Following news of a flaw in the OpenSSL software that encrypts secure interactions with more than 500,000 of the internet’s most popular websites, a number of online businesses have rushed to secure their systems.

Heartbleed

As the scale of the problem emerged this week, users were initially urged to change all their internet passwords. That advice has since been qualified to some degree, as it became clear that many companies were patching systems to remove the vulnerability.

For companies that have already acted to address the problem, current passwords should not require changing. For those sites that have not yet acted – many of the smaller operations with whom users still share encrypted secure data – changing the password may have little effect if the vulnerability still exists in that system.

The advice from security firm Codenomicon - whose researchers were part of the team that discovered the bug - is that it is better to change passwords than not, although this alone may not protect users’ information. The latest advice from Codenomicon is available here.

Amazon quickly patched its system to correct the flaw while Mojang, which produces the hugely successful Minecraft game, took all of its systems offline for a period, as did the Canadian tax authority. Heartbleed also affected services from Yahoo, Google and Facebook, among many more.

It is feared that cybercriminals could exploit the vulnerability to collect secure data exchanged between users and “secure” websites including retailers, revenue authorities and payment companies.

Most major site operators were informed of the bug before it was announced publicly, meaning the bug will already have been removed from many of the systems users interact with.