(CNN) – A major online security vulnerability dubbed “Heartbleed” could put your personal information at risk, including passwords, credit card information and e-mails.
Heartbleed is a flaw in OpenSSL, an open-source encryption technology that is used by an estimated two-thirds of Web servers. It is behind many HTTPS sites that collect personal or financial information. These sites are typically indicated by a lock icon in the browser to let site visitors know the information they’re sending online is hidden from prying eyes.
Cybercriminals could exploit the bug to access visitors’ personal data as well as a site’s cryptographic keys, which can be used to impersonate that site and collect even more information.
It was discovered by a Google researcher and an independent Finnish security firm calledCodenomicon . The researchers have put up a dedicated site to answer common questionsabout the bug. They even gave it an adorably gruesome custom icon.
Heartbleed is the result of a small coding error but it could have far-reaching consequences and affect the majority of Internet users.
Researchers discovered the issue last week and published their findings on Monday, but said the problem has been present for more than two years, since March 2012. Any communications that took place over SSL in the past two years could have been subject to malicious eavesdropping.
What makes the bug particularly problematic is that there is no simple fix. Action needs to be taken by both the compromised sites and individuals who have visited them.
To protect their user data and encryption keys, sites must upgrade to the patched version of OpenSSL, revoke compromised SSL certificates and get new ones issued.
Many major websites including Google, Facebook, Yahoo and Amazon have said they’ve taken steps to secure their sites. Security researchers demonstrated the flaw by stealing Yahoo e-mail logins on Tuesday morning, but Yahoo has since fixed the issue across its major sites, including Tumblr.
It’s not just an issue for major sites. Smaller online stores and services use OpenSSL, and those sites might take longer to make the necessary fixes. Websites don’t typically publicize whether they’re using OpenSSL, so the process will also be bumpy for consumers.
Individuals should update their passwords across the various Web pages they use, but only once they have confirmed a site has already taken the proper measures to address Heartbleed. If they don’t and that site is still at risk, the new password could also be compromised. Many sites will also likely send e-mails instructing customers to update passwords if necessary.
Websites are racing to patch the Heartbleed bug, the worst security hole the Internet has ever seen.
As sites fix the bug on their end, it’s time for you to change your passwords. The Heartbleed bug allowed information leaks from a key safety feature that is supposed to keep your online communication private — email, banking, shopping, and passwords.
Don’t change all your passwords yet, though. If a company hasn’t yet updated its site, you still can’t connect safely. A new password would be compromised too.
Many companies are not informing their customers of the danger — or asking them to update their log-in credentials. So, here’s a handy password list. It’ll be updated as companies respond to CNN’s questions.
Change these passwords now (they were patched)
- Google, YouTube and Gmail
- Yahoo, Yahoo Mail, Tumblr, Flickr
- OKCupid
- Wikipedia
Don’t worry about these (they don’t use the affected software, or ran a different version)
- Amazon
- AOL and Mapquest
- Bank of America
- Capital One bank
- Charles Schwab
- Chase bank
- Citibank
- E*Trade
- Fidelity
- HSBC bank
- Microsoft, Hotmail and Outlook
- PayPal
- PNC bank
- Scottrade
- TD Ameritrade
- U.S. Bank
- Vanguard
- Wells Fargo
Don’t change these passwords yet (still unclear, no response)
- American Express
- Apple, iCloud and iTunes
-CNN
No comments:
Post a Comment