I've been soaking in as much as I can about 'Heartbleed' over the past couple of days, particularly since it (1) affects everybody and (2) I have servers that are affected by it.
So, here are my thoughts:
This is a huge deal. We're talking about 74% of the internet using OpenSSL for secure connections. And website owners can only know if they're vulnerable by looking at what version of OpenSSL they're running - which is no guarantee that they've been attacked, only that they're vulnerable.
Now, different companies upgrade their software at different rates. A lot of that 74% are running code that precedes the two-year-old version of OpenSSL that introduced the bug. So literally, a lot of websites are safe because they're slackers. (Actually, for a major company, upgrading anything is a huge deal, so they may not unless they have to.)
So, some companies were affected, some were running older versions of OpenSSL, and some were using proprietary (or alternate) implementations of SSL to meet their business needs. So, that 74% isn't really 74%. It's something measurably lower.
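Since the only thing a site owner can check on their own is the OpenSSL version, here is an added example (mine, not part of the original post) that classifies an "openssl version" line by upstream version number. The affected upstream releases are 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix, and 0.9.8/1.0.0 never had the heartbeat extension. The sample lines are constructed, and the big caveat is that distributions often backport the fix without changing the version string, so "vulnerable" here means "go read the package changelog", not "definitely exposed".

```python
import re
import subprocess

# Upstream OpenSSL releases affected by Heartbleed: 1.0.1 through 1.0.1f and
# 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 carry the fix; 0.9.8 and 1.0.0 never
# had the TLS heartbeat extension. Caveat: distributions frequently backport
# the fix without bumping the version string (a patched "1.0.1e" package),
# so a "vulnerable" verdict here means "check the package changelog".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def classify_openssl_version(version_line):
    """Classify one 'openssl version' output line by upstream version number.

    Returns 'vulnerable', 'not_vulnerable' or 'unknown'.
    """
    m = _VERSION_RE.search(version_line)
    if not m:
        return "unknown"  # not OpenSSL (e.g. LibreSSL) or unparseable
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, beta = m.group(4), m.group(5)

    if base < (1, 0, 1):
        return "not_vulnerable"  # no heartbeat extension in 0.9.8 / 1.0.0
    if base == (1, 0, 1):
        if beta is not None:
            return "unknown"  # 1.0.1 pre-release builds: not tracked here
        # "" (plain 1.0.1) and "a".."f" are affected; "g" onward are fixed
        return "vulnerable" if letter <= "f" else "not_vulnerable"
    if base == (1, 0, 2):
        if beta is not None and int(beta) == 1:
            return "vulnerable"
        return "not_vulnerable"  # 1.0.2-beta2 and the 1.0.2 release line
    return "not_vulnerable"  # 1.1.x and later never shipped the bug


def local_openssl_status():
    """Run the local 'openssl version' binary and classify its output;
    returns 'unknown' if the binary is not installed."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        return "unknown"
    return classify_openssl_version(out)


# Constructed sample lines (not captured from any real host).
SAMPLES = [
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "LibreSSL 2.0.0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line:35} -> {classify_openssl_version(line)}")
    print(f"this host -> {local_openssl_status()}")
```

Running it prints one verdict per sample line and then a verdict for the local binary. The version check is deliberately a first pass only: on a Debian or Red Hat style system the decisive evidence is the package changelog entry for the heartbeat fix, and on appliances or bundled software it is the vendor's advisory.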
And the hue and cry today is, you must change all your passwords. But I think that's a misnomer. You can't assume (and this is the scary bit) that all the servers have been patched. In my own case, a patch isn't available yet, but that only puts me at risk as a potential victim, so there I'll probably wait. As far as changing passwords on other websites, though...
This is what matters. If you use a common set of logins and passwords across multiple websites, you're at pretty high risk - if someone is using the exploit and grabs your login/password from one site, they may try that combination on a website that isn't affected. So your Petsmart login (not saying they were affected) can be captured and tried against your banking website. There's the real vulnerability. They don't care about your gerbil food; they want to follow the money.
So, those common logins/passwords ought to be changed - but do it on the banking end, because that's what really matters. Also, because you don't necessarily know who's compromised and who isn't, changing to a new password scheme across the board will leave you equally compromised until they're all patched. That said, it's not a bad idea to change passwords anywhere your CC info is stored too, just to make it more difficult.
As I said, this is a huge problem. It's going to take a while to sort out, and don't bank on every website telling you they've fixed the problem. The smaller fry probably don't want to mention it at all, even if they're affected. Change the important stuff so it doesn't match the possibly tainted stuff, and maintain due diligence on your bank accounts - which you should be doing anyway, given the rate of hacking these days.
At the same time, it's not worth total panic. Most serious websites weren't actually affected - most banks, etc. have reported that they were not vulnerable, so as long as you used a different password there than at a run-of-the-mill ecommerce site, they probably can't hack into your bank. It's the human tendency to use a small number of logins/passwords across the web that any would-be hacker is banking on. If those are strong, distinct passwords, you're likely not to get hit so badly (my conjecture).
I'm linking the Mashable post here because they have a pretty comprehensive list of 'important' (i.e. real money) websites you may use and how this exploit has affected them. It's worth checking against your own surfing.
And, if you found this useful, please share with your friends, because it really is important to know how it will affect them.
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/