A security bug potentially affecting two-thirds of the Internet has just been reported. This one is serious – it will be headline news tomorrow.
You can find out which websites are vulnerable by entering their addresses at Heartbleed Test. Chrome users can install Chromebleed to be notified immediately when they visit a vulnerable website.
Update 5, Chromebleed review: I’ve stopped believing Chromebleed. It complains (using qualified language) about sites that everyone else says are fine, like Gmail or WordPress.com.
c|net sensibly recommends that you: (1) change your password once a vulnerable website is fixed, (2) do the same for other websites where you use the same password, and (3) keep an eye on your financial statements for the next little while.
Update 1: Chromebleed nearly gave me a heart attack until I realised that the notification appears when you first open a vulnerable website, but doesn’t go away as you switch between tabs. I’m trying to find out if there is a fix. For now, just keep an eye on the lower right-hand corner whenever you click a link.
Update 4: Stay away from FetLife for a few days. According to Chromebleed, they still haven’t fixed the bug as of 9am, April 9. No surprise, but not impressive.
Update 2: Chromebleed now says Gmail is safe.Chromebleed says Gmail is vulnerable. Everyone else says it’s safe, even the Heartbleed Test. I guess I’ll just be cautious and go offline for the night!
It is dangerous to log in at any vulnerable websites. Don’t even do it to change your password. Wait until you get a notification that they are safe. Browsing the Internet is okay, with the caveat that most of us get our web browsers to remember passwords for some websites, and that counts as logging in. I’m basing this on advice from Lifehacker and its sister site Gizmodo.
You will be relieved to hear that Google, Facebook, Amazon, Microsoft, Twitter and WordPress.com were apparently unaffected. But it is possible that they were vulnerable to attacks in the past, and we’ll only find out when the official announcements come out. Unfortunately the vulnerable websites did include FetLife(?), Yahoo, Tumblr, Flickr and OKCupid (among others). Twitter and WordPress.com currently pass the test, but I don’t know if they were fine all along.
Update 3: You can refer to this list of early Heartbleed test results for 1000 websites. “No SSL” counts as not vulnerable (because this was a bug in SSL). Many of those websites have now fixed themselves and notified their users. Thank you to a reader for reminding me about this link.
I expect most major websites to be fixed in another 24 hours or so, i.e. by 10-11 April (depending on your time zone).
You may be curious about the ethical debate on early announcement or the news report on just how bad it is. Connections that should have been secure leaked even more information than totally unsecured connections. And pretty much everyone is affected.
I actually thought it was a joke at first. The bug is named Heartbleed, so what was I supposed to think when I saw this tweet from Submissive Guide?
Submissive Guide ?@subguide
Urgent security update – staff: Bad news. A major vulnerability, known as “Heartbleed,” has been disclosed… https://tmblr.co/Z7upXo1CUo7SF
“What a delightful way of giving relationship advice!” was what I thought. I’m awfully glad I clicked just to be on the safe side.
Please comment to share any information that you think may be helpful.