The discovery of Heartbleed, a devastating bug in OpenSSL's TLS implementation, sent the web into a panic.
On a scale of 1 to 10 for Internet catastrophes, this one goes all the way to 11, according to respected security analyst Bruce Schneier, who isn't prone to manic exaggeration.
As the makers of 1Password (which isn't affected by Heartbleed) explain, many servers haven't patched yet and probably won't for a few days, which means a new password you set now can still be captured on the vulnerable server and used later.
“You will, at some point, need to change a lot of passwords. But don’t rush to do that just yet. Not every server is affected, and those that are need to fix things at their end before you change your password. If you change your password before the servers fix things, then your new password will also be vulnerable to capture.
All that most of us can do is wait at this point. Presumably, various service providers will announce over the next few days when and whether users should change passwords or be aware that other confidential information may have been exposed.”
So what’s taking the providers so long to fix things up?
First they have to find out whether they're vulnerable, which means checking whether each of their SSL/TLS services was linked against OpenSSL 1.0.1 through 1.0.1f, the releases with the broken heartbeat code. Then they upgrade to the fixed release, OpenSSL 1.0.1g (or rebuild with -DOPENSSL_NO_HEARTBEATS), and restart every service that still has the old library loaded. Patching alone isn't enough, though: a server that was exposed has to assume its private key was read out of memory, so the provider must generate a new key pair, get a new certificate from its certificate authority, and then revoke the old one.
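The three steps above, written out as a remediation checklist an admin could run on a Linux server. This is an added example and not code from the original article or from any vendor; it assumes shell access to the server, the openssl and lsof command-line tools, and placeholder hostnames and output paths.

```shell
#!/bin/sh
# Added example (not from the original article): Heartbleed (CVE-2014-0160)
# remediation checklist in POSIX sh. Assumed: shell access, the openssl and
# lsof CLIs; hostnames and paths below are placeholders.

# Step 1: is the installed release affected? Returns 0 (true) when an
# `openssl version` string names 1.0.1 through 1.0.1f or the 1.0.2-beta1
# pre-release. 1.0.0 and 0.9.8 never had the TLS heartbeat code; 1.0.1g is
# the fixed release.
# Caveat: distributions that backport the fix keep the old version number
# (a patched 1.0.1e, say), so a hit here means "check the package changelog
# and build date", not "definitely vulnerable".
heartbleed_affected() {
    ver=${1#"OpenSSL "}      # "OpenSSL 1.0.1f 6 Jan 2014" -> "1.0.1f 6 Jan 2014"
    ver=${ver%% *}           # -> "1.0.1f"
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2 (after the package upgrade): daemons that loaded libssl before the
# upgrade keep the old, now-unlinked copy mapped until restarted. On Linux,
# lsof marks such mappings with DEL in the FD column. Prints "command pid".
stale_libssl_users() {
    lsof -n 2>/dev/null | awk '/libssl/ && /DEL/ { print $1, $2 }' | sort -u
}

# Step 3: generate a fresh 2048-bit RSA key and a CSR for it. The old key is
# treated as compromised, so re-keying is the point; a certificate re-issued
# for the old key would change nothing. Submit the CSR to the CA, install the
# new certificate, and only then revoke the old one.
renew_key_and_csr() {
    host=$1
    outdir=$2
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$outdir/$host.key" -out "$outdir/$host.csr" \
          -subj "/CN=$host" )
}

# When run directly, classify the locally installed library.
if command -v openssl >/dev/null 2>&1; then
    if heartbleed_affected "$(openssl version)"; then
        echo "installed OpenSSL is an affected release; verify: $(openssl version -b)"
    else
        echo "installed OpenSSL is not an affected release by version string"
    fi
fi
```

Usage: after `apt-get`/`yum` has installed the fixed package, run `stale_libssl_users` and restart everything it lists; then `renew_key_and_csr www.example.com /etc/ssl/private` and send the CSR to the CA. The version check is only a first screen: on a distribution that backported the fix, `openssl version -b` and the package changelog are what tell you whether the build you have is actually patched.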
Certificate Authorities are going to be very, very busy the next few days.