Heartbleed aftermath

I almost feel bad for blogging about this, but god knows everyone else will be so perhaps it's worth a punt.

So in the last few days the OpenSSL Heartbleed bug has come into the public eye, and my goodness has it caused a veritable shitstorm. I'm not going to discuss what the bug is as it's been done to death, but more on the reactions to it.

I've seen plenty of people claiming that the sky is falling, and that two factor passwords don't help, and that essentially everything you ever thought secure is now gone - cast to the wind as if your entire back history is now pinned up on a wall for the world to read.

This just isn't the case.

Yes, this bug is bad. Yes, if you run a website you should probably get a new certificate made. I would say that's a reasonable response as a site owner. What has totally baffled me is the public reaction to the bug. There's people claiming that you should change all your passwords, everywhere, on the assumption that all site certs have been compromised, and all passwords stolen...

Really ? Let's consider the impact of that for a second. What's being proposed here is that a large proportion of the worlds traffic and credentials have been compromised for up to two years, and no-one noticed ? Not one person has claimed before this bug was announced that their SSL was broken and credentials then used. No credit cards taken off the wire, and nothing similar, either.

"You must assume they have your credentials and are sitting on them, waiting to strike!". No, no you don't. You need to take a pragmatic approach to security, and ensure you use the appropriate level of security for the site in question. If you have no two factor password, and you use the same password everywhere then sure (maybe). I don't believe that a person using unique passwords and two factor needs to worry nearly as much as the doom sayers would make you believe.

No least, this bug has now been in the public eye for 24-48 hours, and it promises the keys to the kingdom and almost unlimited power... and no-one has claimed that their credentials have been stolen since then, either.

This has all the hallmarks of F.U.D. to me. Update your passwords on the 2-3 sites you're irrationally paranoid with (banking etc). Ensure you use two factor for any site that allows it, and don't use the same password in more than one place. If you're a site owner, grab patch your OpenSSL and grab a new cert.

Sounds kinda like the old advice for staying safe, no ?