, based on Filippo Valsorda's Heartbleed test, can tell you if a site you visit is affected by Heartbleed, but both tools can give you what amounts to a false negative: they'll tell you a site like Etsy.com, which was affected by Heartbleed but has since been patched, is safe. There was a time, though, when it was not--and during that time your credentials could've been leaked, so if you don't change your passwords ASAP, you're still exposed. You wouldn't know that by running these tools now.
So what can you do? Essentially, check multiple tools.
- To find out if a site was vulnerable, first check the Heartbleed Hit List on Mashable or type the site in question into LastPass. Also Google "[site] heartbleed" to find information directly from the source. I started with my most important accounts (email, finance, anything I entered a credit card into).
- The same step tells you whether they've patched the OpenSSL bug. If they haven't, wait until they do before you change your passwords. (Most sites have already done this.)
- To find out if they've reissued their SSL certificates, check the issue date in the tools above. For example, the LastPass Heartbleed checker usually shows when the certificate was issued. If there's no date, look it up at DigiCert.
Unfortunately, certificate issue dates can be misleading. A site could rekey its certificate and change everything except the issue date. Here, we're looking for SSL certificates updated after the Heartbleed bug was announced on April 7. So certificates dated on or after the 7th are definitely safer, but older certificates could still be safe too. In that case, look to the site's own advice on what to do. Unfortunately, not all sites have been proactive in reaching out to their users about this vulnerability.
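As an added example (not code from the article or from any of the checkers it mentions), here is a small Python triage helper that applies the three checks above to one site: it recognizes the affected OpenSSL releases from an `openssl version` banner, reads the certificate's issue date (the notBefore field) from the output of `openssl x509 -noout -dates`, and combines the answers into the action the article recommends, including the "older certificate, check the site's advice" case. The sample banners and certificate dates are constructed for illustration, and the two command output formats are assumptions about the OpenSSL command-line tools, not something the article shows.

```python
"""Heartbleed password-change triage, applying the three checks described above.

Added example; the sample inputs below are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# The day the bug was disclosed and the fixed OpenSSL 1.0.1g shipped (from the article).
DISCLOSURE_DATE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" as printed by `openssl version`
# (assumed output format).
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def openssl_version_vulnerable(version_banner):
    """True if the banner names a Heartbleed-affected release (1.0.1 through 1.0.1f).

    Only the 1.0.1 branch is affected. Patch releases are ordered by their letter
    suffix: "" (plain 1.0.1) < "a" < ... < "f" are vulnerable; "g" and later carry
    the fix. An unparseable banner raises instead of quietly reporting "not vulnerable".
    """
    match = _VERSION_RE.search(version_banner)
    if match is None:
        raise ValueError("not an OpenSSL version banner: %r" % (version_banner,))
    major, minor, fix = (int(n) for n in match.group(1, 2, 3))
    letter = match.group(4)
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter < "g"


def parse_not_before(dates_output):
    """Return the certificate's issue date from `openssl x509 -noout -dates` output.

    The tool prints lines like "notBefore=Apr  9 00:00:00 2014 GMT" (two spaces
    before a single-digit day); strptime's whitespace handling tolerates that.
    """
    for line in dates_output.splitlines():
        if line.startswith("notBefore="):
            raw = line.split("=", 1)[1].strip()
            parsed = datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z")
            return parsed.replace(tzinfo=timezone.utc)
    raise ValueError("no notBefore line in output")


def password_action(site_was_vulnerable, site_patched, cert_not_before):
    """Combine the three checks into the article's recommendation for one site."""
    if not site_was_vulnerable:
        return "not-affected"          # never ran an affected OpenSSL release
    if not site_patched:
        return "wait-for-patch"        # a new password could leak the same way
    if cert_not_before >= DISCLOSURE_DATE:
        return "change-password"       # patched and certificate reissued after disclosure
    # Patched, but the issue date predates disclosure: a rekey may still have
    # happened without changing that date, so the site's own advice decides.
    return "check-site-advice"


if __name__ == "__main__":
    # Constructed sample: a site that ran 1.0.1e, patched, and reissued its certificate.
    banner = "OpenSSL 1.0.1e 11 Feb 2013"
    dates = "notBefore=Apr  9 00:00:00 2014 GMT\nnotAfter=Apr  9 23:59:59 2016 GMT\n"
    vulnerable = openssl_version_vulnerable(banner)
    issued = parse_not_before(dates)
    print(banner, "vulnerable:", vulnerable)
    print("certificate issued:", issued.date())
    print("action:", password_action(vulnerable, True, issued))
```

The version check is something you can only run on systems you administer (your own servers, or an appliance or app that ships its own OpenSSL, as the article notes); for third-party sites, the "was vulnerable" and "patched" answers come from the Hit List and the site's own statements, and only the certificate date can be verified from the outside. The helper deliberately refuses to treat an unparseable version banner as safe, for the same reason the article warns against trusting a single checker's "Safe" verdict.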
This is a lot, I know. It's easier to just take the recommendations from one site or list--or change every password at once--than to figure it out, site by site.
I started with Mashable's list, cross-referencing it with LastPass data and DigiCert certificate information, to create this more detailed version of both in Google Drive. I haven't updated it since Saturday, but it's what I know so far from doing the extra research on these most popular websites. The spreadsheet is shared publicly, so if you want to add details for another site, please do. I'm using it as an action list for which passwords to change first, and hopefully it will help you too. Here's the link again; please add to it if you can.