News

Were Your Favorite Sites Affected By 'Heartbleed'?

by Isobel Markham

Earlier this week, we learnt that the Heartbleed bug, which attacks OpenSSL — the open-source encryption technology indicated by the little padlock in a web browser — could've left basically everything we've done online in the past two years vulnerable to hackers. It's now come to light that some of the Internet's biggest players, including Google and Yahoo, were affected by Heartbleed, along with roughly two-thirds of the Web. Oh, and some didn't even bother to mention it.

The Heartbleed bug is good news, however, for web users in Canada who are not on top of their tax filing. The Canada Revenue Service has temporarily shut down access to its online services, including the Efile and Netfile services and several other key sections of the CRA website. If you miss the Canadian 2014 tax filing deadline of April 30 because of the shutdown then you won't be penalized.

In a Google Services online security update Wednesday, the search-engine giant said it had been taking steps to ensure that all Google platforms are safe.

We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services.

Amazon Web Services also offered a service update, reassuring users that its products were either unaffected, or that it had been able to apply fixes and customers didn't need to take any action. That seems a little opaque to us — we would have preferred to actually know which services required patches.

Still, apparently its retail website, Amazon.com, was not affected.

It's not entirely clear whether Facebook was actually affected, but Zuck and co have admitted there's a chance it was. What's more, the social media giant said that it was already aware of the flaw in OpenSSL, and had added some extra protections before the media got hold of the issue and publicized it. Sooo, they knew about it and didn't mention it. Well that's neighborly.

Twitter has assured users that they have not been left vulnerable to the bug, whereas Tumblr had some rather creative advice in its service update that most bosses probably didn't appreciate:

Bad news. A major vulnerability, known as “Heartbleed,” has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr.

This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.

Patrick Lux/Getty Images News/Getty Images

One company that seems to have been majorly stung by the Heartbleed bug is Yahoo. Unfortunately for them, Heartbleed researchers actually used Yahoo as an example of how the bug forces sites to give up valuable personal information. So, yeah... wide open.

Yahoo has announced that it has applied patches to its major services — its homepage, search site, email service, finance and sports sites, among others — and is continuing to work on the rest.

Patrick Lux/Getty Images News/Getty Images

There's still a lot of conflicting advice out there on whether users should change their passwords now or wait for the all-clear from each website they use. The best advice seems to be this: There's nothing wrong with changing your password now, just be advised you may have to change them all again next week.

The size and scope of this bug — which cannot be detected — means it's going to take a really long time before it's completely removed, if that's even a possibility. Some believe it's likely the bug has gotten into home systems well away from public view, like cable boxes and Internet routers, and it's very unlikely manufacturers will release patches for these products.