Bleeding Hearts and OK Cupids – the SSL Risk Explained
Mixed messages are flooding the internet about what users should be doing after a major security flaw, known as the Heartbleed Bug, was discovered by a Finnish security company in one of the most ubiquitous encryption systems currently in use on the internet.
The short story is, what you thought was secure actually isn’t so secure – and data passed to servers that are running the compromised version of OpenSSL could potentially be seen by anyone with the correct means and motivation (this works by reading data that is currently sitting in the server’s memory). To make matters worse, this has been the case for about two years now.
So, what should we, as users, do? The BBC has been repeating advice for us to rush out and change all our passwords as quickly as possible. On the other hand, the Guardian recommends a more controlled approach and reminds us that if the server hasn’t been patched yet, then your new password is just as vulnerable as the last one.
Personally, I agree with the latter – which means that I think we just need to accept for now that we’d be best to avoid vulnerable sites altogether for the time being (a list of popular sites affected is below). Now is a very good time to turn on two-step authentication on any sites that support it, like Google, just in case you use the same password for Gmail as you do for OKCupid or RedTube (whatever that is).
As web developers, we now have a job on our hands to make sure that any of our clients’ sites are patched as quickly as possible. Most (but not all!) hosting companies are hitting the ground running with this task, and pulling out all the stops to make sure that this will be fixed across the board as quickly as possible (see post from Melbourne Server Hosting, for example).
On the plus side, many major sites are not affected by this, such as Google, Facebook, Amazon, YouTube and Wikipedia. Make sure you check the list below and avoid any potential nasties for the time being!
The list of the top 21 sites affected is as follows (note: some are adult or dating sites):
- redtube.com (adult site)
- beeg.com (adult site)
- okcupid.com (dating site)