Google updates its services to stop the bleeding
Google has announced that it has updated the OpenSSL library on its servers (and we presume revoked the certificate keys) for Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. The search giant says that Google Chrome and Chrome OS are not affected.
Heartbleed is particularly severe because the bug has been in the OpenSSL library for two years, and if a government agency did discover it (and didn’t tell anyone), then all past and future traffic to an exploited website is open to decryption. The reason is that the private keys associated with a site’s SSL certificate can be read from the server’s memory. Once the keys have been read, all traffic to and from the site can be decrypted, even traffic that was captured previously and stored away in a deep government archive.
Tumblr has suggested that today might be a good day to “call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking.” The problem with Tumblr’s advice is that until the major services actually give the all clear, as Google has, changing your password won’t be of any value, as your new password can be just as quickly compromised. Only once a service has updated to the latest version of OpenSSL and revoked its certificates can users safely change their passwords!
Google also reported that Android isn’t affected by the bug, with the exception of Android 4.1.1. The bug is called Heartbleed because the error is in the handling of the TLS heartbeat extension. Android 4.1.2 disabled the heartbeat functionality for better wpa_supplicant interoperability.
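To show what the heartbeat extension actually carries and where the missing check sat, here is an added example (not code from the article, Google or OpenSSL) that parses an RFC 6520 HeartbeatMessage and refuses any request whose declared payload length does not fit inside the record; the function and class names are my own.

```python
import struct
from typing import Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding


class MalformedHeartbeat(ValueError):
    """Raised for a heartbeat message that must be discarded, not answered."""


def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Parse one HeartbeatMessage: type(1) | payload_length(2) | payload | padding.

    Returns (type, payload). The length comparison is the bounds check that
    the vulnerable OpenSSL code lacked: it copied payload_length bytes from
    memory without confirming the record actually contained them.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        raise MalformedHeartbeat("record shorter than the minimum heartbeat")
    hb_type = record[0]
    (payload_len,) = struct.unpack("!H", record[1:3])
    # type byte + length field + declared payload + padding must fit in the record
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        raise MalformedHeartbeat(
            f"declared payload_length {payload_len} exceeds record of {len(record)} bytes"
        )
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise MalformedHeartbeat(f"unknown heartbeat type {hb_type}")
    return hb_type, record[3:3 + payload_len]


def build_heartbeat(hb_type: int, payload: bytes, padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Serialise a well-formed HeartbeatMessage (zero padding used here for determinism)."""
    if len(padding) < MIN_PADDING:
        raise ValueError("padding must be at least 16 bytes")
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + padding


def respond(request_record: bytes) -> bytes:
    """Echo a valid request's payload; a malformed request raises and is never answered."""
    hb_type, payload = parse_heartbeat(request_record)
    if hb_type != HEARTBEAT_REQUEST:
        raise MalformedHeartbeat("only heartbeat requests are answered")
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)
```

A record that declares a 65535-byte payload but carries only a few bytes is exactly the malformed case: the parser rejects it, whereas the unpatched code would have answered with whatever followed the request in memory.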
The ironic thing is that Neel Mehta of Google was actually credited with finding the bug, so you would have thought that Google had a head start on fixing the issue and that its services should have already been secure before the news hit the net. Maybe Google has become too much of a corporation for that to have happened!