Today, a serious and pervasive threat to security on the Internet was revealed: the so-called Heartbleed Bug. In my opinion, everyone who regularly uses a password on a “secure” Internet connection should have at least a rudimentary grasp of the problem. A web site has been set up to describe it in detail: Heartbleed.com.
The short version is that a vulnerability was found in the encryption used by secure web sites. Under certain circumstances it lets a third party decrypt your session with a secured site, or impersonate that site. To do either, the attacker must first obtain the site's encryption keys, and that is exactly what the bug allows him to do. Once the attacker has the keys, if he can also get access to the traffic flowing back and forth between you and the site, he can read it. That includes passwords, credit card information, all of it.
News reports have given the impression that with stolen keys, an attacker can walk right into a server and get whatever he wants. This is wrong. If a server administrator logged in remotely while his session was being read, the attacker could then log in with the same credentials. That is a quite different scenario, and not at all a likely one: most servers restrict where administrators may log in from, and an attempt from anywhere else would set off alarms.
The likelihood that information has already been stolen from you is low. Normally we don’t see security bugs exploited until they are well known. This problem was first discovered last week and was announced publicly today. The delay was to allow time to get fixes in place. Our servers have been updated and certificates replaced. We are no longer vulnerable to this threat.
What is IMPORTANT is that any secure site you interact with has been updated. If a site does not post a notice, you should ask before logging in. I just attempted to find out if my bank was aware of the problem. I was unable to get an answer. Hopefully the people who manage the web site have taken care of it, but the only safe assumption is that they have not. I’m not going to use web banking until I can get an answer and you shouldn’t either.
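One concrete way to check whether a site has done what this post says ours did (replaced its certificate) is to look at the issue date of the certificate it currently serves. The script below is an added example, not part of the original post; it assumes the bug's public disclosure date of 7 April 2014 (from the public record, not from the post) and uses only an ordinary TLS handshake to read the certificate's notBefore field.

```python
import socket
import ssl
from datetime import date, datetime, timezone

# Public disclosure date of the Heartbleed bug (7 April 2014), taken from
# the public record rather than from the post above.
DISCLOSURE_DATE = date(2014, 4, 7)


def not_before_date(not_before: str) -> date:
    """Parse the 'notBefore' string that ssl.SSLSocket.getpeercert() returns,
    e.g. 'Apr  8 12:00:00 2014 GMT', into a UTC calendar date."""
    seconds = ssl.cert_time_to_seconds(not_before)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).date()


def cert_reissued_after_disclosure(not_before: str,
                                   disclosure: date = DISCLOSURE_DATE) -> bool:
    """True if the certificate was issued on or after the disclosure date.

    Caveat: this is only a heuristic. A certificate issued earlier may belong
    to a server that never ran the vulnerable software, and a freshly issued
    one may have been re-signed over the old, possibly exposed, private key.
    Treat a pre-disclosure date as a reason to ask the operator, not as proof.
    """
    return not_before_date(not_before) >= disclosure


def fetch_not_before(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Open a normal TLS connection to host and return the server
    certificate's notBefore field (network access required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    nb = fetch_not_before(host)
    if cert_reissued_after_disclosure(nb):
        verdict = "certificate issued after disclosure"
    else:
        verdict = "certificate issued BEFORE disclosure: ask the operator whether keys were rotated"
    print(f"{host}: notBefore={nb} -> {verdict}")
```

Run it as `python check_cert.py yourbank.example` and compare the verdict with whatever notice the site has (or has not) posted.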