By now you have probably heard of the security vulnerability known as Heartbleed. The news broke last week that versions of OpenSSL, the website encryption software, were susceptible to an attack where someone could listen to traffic being sent to and from a secure website.
Could a hacker retrieve every password, bank account, and social security number from a website? Not likely. The attack had to be occurring at the same time that you were entering sensitive information into a secure website running OpenSSL. The attacker would send the website some data and lie about how many characters that data contained. For instance, the attacker would say they were requesting DOGS (200 characters). The website would then return DOGS followed by the next 200 secure entries it had received. Could an attacker be running this type of query all day, every day? Possibly, but not likely. Brendan Spaar recommends you change your password on affected sites out of an abundance of caution and also because you probably have never changed your password, ever.
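The over-read described above, as an added example that is not part of the original post and is not OpenSSL's code: a simplified C model of a heartbeat handler that trusts the sender's length field, beside one that checks the claim against the bytes actually received. The function names, the 128-byte simulated memory and the sample data are constructed for illustration; the message layout (type, length, payload, padding) follows RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HDR 3   /* 1-byte type + 2-byte claimed payload length (RFC 6520) */
#define PAD 16  /* minimum padding RFC 6520 requires after the payload */

/* Vulnerable pattern: believes the length field the sender wrote.
 * mem models server memory: the received record plus whatever follows it. */
size_t reply_trusting(const uint8_t *mem, size_t mem_len, uint8_t *out)
{
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (HDR + claimed > mem_len) return 0;  /* keeps the simulation in bounds */
    memcpy(out, mem + HDR, claimed);        /* may run past the real record */
    return claimed;
}

/* Hardened pattern: drop the request unless the claim fits the bytes received. */
size_t reply_checked(const uint8_t *mem, size_t record_len, uint8_t *out)
{
    if (record_len < HDR + PAD) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (HDR + claimed + PAD > record_len) return 0;
    memcpy(out, mem + HDR, claimed);
    return claimed;
}

/* Constructed sample: a 4-byte "DOGS" request followed in memory by another
 * user's data. Returns how many bytes the chosen handler would send back. */
size_t demo(uint16_t claimed, int hardened, uint8_t *out)
{
    static const char next[] = "user=alice&pass=CONSTRUCTED-SAMPLE";
    uint8_t mem[128] = {0};
    size_t record_len = HDR + 4 + PAD;      /* what actually arrived: 23 bytes */
    mem[0] = 1;                             /* heartbeat request */
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + HDR, "DOGS", 4);
    memcpy(mem + record_len, next, sizeof next);
    return hardened ? reply_checked(mem, record_len, out)
                    : reply_trusting(mem, sizeof mem, out);
}

int main(void)
{
    uint8_t out[128];
    size_t n = demo(40, 0, out);            /* claims 40 bytes, sent only 4 */
    printf("trusting: %zu bytes, tail: %.*s\n", n, (int)(n - 20), (char *)out + 20);
    printf("checked:  %zu bytes\n", demo(40, 1, out));
}
```

An honest request (claimed length 4) gets `DOGS` back from both handlers; only the inflated claim separates them.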
Is it safe to file my taxes with Heartbleed in the open? Yes. The IRS does not use OpenSSL.
Here is a list of sites that Brendan Spaar recommends changing your password on:
- Google, YouTube and Gmail
- Facebook, Instagram
- Yahoo, Yahoo Mail, Tumblr, Flickr