There are many reasons to be concerned about "Heartbleed," the catastrophic vulnerability in the Internet's most popular security technology that was disclosed on Tuesday. For one thing, it's not even clear what we, as individuals, should be doing about it. At the Atlantic, James Fallows is strongly urging that we change our passwords to our most crucial online services right now. But other experts are advising that we should wait a day or two, until potentially compromised sites have upgraded their software. Otherwise, we'll just be handing a new password over to an already-busted security system.
That's nerve-wracking, but not quite as anxiety inducing as the speculation floated by Bruce Schneier, a longtime security analyst with impeccable credentials.
At this point, the odds are close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.
By "odds are close to one" Schneier means that the likelihood that the Heartbleed bug has already been exploited by everyone from the NSA to to the People's Liberation Army is close to 100 percent. But even more distressing is the notion that this might not have been an accident.
A year ago, most of us would likely have scoffed at such paranoia. But in the post-Snowden world, one in which we have proof that the NSA was covertly breaking into the communications infrastructure of companies like Google and Facebook, nothing seems impossible. Given what we know now, in fact, it seems almost inevitable that something like this would happen.
Presumably, a fair amount of investigation attention is about to be devoted to the question of how this particular bug ended up in the code for OpenSSL. It will be instructive to track that story. In the meantime, yeah, probably a pretty good idea to change your passwords. Perhaps more than once, this week.