Oh! We have a problem! Let's make the users jump through useless hoops, that will increase their trust in the internet. Not!
The latest example is HeartBleed; even the normally sane BBC News Channel is joining in the hysteria.
Don't get me wrong, the HeartBleed vulnerability is really, really bad!
However, the hysterical cries to "Change ALL your passwords!" are worse.
As a reminder here is the current flow:-
Flaw Detected in OpenSSL (Versions 1.01-1.01f)
(NB Most sites are still using older OpenSSL code, that is, those sites are Not Vulnerable)
Some of the "in the know" sites update their sites, and keep their heads down.
Security Experts start crying "Update ALL your passwords!"
News Media picks up and echoes the cry.
The sites with the vulnerability patched keep their heads down.
The sites with the vulnerability unpatched keep their heads down.
Some sites update their Security Certs but not all...
Some Users Update ALL their Passwords, wasting time and not getting any real increase in their security.
Most users just raise their eyebrows, and think "Not again!"
(NB Simply patching the OpenSSL code is not enough. The affected sites also need to update their security certificates. As an example, O2 have patched and updated; it seems that EE have just patched and not yet updated their Security Certs. Though some Certificate Providers do not update the Certificate dates when re-issuing Certificates, so who knows!!)
Of my 257 internet accounts, 249 were apparently not affected: either they were not on the affected versions, or they did not use SSL!
Of the 8 sites that LastPass detected were affected, 5 of them had not yet updated their security certificates, and only 3 had updated their certificates. So in fact I apparently just had 3 passwords to update.
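A small check for the certificate question above, added here as an example and not part of the original post: it walks a DER-encoded X.509 certificate (the form ssl.getpeercert(binary_form=True) hands back) to its notBefore date and compares it with the 7 April 2014 disclosure date. A constructed, unsigned skeleton certificate stands in for a real one so the check runs offline; the "unknown" verdict reflects the caveat that some providers keep the old dates when re-issuing.

```python
from datetime import datetime, timezone

# Public disclosure date of Heartbleed: a certificate issued on or after this
# date was at least issued with knowledge of the bug.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def cert_not_before(der):
    """Walk a DER X.509 certificate down to validity.notBefore (aware datetime)."""
    _, p, _ = _read_tlv(der, 0)             # Certificate SEQUENCE
    _, p, _ = _read_tlv(der, p)             # tbsCertificate SEQUENCE
    tag, s, e = _read_tlv(der, p)           # [0] version (optional) or serialNumber
    if tag == 0xA0:
        tag, s, e = _read_tlv(der, e)       # serialNumber INTEGER
    _, s, e = _read_tlv(der, e)             # signature AlgorithmIdentifier
    _, s, e = _read_tlv(der, e)             # issuer Name
    _, s, e = _read_tlv(der, e)             # validity SEQUENCE
    tag, s, e = _read_tlv(der, s)           # notBefore: UTCTime 0x17 or GeneralizedTime 0x18
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def heartbleed_cert_verdict(der):
    """Classify a patched site's certificate relative to the disclosure date.

    A notBefore after disclosure is evidence of re-issue. A notBefore before it
    is NOT proof the old key is still in use: some CAs keep the original dates
    when re-issuing, so that case can only be reported as unknown.
    """
    if cert_not_before(der) >= HEARTBLEED_DISCLOSED:
        return "reissued-after-disclosure"
    return "predates-disclosure-unknown"

def _tlv(tag, content):
    """Encode one short-form DER TLV (enough for the constructed sample)."""
    return bytes([tag, len(content)]) + content

def constructed_cert(not_before_utc):
    """Constructed, unsigned, minimal certificate skeleton for offline testing (not a real cert)."""
    validity = _tlv(0x30, _tlv(0x17, not_before_utc) + _tlv(0x17, b"160408000000Z"))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")   # version v3, serial 1
           + _tlv(0x30, b"") + _tlv(0x30, b"") + validity)          # empty sigalg, empty issuer
    return _tlv(0x30, _tlv(0x30, tbs))

if __name__ == "__main__":
    print(heartbleed_cert_verdict(constructed_cert(b"140410120000Z")))  # reissued-after-disclosure
    print(heartbleed_cert_verdict(constructed_cert(b"130601000000Z")))  # predates-disclosure-unknown
```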
A far more Open and sane approach to the process would have gone like this:-
Flaw Detected in OpenSSL (1.01-1.01f)
Some of the "in the know" sites update their sites: Goto **
Security Experts get the message out "Site Admins Update OpenSSL (Versions 1.01-1.01f) and Certs"
News Media keeps its head down. IT and Security Media repeats the message above.
The sites without the vulnerability keep their heads down.
The sites with the vulnerability unpatched declare on their website that it is insecure but they are working on it.
The sites with the vulnerability patched and certs updated: Goto **
** Force re-authentication and password reset on ALL site users, admitting that the site had been vulnerable.
Funny how LastPass did not declare themselves as one of the affected sites, despite the fact that they were: an example of the "in the know", keep-our-heads-down approach to security and brand protection. Thankfully I use my YubiKey(s) to protect their site! I wonder how they have been compromised by Heartbleed?
Oh! how my HeartBleeds!