Daily Archives: April 14, 2014

HeartBleed, All You Need To Know

I have seen so many people write about this that I was purposely not writing about it… I should know better – every time there’s a major issue in the field of computer security, if I don’t write about it I get a ton of emails asking me for my viewpoint on the issue or my viewpoint on what others write about the issue… It’s all good though. It’s my fault for being lazy and not writing about it in the first place. So here it is. I’m staying away from any technobabble and keeping it simple.

The first thing you need to know is that HeartBleed is a vulnerability that, when exploited, can be used to steal information from websites. This is accomplished by accessing the memory of the computers where the websites’ data is stored (ALL websites are stored in computers, “servers”, although not all websites are vulnerable to this “bug”). What does that mean to you? If you deal with a particular website that is vulnerable, let’s say your bank’s website, or your email’s website, and so forth, the information you provide to that website on a regular basis, such as your username and password and potentially more, could be compromised (stolen).

I read somebody writing about the fact that the vulnerability was discovered by “good guys” and therefore has not been exploited by hackers. I laugh at that statement. The people credited with discovering the vulnerability might be good guys, but I bet anything the bad guys know about it too.

And because of where the vulnerability is being exploited, i.e. not in your computer, it doesn’t matter what kind of security measures you have in place in your computer(s). The vulnerability is still a threat because it’s being exploited “server side”, meaning at the computers where the websites are stored.

So what do you do? Since we’re talking about a potential leak of your data, the first thing that comes to mind for most users will be to change the passwords for all the websites they use (that require a username and password). And that’s not a bad idea, but let’s not rush into that. The reason for not doing that as a first immediate step is that there is an ongoing global effort to fix the cause of the vulnerability, so you want to make sure a particular website has been fixed before you change your password for it; otherwise your information could be stolen again and you’d be in the same spot.

Therefore the thing to do is to check every particular website you plan to change your password for, and make sure it has been fixed before proceeding to change your password for it, and so forth. How do you do that?

There are many websites that have been provided where you can enter a particular website address and it will tell you whether or not the website is vulnerable, or has been patched or is not affected to begin with. https://lastpass.com/heartbleed/ is one that comes to mind that you can use. Also, here’s a list of the top 100 websites people normally use, and their status as to whether they have been fixed or not (scroll down when you click on this link to see the list): http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

It is always a good idea to change your passwords periodically anyways, so go ahead and change them once you know a particular website you deal with has been fixed. And don’t forget: if you’re the typical user that only has 1, 2 or 3 passwords for everything, also change your passwords for the websites that are labeled as “were never affected” if you have used the same password in a website that was vulnerable.

Hope this helps. Feel free to ask any questions on the subject.