Over the last couple of days system administrators the world over have scrambled to fix the gaping security hole in well over half the internet’s websites known as the Heartbleed bug, a disaster that security expert Bruce Schneier has described as ‘catastrophic… On the scale of 1 to 10, this is an 11’.
If websites or services (including VPN) have been compromised by the bug (and there is no way to detect this), then users’ passwords will now be compromised too (along with any usernames and cryptographic keys etc.), so changing your passwords, as recommended by the likes of Yahoo and the BBC, might seem like a very good idea.
Security experts however, recommend delaying such action, as changing your password before a server has fixed the problem could reveal your new password to an attacker.
It is therefore a good idea to wait until the problem is good and fixed before changing your passwords.
‘The estimate is that the larger providers all get patched within the next 24-48 hours [Thursday to Friday afternoon] and I would agree that people should change their credentials when a provider has updated their OpenSSL version,’ security researcher for Rapid7, Mark Schloesser told the Guardian.
It is possible to check whether a website is vulnerable to the Heartbleed bug using this tool, but even then a site that has updated its OpenSSL but not its certificates may superficially appear secure while in fact remaining vulnerable. Security researcher Trey Ford (also from Rapid7) explained,
‘Risk to users exists until organizations have updated OpenSSL, acquired a new certificate, generated and deployed new SSL keys, and revoked old keys and certs. Until this is done, attacks may still be able to steal cookies, sessions, passwords, and the key material required to masquerade as the website.’
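Ford’s checklist has two parts a user can verify without any probing of the server: whether the OpenSSL version the service reports is a fixed release, and whether the certificate it now serves was issued after the bug became public. The script below is an added example, not code from the article or from Rapid7; it takes an OpenSSL version banner (as some servers still reveal in an HTTP Server header or a hosting provider’s status notice) and the `notBefore` field of the certificate, and reports whether both conditions hold. The version boundaries it encodes are the published ones for Heartbleed (1.0.1 to 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and 1.0.2-beta2 fixed); the sample inputs at the bottom are constructed.

```python
"""Post-Heartbleed remediation check (added example; not the article's code).

Checks the two conditions a user can verify from data a server already
exposes: a patched OpenSSL version string and a certificate re-issued after
the public disclosure. Revocation of the old certificate cannot be seen in
these two fields and must be confirmed separately.
"""
import re
import ssl
from datetime import datetime, timezone

# Public disclosure date of CVE-2014-0160 (Heartbleed): 7 April 2014.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Matches banners such as "OpenSSL 1.0.1f 6 Jan 2014" or "OpenSSL 1.0.2-beta1".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def openssl_is_vulnerable(banner: str) -> bool:
    """True if the banner names a release that shipped the Heartbleed bug.

    Affected: 1.0.1 (no letter) through 1.0.1f, and 1.0.2-beta1.
    Fixed:    1.0.1g and later, 1.0.2-beta2 and later.
    Never affected: 0.9.8 and 1.0.0 branches (no TLS heartbeat support).
    """
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {banner!r}")
    major, minor, patch, letter, beta = m.groups()
    base = (int(major), int(minor), int(patch))
    if base == (1, 0, 1):
        # single patch letters compare correctly as strings: "" < "a" < ... < "f"
        return letter == "" or letter <= "f"
    if base == (1, 0, 2):
        return beta == "1"
    return False


def cert_reissued_after_disclosure(not_before: str) -> bool:
    """not_before uses the format ssl.getpeercert() returns, e.g. 'Apr  9 00:00:00 2014 GMT'."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    return issued >= HEARTBLEED_DISCLOSURE


def remediation_status(banner: str, not_before: str) -> dict:
    """Combine both checks; only change a password once both hold."""
    vulnerable = openssl_is_vulnerable(banner)
    reissued = cert_reissued_after_disclosure(not_before)
    return {
        "openssl_patched": not vulnerable,
        "cert_reissued": reissued,
        "safe_to_change_password": (not vulnerable) and reissued,
    }


def fetch_cert_not_before(host: str, port: int = 443) -> str:
    """Live helper (needs network): read notBefore from the certificate a host serves."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(__import__("socket").create_connection((host, port)),
                         server_hostname=host) as tls:
        return tls.getpeercert()["notBefore"]


if __name__ == "__main__":
    # Constructed sample inputs: a patched library but a certificate that
    # predates disclosure, i.e. the "superficially secure" case in the text.
    SAMPLE_BANNER = "OpenSSL 1.0.1g 7 Apr 2014"
    SAMPLE_NOT_BEFORE = "Jan 15 00:00:00 2014 GMT"
    for key, value in remediation_status(SAMPLE_BANNER, SAMPLE_NOT_BEFORE).items():
        print(f"{key}: {value}")
```

With the constructed sample the library check passes but the certificate check fails, so the script reports that a password change is not yet worthwhile; swap in a `notBefore` on or after 7 April 2014 and both conditions hold.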
If you have received notification that a website, VPN provider, or other secure internet service has updated its OpenSSL libraries and its certificates, then go ahead and change your password. If not, then wait until tomorrow afternoon or so, and then change your passwords for everything! It is also worth asking services whether they have been affected by the bug, and what they are doing / have done about it.