Or two-thirds of everyone, at least.
I basically endorse this article on the practical upshot of Heartbleed. Read it and get the overview. A couple of particular points to my regular readers:
- GMail and other Google services seem unaffected by Heartbleed.
- Facebook was affected by it, but resolved the issue before it went public.
- It is not known now, and probably never will be known whether there were any attackers exploiting Heartbleed before it goes public.
- About 2/3rds of all sites on the web were affected by Heartbleed.
- Affected sites are theoretically vulnerable not just for all present traffic, but all past traffic as well. In practice, it’s unlikely that people were logging past traffic on the off chance that they’d get the SSL keys later, so past traffic is much safer.
- Except the NSA and potentially other security organizations, foreign and domestic, who might have logged gigantic amounts of traffic.
- And remember, we don’t know whether anyone was using this bug to attack before it went public
- But most importantly:
- Pretty much everything on an affected server after the attack went public (about 2.5 days ago) is very, very, very vulnerable.
Point 9 is really important. If I were a black-hat, as soon as I found out about Heartbleed, I’d have written a script to exploit it and told that script to go fucking wild and harvest as much data as it possibly could across the entire internet, to the largest amount that my bandwidth could handle. This was a very easy bug to exploit. As soon as it was public, it probably took an hour or two at most before weaponized versions of it existed. I really can’t overemphasize how un-private information on the internet has been for the last two days.
If you’ve sent a password or a CC number in the last two days, unless you know that the site you sent it to was not vulnerable when you sent it, you should assume your data is compromised.
This is probably the single most horrible security bug that has hit in the history of the internet.