Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.
(Poynter.org “doesn’t appear to be vulnerable,” Krebs says in an email. Phew!)
But companies — including publishers — should upgrade OpenSSL immediately, and the rest of us Internet users (including perhaps journalists who use Web-based email) should “change their passwords this week,” Krebs writes.
Emphasis on “this week”: “Immediately changing passwords could feed a new password into a website that has not fixed the flaw,” Steve Lohr writes in The New York Times.
Users will largely need to depend on individual sites to notify them about whether the flaw has been addressed. Many major web services, like Yahoo, have already released such notices.
“Even if you’ve never heard of OpenSSL, it’s probably a part of your life in one way or another,” Greg Kumparak writes in TechCrunch.
The apps you use, the sites you visit; if they encrypt the data they send back and forth, there’s a good chance they use OpenSSL to do it. The Apache web server that powers something like 50% of the Internet’s web sites, for example, utilizes OpenSSL.
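One practical check that follows from the point above, since so much software links against OpenSSL: a small POSIX shell script (added here as an example; it is not code from the Poynter article or from any of the outlets it quotes) that reads the banner `openssl version` prints and classifies the version against the range the OpenSSL project listed as affected by this flaw (Heartbleed, the TLS heartbeat bug): 1.0.1 through 1.0.1f and 1.0.2-beta1. The function names `heartbleed_status` and `version_from_banner` are this example's own. The important caveat is in the comments: many Linux distributions patched the bug without changing the version string, so an "affected" result means "confirm against your vendor's advisory", not a confirmed hole.

```shell
#!/bin/sh
# Added example, not code from the Poynter article or the quoted outlets.
# Classifies an OpenSSL version string against the range affected by the
# Heartbleed bug: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected;
# 1.0.1g and later, 1.0.2-beta2 and later, and the 0.9.8 / 1.0.0 branches
# (which predate the heartbeat extension) are not.
# Caveat: distributions often backport the fix without bumping the version
# string, so "affected" here means "check your vendor's advisory".

heartbleed_status() {
    # $1: bare version string, e.g. "1.0.1e"
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)   echo "affected" ;;
        1.0.1[g-z]*|1.0.2*|1.1*|[2-9]*) echo "not affected" ;;
        0.9.*|1.0.0*)                   echo "not affected (branch never had the heartbeat code)" ;;
        *)                              echo "unknown version format: $1" ;;
    esac
}

# Extracts the version field from the banner `openssl version` prints,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e". Parameter expansion only,
# so it works in any POSIX sh without awk or sed.
version_from_banner() {
    rest="${1#OpenSSL }"      # drop the leading product name
    echo "${rest%% *}"        # keep everything up to the first space
}

# Run against the locally installed binary, if one is present.
if command -v openssl >/dev/null 2>&1; then
    banner="$(openssl version)"
    ver="$(version_from_banner "$banner")"
    echo "installed: $banner -> $(heartbleed_status "$ver")"
fi
```

Running this on a host that reports `OpenSSL 1.0.1e 11 Feb 2013` prints `affected`; the same string on a Debian or Red Hat system that shipped the backported fix is a false positive, which is why the vendor advisory, not the banner, is the final word.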
“It’s unclear if attackers have been exploiting the flaw over the last two years, which was just publicly revealed on Monday,” Jeremy Kirk writes in PCWorld. “But attacks using the flaw ‘leaves no traces of anything abnormal happening to the logs,’ the researchers wrote.”