Don't Panic About Heartbleed but Have a Spring Clean Anyway (Op-Ed)

[Image: Password changes] Take a duster to your password collection. It’s as good a time as any. (Image credit: Karen Blakeman, CC BY-NC.)

This article was originally published at The Conversation. The publication contributed the article to Live Science's Expert Voices: Op-Ed & Insights.

The web is full of scare stories about the Heartbleed security vulnerability but panicking won’t help. Better to use this situation as an opportunity to clean up our acts. Few of us do it but we should all be in the habit of changing our passwords regularly.

Heartbleed is a bug in particular versions of a piece of software called OpenSSL that, in theory, enables anyone with internet access to an apparently secure server to steal chunks of data from it, including data that was previously thought to be secure.

It has attracted attention more because of the scale of the problem than anything else. Initial figures suggest 500,000 websites could potentially be vulnerable, many of which are household names. SSL (and its younger sister TLS) is the specification by which two computers conduct the secret handshake that settles how they will communicate securely. There are many implementations of SSL but OpenSSL is the most common.

Its popularity is, in part, due to the fact that it is an open source initiative, which means it is maintained by a group of like-minded experts who are willing to make the underlying code (the source code) open for scrutiny. Many in the security world think this is an excellent idea as it means we can spot security flaws. That said, it doesn’t necessarily mean we can do anything about them. And if a vulnerability is hidden within an extremely complex body of source code, it can be overlooked.

The good news about Heartbleed is that once the problem was found, it was quickly made public via channels that are specifically set up to alert the security community, such as the recently launched UK CERT. The bad news is that it appears it may have been in versions of the software going back up to two years.

The fact that it went unnoticed may not be a problem. The problem is we don’t know if cyber-criminals were aware of the vulnerability before the good guys and whether they were exploiting it. It will take some time to determine if any damage has actually been done, and it may be that we will never know. All we know for certain is that the vulnerability exists and that it is possible to exploit it to grab sensitive information such as passwords. But there is already a fix for the problem which any reputable website operator should be applying if they haven’t done so already.

So, why the advice from many, including me, to change your passwords? It’s not that people are suggesting there is cause for panic. This is a serious security flaw but it may have been caught in time. But in the absence of evidence, it would seem that prudent caution is a sensible approach. Since changing passwords is a simple thing to do and it’s good to regularly change them anyway, you might as well take this as a timely reminder to have a spring clean.

Of course, if someone is exploiting this vulnerability on a site you use then it makes no sense to update your password until the site has been upgraded to using a version of OpenSSL that is no longer vulnerable. This is a tricky conundrum as the majority of users will not really know how to find out if the sites they deal with were affected let alone if they have applied all the necessary upgrades.

The best you can really do is give them a reasonable amount of time to bring in a fix for Heartbleed and then update your passwords. And of course, if you don’t know if the site was affected at all then it seems prudent to assume it was and change your password anyway.

It is for that reason that the blanket advice has been to revisit all of your passwords. If you have the technical savvy to pick your way through the sites and determine which you really need to change then I applaud you, but I suspect you probably don’t, and in the world of online security it is always better to be safe than sorry.

With any event like this, sites immediately spring up saying they can test if a website you use is vulnerable. I would exercise caution with such online checkers as there is some evidence that their results are not always accurate. Plus of course there are scammers who just love to put up sites that claim to be helping in such a situation but then ask you to supply the very sensitive information that you may be worried has been compromised.

Online security is an area where panic and knee-jerk reactions can sometimes do more harm than good but it is also true that if there is any doubt about sensitive information having been compromised, even if it is a case of not knowing, it is sensible to assume that it is worth changing your password.

The Conversation operated on a system that used OpenSSL but fixed the vulnerability at midnight on Tuesday 8 April. As a precaution, we’d recommend users change their passwords.

Alan Woodward does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.


Alan Woodward, University of Surrey