Heartbleed – or slight headache?

The dust has now settled on the Heartbleed bug fallout – after much updating of our web servers and renewing each and every SSL certificate we host, we are secure once more. The bug itself was massive: Mashable called it “one of the biggest security threats the Internet has ever seen“.

Thankfully we host a relatively small number of sites that use SSL, so the process of updating them was relatively quick and easy. We completed our updates the day the news of the insecurity broke, and found no evidence of any breaches.

You have to spare a thought for major hosting companies. I can say from personal experience it was definitely a headache I could have done without. Companies that host many sites with SSL certificates might even now be renewing them and patching servers in the background, quietly hoping that none of their sites have been affected.

So what can we learn from this bug? I’ve always found the process of renewing and applying for SSL certificates laborious. Having to do this when they haven’t expired was a pain we could well have done without! At least the vulnerability was discovered, and now the patches are in place we have returned to a level of perceived security – but was it too late? Well that is difficult to say, but I would certainly advise people if in doubt to contact their website providers, ensure that they have applied the patches to their web servers, and then change the passwords on their accounts.

It’s good practice to regularly change your passwords anyway, so why not use this as opportunity for a wholesale password audit? If you are unsure which accounts need to be changed, my advice would be – if in doubt, change it! Just yesterday I was contacted by EBay and told to change my account password. But you can refer to Mashable’s list of The Passwords You Need to Change Right Now.

Dan