Friday 11 April 2014

Heartbleed security bug: what can you do?

Heartbleed: You should only change your password to websites that are no longer vulnerable.
In the wake of widespread media coverage of the internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here's a short primer.
Avoid responding to emailed invitations to reset your password - visit the site manually. 
The Heartbleed bug concerns a security vulnerability in a component of recent versions of OpenSSL, a technology that a huge chunk of the internet's websites rely upon to secure the traffic, passwords and other sensitive information transmitted to and from users and visitors.
Around the same time that this severe flaw became public knowledge, a tool was released online that allowed anyone on the internet to force website servers that were running vulnerable versions of OpenSSL to dump the most recent chunk of data processed by those servers.
That chunk of data might include usernames and passwords, reusable browser cookies, or even the site administrator's credentials. While the exploit only allows for small chunks of data to be dumped each time it is run, there is nothing to prevent attackers from replaying the attack over and over, all the while recording fresh data flowing through vulnerable servers. Indeed, I have seen firsthand data showing that some attackers have done just that; for example, compiling huge lists of credentials stolen from users logging in at various sites that remained vulnerable to this bug.
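As an added illustration, not part of the original post: the flawed component is OpenSSL's implementation of the TLS Heartbeat extension, which trusted a length field inside the heartbeat message instead of checking it against the size of the record that carried it. The parser below, using constructed sample records, applies that missing bounds check to flag requests that claim more payload than the record holds, the kind of check a network defender can run over captured traffic.

```python
import struct

TLS_HEARTBEAT = 0x18              # TLS record content type for the Heartbeat extension
HB_REQUEST, HB_RESPONSE = 1, 2    # heartbeat message types
MIN_PADDING = 16                  # RFC 6520: every heartbeat carries >= 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body); raises on truncation."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    return ctype, version, body


def check_heartbeat(record: bytes) -> str:
    """Return 'not-heartbeat', 'benign' or 'suspicious' for one TLS record.

    Vulnerable OpenSSL trusted the 16-bit payload_length inside the heartbeat
    message and echoed that many bytes of memory without comparing it to the
    real record length. The test below is the bounds check the fix added:
    type(1) + length(2) + payload + padding(16) must fit inside the record.
    """
    ctype, _version, body = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(body) < 3:
        return "suspicious"          # cannot even hold the heartbeat header
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "suspicious"
    if 1 + 2 + payload_len + MIN_PADDING > len(body):
        return "suspicious"
    return "benign"


# Constructed sample records (not real captures).
APP_DATA = b"\x17\x03\x02\x00\x05hello"                            # ordinary application data
BENIGN_HEARTBEAT = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
OVERSIZED_HEARTBEAT = b"\x18\x03\x02\x00\x03" + b"\x01\xff\xff"    # claims 65535 bytes, carries none
```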
For this reason, I believe it is a good idea for internet users to consider changing passwords at least at sites they visited since this bug became public (Monday morning). But it's important that readers first make an effort to determine that the site in question is not vulnerable to this bug before changing their passwords. Here are some resources that can tell you if a site is vulnerable:
http://filippo.io/Heartbleed/
https://www.ssllabs.com/ssltest/
http://heartbleed.criticalwatch.com/
https://lastpass.com/heartbleed/
As I told The New York Times, it is likely that many online companies will be prompting or forcing users to change their passwords in the days and weeks ahead, but then again they may not (for example, I'm not aware of messaging from Yahoo to its customer base about their extended exposure to this throughout most of the day on Monday). But if you're concerned about your exposure to this bug, checking the site and then changing your password is something you can do now (keeping in mind that you may be asked to change it again soon).
It is entirely possible that we may see a second wave of attacks against this bug, as it appears also to be present in a great deal of internet hardware and third-party security products, such as specific commercial firewall and virtual private network (VPN) tools. The vast majority of non-web server stuff affected by this bug will be business-oriented devices, and not consumer-grade products such as routers. The SANS Internet Storm Centre is maintaining a list of commercial software and hardware devices that either have patches available for this bug or that will need them.
For those in search of more technical analyses of the Heartbleed bug, see this video and this blog post.
