
What is the Heartbleed bug and how am I affected?

[Image: The Heartbleed bug made the web vulnerable. Image by heartbleed.com]

Recently a massive vulnerability was found in the open-source OpenSSL library. Websites served over https:// were vulnerable due to this bug, named Heartbleed (see the website dedicated to Heartbleed FAQs).

OpenSSL is used to keep information and the web secure, but a vulnerability in it allowed an attacker to read 64kB of a server's memory, and this memory-handling bug had been present for at least 2 years (see OpenSSL vulnerabilities).

This bug has now been fixed by OpenSSL, and an updated and fixed version is available.

Why is it a serious bug?

This bug allowed attackers to read 64kB of a server's memory, and by reading server memory attackers could access the private keys used to encrypt traffic as well as other users' data, i.e. usernames, passwords, etc. Using those keys, an attacker could steal and decrypt data from servers and could impersonate other users or services to gain access to more information.
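To make the "memory-handling bug" concrete, here is a small simulation added to this post (it is not OpenSSL's code and talks to no network). A TLS heartbeat request carries a 1-byte type, a 2-byte declared payload length, the payload itself and 16 bytes of padding, and the server is supposed to echo the payload back. The vulnerable handler copies as many bytes as the request declares; the fixed handler first checks that declaration against the bytes actually received. The "process memory", the session blob placed next to the receive buffer and the class and function names are all constructed for the example.

```python
"""Toy model of the Heartbleed bug (trusting a declared length) and its fix.

Constructed example, not OpenSSL's code. The server's receive buffer sits in
a bytearray that stands in for process memory; a made-up session blob a few
KB further on represents the keys and credentials of other users.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16


def build_heartbeat(payload: bytes, declared_len: int) -> bytes:
    """Encode a heartbeat request; declared_len may disagree with len(payload)."""
    return bytes([HB_REQUEST]) + struct.pack(">H", declared_len) + payload + b"\x00" * PADDING


class ToyServer:
    """Simulates a process whose receive buffer is followed by other users' data."""

    def __init__(self) -> None:
        self.memory = bytearray(70000)          # constructed "process memory"
        self.record_len = 0                     # bytes actually received
        blob = b"user=alice;pass=hunter2;" * 64  # constructed sample secret
        self.memory[4096:4096 + len(blob)] = blob

    def receive(self, record: bytes) -> None:
        """Place an incoming record at the start of the buffer."""
        self.record_len = len(record)
        self.memory[0:len(record)] = record

    def _declared_len(self) -> int:
        return struct.unpack(">H", bytes(self.memory[1:3]))[0]

    def heartbeat_vulnerable(self) -> bytes:
        # BUG: trusts the length field and copies that many bytes back,
        # reading past the request into whatever lies next in memory.
        n = self._declared_len()
        return bytes([HB_RESPONSE]) + struct.pack(">H", n) + bytes(self.memory[3:3 + n])

    def heartbeat_fixed(self):
        # FIX: type + length + declared payload + padding must fit inside the
        # record that was really received; otherwise the request is discarded.
        n = self._declared_len()
        if 1 + 2 + n + PADDING > self.record_len:
            return None
        return bytes([HB_RESPONSE]) + struct.pack(">H", n) + bytes(self.memory[3:3 + n])


def run_demo() -> dict:
    """Run an honest and a malformed request through both handlers.

    Returns the echoed payload sizes (response minus its 3-byte header),
    None where the fixed handler rejected the request, and whether the
    constructed secret appeared in the vulnerable handler's reply.
    """
    server = ToyServer()
    results = {}

    honest = build_heartbeat(b"hello", declared_len=5)
    server.receive(honest)
    results["honest_vulnerable"] = len(server.heartbeat_vulnerable()) - 3
    results["honest_fixed"] = len(server.heartbeat_fixed()) - 3

    # Malformed request: 3 real payload bytes, but the length field says 65535.
    oversized = build_heartbeat(b"abc", declared_len=65535)
    server.receive(oversized)
    leaked = server.heartbeat_vulnerable()
    results["oversized_vulnerable"] = len(leaked) - 3
    results["oversized_fixed"] = server.heartbeat_fixed()
    results["secret_in_leak"] = b"pass=hunter2" in leaked
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both handlers answer the honest 5-byte request identically, which is why the bug went unnoticed for so long: nothing looks wrong in normal traffic. Only a request whose length field exceeds what was sent separates them, and there the single bounds check is the whole difference between echoing 3 bytes and handing back 64kB of neighbouring memory.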

How am I affected?

Lots of popular websites, including Yahoo, were vulnerable due to this bug. If the OpenSSL on a vulnerable website's servers has not been updated to the fixed version, then you should not use that website, because it is still vulnerable (you can contact the website's support to make sure you are secure).
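For whoever runs the servers, "updated to the fixed version" has a concrete first check: the string printed by `openssl version`. The classifier below is an added example, not part of the original post; the affected releases it encodes are the ones published on heartbleed.com (1.0.1 through 1.0.1f and 1.0.2-beta1 vulnerable; 1.0.1g and 1.0.2-beta2 fixed; the 0.9.8 and 1.0.0 branches never had the heartbeat code). The function name and the sample banners are constructed.

```python
"""Classify an `openssl version` banner against the Heartbleed-affected releases.

Added example. Affected/fixed releases as published on heartbleed.com:
  vulnerable: 1.0.1 .. 1.0.1f, 1.0.2-beta1
  fixed:      1.0.1g and later, 1.0.2-beta2 and later
  not affected: 0.9.8 and 1.0.0 branches (no heartbeat code)
"""
import re
import subprocess

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def classify_openssl_version(banner: str) -> str:
    """Return 'vulnerable', 'fixed', 'not-affected' or 'unknown' for a banner.

    A 'vulnerable' verdict from the version string alone is a first check only:
    distribution packages backport the fix without changing the letter, so
    confirm against the package changelog before acting on it.
    """
    match = _VERSION_RE.search(banner)
    if not match:
        return "unknown"
    base = tuple(int(match.group(i)) for i in (1, 2, 3))
    letter, beta = match.group(4), match.group(5)

    if base == (1, 0, 1):
        # "" (plain 1.0.1) and "a".."f" are vulnerable; "g" onward carries the fix
        return "vulnerable" if letter <= "f" else "fixed"
    if base == (1, 0, 2):
        if beta is not None:
            return "vulnerable" if int(beta) < 2 else "fixed"
        return "fixed"  # 1.0.2 final and later
    return "not-affected"  # 0.9.8.x, 1.0.0.x, 1.1.x, 3.x, ...


def classify_local_openssl() -> str:
    """Run the local `openssl version` and classify its output."""
    try:
        banner = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=False).stdout
    except FileNotFoundError:
        return "unknown"
    return classify_openssl_version(banner)


if __name__ == "__main__":
    # Constructed sample banners, in the format `openssl version` prints.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.0l 6 Jan 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014"):
        print(f"{sample!r}: {classify_openssl_version(sample)}")
    print(f"local openssl: {classify_local_openssl()}")
```

The version string tells an operator whether the library could have been affected; it cannot tell them whether the server was actually attacked, which is exactly the point the post makes about the attack leaving no trace. After upgrading, the private keys and certificates of servers that ran a vulnerable release should be treated as exposed and replaced, since the text describes those keys as readable through the bug.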

You might want to have a look at a list containing some of the sites which were vulnerable (list not available).

According to this list, Facebook and Google are safe to use as they were not vulnerable, but you should still take this vulnerability seriously, because it left your information insecure for almost 2 years, and no one can say which websites were attacked through it because the attacks didn't leave any trace to track them. If you use Yahoo services, then your passwords might be at risk (because Yahoo was vulnerable).

What can I do to make myself secure?

You can't do anything as long as vulnerable versions of OpenSSL are being used by a website's servers. The only thing you can do is stop visiting sites that have the vulnerability.

The first thing you should do is change the passwords of your accounts once the vulnerable websites have removed the vulnerability. If you use the same password on different websites, then even if one of the two websites was not vulnerable, you should change your password on both of them (this is why you should not use the same password for different services).

If you use the same password on Facebook and Yahoo, then you should change your Facebook password immediately and your Yahoo password once the vulnerability is completely fixed. It makes little difference to change your password on a site that is still vulnerable. Tumblr (owned by Yahoo) shared a post on their blog asking users to change their passwords immediately everywhere.

I hope every company has updated their OpenSSL to the fixed version, so you can change your passwords now.