In case you missed it, there’s been a massive flaw found in one of the most widely used technologies on the Web, called OpenSSL. The problem is that this encryption, which is supposed to protect our passwords and private details when we log in to website services like stores and banks, had a gaping hole in it, through which a villainous crew could have driven a 10-tonne truck and accompanying convoy in the right circumstances.
Here’s the techie explanation – warning, it’s not pretty reading. So what can you do? Here are the four steps you can take right now to minimize the possibility of your data being compromised in the future. Do note that this doesn’t mean your details haven’t already been sniffed out; it’s purely to guard against it happening in the future with sites that haven’t yet patched.
1. Check if the sites you use regularly were vulnerable to this exploit. You can use THIS TEST SITE to check instantly. Facebook and Google users are safe, but if you’re a Yahoo!, Flickr, or LastPass user, then it’s possible (not likely, just possible) that your account could have been compromised at some point. Of these, LastPass is an absolute disaster, since it is a meta password storing site, which could mean all your passwords across the web were made accessible.
2. Check if your favorite sites are still vulnerable using the same TEST SITE TOOL.
3. Set your web browser up to monitor web server certificates to ensure that vulnerable sites have actually implemented the security fix and are now safe. This means certificates should be dated post 8th April. Note that this only applies to HTTPS websites, which typically means any banking or secure data site such as stores, email services etc. Most modern browsers will already check, so take care if you are using a browser that is not mainstream.
4. Change your passwords immediately, but ONLY once you are sure that the websites you use have fixed the hole on their servers and updated their certificates.
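The date check in step 3 can also be scripted. The following is an added example, not part of the original post: it reads a site's certificate with Python's standard `ssl` module and reports whether it was issued after the cutoff. The year 2014, the function names and the sample certificates are assumptions of this example.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# The page gives only "8th April"; the year 2014 is an assumption of this example.
# "Post 8th April" is read here as a notBefore of 9 April 00:00 UTC or later.
CUTOFF = datetime(2014, 4, 9, tzinfo=timezone.utc)

def _when(cert, field):
    """Parse a getpeercert() date such as 'Apr  9 10:30:00 2014 GMT' into UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert[field]), tz=timezone.utc)

def classify(cert, cutoff=CUTOFF, now=None):
    """Return 'expired', 'not-reissued' or 'reissued' for a getpeercert() dict."""
    now = now or datetime.now(timezone.utc)
    if _when(cert, "notAfter") < now:
        return "expired"
    if _when(cert, "notBefore") < cutoff:
        return "not-reissued"  # certificate predates the cutoff
    return "reissued"

def fetch_cert(host, port=443, timeout=5):
    """Connect over TLS with normal validation and return the server certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (only the two date fields are filled in).
SAMPLE_OLD = {"notBefore": "Jan 15 00:00:00 2014 GMT", "notAfter": "Jan 15 23:59:59 2016 GMT"}
SAMPLE_NEW = {"notBefore": "Apr  9 10:30:00 2014 GMT", "notAfter": "Apr  9 10:30:00 2015 GMT"}
SAMPLE_SAME_DAY = {"notBefore": "Apr  8 12:00:00 2014 GMT", "notAfter": "Apr  8 12:00:00 2015 GMT"}

if __name__ == "__main__":
    # Usage: python certdate.py <hostname> [<hostname> ...]
    for host in sys.argv[1:]:
        try:
            print(host, classify(fetch_cert(host)))
        except OSError as exc:  # includes ssl.SSLError and connection failures
            print(host, "error:", exc)
```

A "reissued" result only tells you the certificate date is new; the test in step 2 is still what tells you whether the server itself has been patched.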
Don’t bother listening to anyone telling you that you really should set up strong passwords in the future; that’s a complete red herring. The strongest password in the world won’t protect you from this type of total security fiasco. The tech industry should be ashamed of itself. All of us have been let down by a basic failure of the so-called tech intelligentsia en masse.
[Hat tip to the folk at Kaspersky Labs]