About that secure website. It’s probably not

A major security flaw has been found in OpenSSL, the encryption software behind many websites, and it can expose usernames, passwords and possibly credit card numbers. The Heartbleed bug went undetected for more than two years. There is no indication that hackers actually stole your personal information, but now that the bug is public, they know exactly where to look.

So what are we supposed to do about it?

“You should change passwords immediately,” Business Insider says.

“Immediately changing passwords could feed a new password into a website that has not fixed the flaw,” the New York Times says, citing Mark Seiden, an independent computer security consultant.

Alrighty, then.

Let’s take it one step at a time.

Does this affect you?

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore, you might have client side software on your computer that could expose the data from your computer if you connect to compromised services. (Heartbleed.com)

What should you do?

Do you Yahoo? Do you use your Yahoo password on other sites? That password was possibly compromised by the security bug, and you’ll have to change it once the bug is fixed. But because each system administrator has to manually fix the problem, which takes time, there’s really nothing you can do until the compromised sites are up and running with an updated version of OpenSSL, and a new security certificate in place — a “reset” of the encryption used to protect current and archived information on the server going forward. Yahoo is working on a fix, but isn’t there yet with all of its properties. Each site affected will have to do the same. Until then, stay away from those sites. It could take days, or longer, for vulnerable sites to recover from the bug. (The Wire)

And if you really require privacy and security on the Internet?

Expect everybody who runs an https webserver to be scrambling today. If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle. (Tor Project)

How will you know when it’s time to change your passwords?

A test site that enables users to enter domains to check their vulnerability status has been up since Monday. (Threat Post)
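The Wire’s advice above boils down to two conditions a site has to meet before a new password is worth anything: the server is running a fixed OpenSSL, and its certificate (and key) were reissued afterwards. As an added example, not taken from this article or from any of the sources it quotes, here is a small Python script that encodes that rule. The affected release range comes from the OpenSSL advisory for CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g, released 7 April 2014, fixed). The host name `bank.example`, the version banners and the certificates in the script are constructed samples, and `fetch_peer_cert` is a helper I assume for pulling a live certificate; none of this is from the article.

```python
"""Heartbleed readiness check: is it time to change the password for a site?

Two conditions from the article: the server runs a fixed OpenSSL, and its
certificate (and key) were reissued afterwards. Added example; the sample
inputs below are constructed, not captured from a real site.
"""
import re
import socket
import ssl
import sys

# OpenSSL 1.0.1g, the fixed release for CVE-2014-0160, shipped on 7 Apr 2014.
HEARTBLEED_FIX_TIME = ssl.cert_time_to_seconds("Apr  7 00:00:00 2014 GMT")

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def openssl_version_vulnerable(banner):
    """True if the version banner names a Heartbleed-affected OpenSSL release.

    Affected per the OpenSSL advisory: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
    The 1.0.0 and 0.9.8 branches never contained the heartbeat code.
    Caveat: distributions backport the fix without bumping the upstream
    version string (Debian's 1.0.1e-2+deb7u5 is fixed), so a hit here means
    "check further", not "confirmed vulnerable".
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter == "" or letter <= "f"   # 1.0.1 .. 1.0.1f
    if (major, minor, patch) == (1, 0, 2):
        return beta == "-beta1"
    return False


def cert_reissued_after_fix(cert):
    """True if the certificate's notBefore is on or after the fix date.

    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert().
    A certificate that was live on a vulnerable server may have had its
    private key read out of memory, so a patched server still needs a new
    certificate with a NEW key. A reissue that reuses the old key cannot be
    told apart by dates alone; that needs a public-key comparison.
    """
    return ssl.cert_time_to_seconds(cert["notBefore"]) >= HEARTBLEED_FIX_TIME


def safe_to_change_password(banner, cert):
    """The article's rule: patched server AND fresh certificate."""
    return not openssl_version_vulnerable(banner) and cert_reissued_after_fix(cert)


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live server certificate (assumed helper; needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples: "bank.example" is a placeholder, not a real site.
BANNER_UNPATCHED = "OpenSSL 1.0.1f 6 Jan 2014"
BANNER_PATCHED = "OpenSSL 1.0.1g 7 Apr 2014"
OLD_CERT = {"subject": ((("commonName", "bank.example"),),),
            "notBefore": "Jan 15 00:00:00 2014 GMT",
            "notAfter": "Jan 15 23:59:59 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "bank.example"),),),
            "notBefore": "Apr  9 00:00:00 2014 GMT",
            "notAfter": "Apr  9 23:59:59 2015 GMT"}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode: only the certificate half can be checked from outside,
        # since TLS servers do not advertise their OpenSSL version.
        live = fetch_peer_cert(sys.argv[1])
        print(sys.argv[1], "certificate issued after fix:",
              cert_reissued_after_fix(live))
    for label, banner, cert in [("unpatched, old cert", BANNER_UNPATCHED, OLD_CERT),
                                ("patched, old cert", BANNER_PATCHED, OLD_CERT),
                                ("patched, new cert", BANNER_PATCHED, NEW_CERT)]:
        print("%-20s -> change password now: %s"
              % (label, safe_to_change_password(banner, cert)))
```

Two caveats worth keeping in mind. The version half only works where you can see a banner (your own server’s `openssl version`, or an administrator’s word); a TLS server does not advertise its OpenSSL version to browsers, which is why the public test sites probe the heartbeat extension directly rather than reading a version string. And a reissued certificate is only half the fix: if the site re-used its old private key, the new certificate protects nothing, and that cannot be seen from the dates.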

You might want to start by checking your online banking site. Several local bank sites I checked today passed.