Zero-Day SSL Flaw: Change All Passwords, Experts Say

By John Lister

A massive number of websites could be affected by a critical security flaw in software used by web servers and web browsers to protect connections. Experts suggest that all web users change their passwords on all major websites (including banking, social media, etc.) - but doing so comes with a number of caveats.

The security flaw is related to SSL (secure sockets layer) and is expected to affect approximately six percent of all websites worldwide. According to a recent survey that reviewed approximately 959 million websites, "66% ... are powered by technology built around SSL, and that doesn't include email services, chat services, and a wide variety of apps available on every platform." (Source: businessinsider.com)

In many cases, SSL is used to encrypt data between a web browser and web server. If anyone intercepts the encrypted data during its journey over the Internet, they'll be unable to make sense of it unless they can crack the encryption, which is extremely difficult, if not verging on impossible.

Websites need to use software to create and control the SSL encryption. The flaw in particular affects software called OpenSSL, which is one of the most commonly used of its type.

Bogus "Heartbeat" Exposes SSL Data Secrets

The problem involves a feature known as a heartbeat. This is where a user's computer sends a small piece of data to check the secure connection is still active. It's the same effect as asking "Are you still there?" during a phone conversation. (Source: businessinsider.com)

Security researchers have discovered that for the past two years there has been a flaw in OpenSSL that allows a hacker to send a bogus "heartbeat" message to a website. This then forces the server hosting the website to send back some of the data in its memory.

Exactly what's in this data will vary from case to case, but it could include user names, passwords and even credit card numbers used by recent visitors to the website. In a worst case scenario, it could even include the encryption key for the website, allowing the hacker to descramble any information that goes to and from the site.

One test suggests that around five to six percent of the most popular websites are affected by the flaw which, based on the "heartbeat" messaging, has been dubbed "Heartbleed." It's not yet known if, or how often, hackers have exploited the flaw.
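The length check at the heart of the bug is easy to show in code. The following is an added illustration written for this article, not code from the article or from OpenSSL: it models a TLS heartbeat record (one type byte, a two-byte claimed payload length, the payload, and at least 16 bytes of padding) and compares a naive handler that trusts the claimed length with one that applies the bounds check the OpenSSL fix added. The "other server memory" bytes are a constructed stand-in for whatever the real process happened to hold next to the record buffer.

```python
import os
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding

# Constructed sample of data that might sit next to the record in RAM.
# In a real process this would be leftover request data, session state, etc.
OTHER_SERVER_MEMORY = b"session=abc123; user=alice; Authorization: Basic c2VjcmV0"


def build_heartbeat_request(payload: bytes) -> bytes:
    """Well-formed request: header, payload, then 16 bytes of random padding."""
    header = struct.pack("!BH", HEARTBEAT_REQUEST, len(payload))
    return header + payload + os.urandom(MIN_PADDING)


def is_malformed_heartbeat(record: bytes) -> bool:
    """The check the fix introduced: header + claimed payload + minimum padding
    must fit inside the record that was actually received."""
    if len(record) < 3:
        return True
    _, claimed_len = struct.unpack("!BH", record[:3])
    return 1 + 2 + claimed_len + MIN_PADDING > len(record)


def vulnerable_heartbeat(record: bytes, adjacent_memory: bytes) -> bytes:
    """Naive handler (simulated): copies claimed_len bytes starting at the
    payload, so a claimed length larger than the record reads past it into
    whatever follows. 'adjacent_memory' stands in for the bytes after the
    record in the process's memory."""
    msg_type, claimed_len = struct.unpack("!BH", record[:3])
    if msg_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    reachable = record + adjacent_memory
    echoed = reachable[3:3 + claimed_len]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, len(echoed))
    return header + echoed + os.urandom(MIN_PADDING)


def hardened_heartbeat(record: bytes) -> Optional[bytes]:
    """Handler with the bounds check: a record whose claimed payload does not
    fit is silently discarded, so only bytes the client actually sent are
    ever echoed back."""
    if is_malformed_heartbeat(record):
        return None
    msg_type, claimed_len = struct.unpack("!BH", record[:3])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    payload = record[3:3 + claimed_len]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len)
    return header + payload + os.urandom(MIN_PADDING)


if __name__ == "__main__":
    good = build_heartbeat_request(b"ping")
    print("well-formed accepted:", hardened_heartbeat(good)[3:7])
    # A header that claims 0x4000 payload bytes but carries none of them.
    bad = struct.pack("!BH", HEARTBEAT_REQUEST, 0x4000)
    print("hardened handler result:", hardened_heartbeat(bad))
    print("naive handler leaks adjacent memory:",
          OTHER_SERVER_MEMORY in vulnerable_heartbeat(bad, OTHER_SERVER_MEMORY))
```

The comparison makes the article's point concrete: the server never "breaks" its encryption, it simply echoes more bytes than it should, and the only remedy is the server-side update that adds the check.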

Experts Advise Changing Key Passwords, with Caveats

It's an unusual security issue as there's nothing web users can do to their own computer or software to deal with the flaw. Instead, it's up to website operators to apply an update to the OpenSSL software to fix the flaw.

In the meantime, computer experts are divided about the best way for web users to respond. Some have suggested users should immediately change all the passwords they use on sites that involve data they would want to keep confidential, such as financial or social networking sites.

Others have suggested that users should hold off visiting a site to change the password until they hear the site has applied any necessary fix. That said, not all websites will make such an announcement; as such, changing all your passwords even a week from now could be a crapshoot.

At the time of writing, Facebook, Google and Twitter are all reported to be safe, while Yahoo is working to fix the issue. (Source: washingtonpost.com)

What's Your Opinion?

Are you concerned by the security implications presented in this article? If so, do you plan on changing all your passwords on the Internet? Have you heard or seen any information from websites you commonly visit telling you about the problem and whether it has been fixed?


Comments

richardls wrote:

Yea, changing passwords, like every day, when will the patch be installed to fix the problem, the general public won't know when or if the fix has been installed. Change passwords, yea right!!

DavidFB wrote:

This sounds like one of those issues that's been distorted by the popular press, leading to lame advice.

Server bugs are commonly found and patched. Servers get updates just like desktops, except server admins typically research and test the patches more. My Wordpress host updated the server to address this issue on Monday. Sites were uneditable for a 10 min window but behaved normally otherwise.

You are very unlikely to be notified of the update by many services you may use. If you change your password before the update, that may INCREASE the likelihood of the password being discovered, as that's what you're adding to the cache. If you change your password after the update, it may or may not make a difference, as it's now secure again.

Strong passwords that are unique to each site are the best way to limit damage from an exposure. Using a tool like Lastpass (basic is free) can help you manage all the various difficult-to-remember passwords. It fills in logins for you too.

DavidFB wrote:

As a followup, it has become clear that changing passwords is a good idea, especially on the big sites and especially on social media sites you may have used to log into other sites. But only AFTER they've updated.

You can check here:
https://www.ssllabs.com/ssltest/

The issue is that sites may have been hacked without knowing it. If they didn't update Monday, your user data may have been exposed. Mumsnet knows they were hacked only because the hackers told them and used the founder's ID to comment online.

The Canadian Tax department knows they were hacked because of the far greater security they had. And that was Monday. They're expecting about 900 accounts got compromised.

If you think you don't have much that anyone would care about, what happens when they hack your account and spam all your contacts in your name? Or use your name to break into places? Or steal your identity?

It's a good time to update your passwords and use stronger ones that are more unique. If you've thought about it, a password manager like LastPass would be good to implement. Then you don't have to remember a bunch of difficult passwords. As a bonus, LastPass flags the accounts you need to update most and when.

Dennis Faas wrote:

Canada Revenue Agency (CRA), which is the Canadian equivalent of the United States Internal Revenue Agency (IRS), confirmed it was hacked due to the Heartbleed Bug. CRA claims that 900 social insurance numbers were compromised - though with a website that large and with that many customers AND the fact that this bug has been in the wild for over two years, I can't help but imagine the numbers to be considerably more inflated than what is reported.

http://www.theglobeandmail.com/technology/sin-numbers-stolen-from-tax-agency-website-using-heartbleed-bug/article17956353/