Computer users have been left confused over conflicting advice about how to protect themselves from the Heartbleed security flaw.
A number of web and security companies have advised individuals to change their passwords as soon as possible before exploits are released that can take advantage of the security flaw.
Others, however, have warned that rushing to change passwords now could make the problem worse if the service they are using hasn’t patched its OpenSSL software.
The security flaw in OpenSSL was uncovered by Finnish security company Codenomicon and Google Security. It would enable any attacker to crack the encryption that is supposed to protect web communications using the open source application. OpenSSL is typically used to secure password access to systems.
Security expert Bruce Schneier rated the scale of the flaw as an “11” out of ten.
Yahoo-owned Tumblr has already advised users to change passwords straightaway, after issuing a warning to users on Tuesday. Other organisations have repeated that advice. Further complicating matters, the vulnerability is only found in a few recent releases of OpenSSL and it is not known whether it has been exploited first by hackers, or by organisations like the US National Security Agency or GCHQ.
But unless users can be sure that the service they are using has upgraded its software, they could be exposing the new password, warns Mark Schloesser, a researcher at security software company Rapid7.
Indeed, Schloesser warned that it could increase risks because logging into a system that has not been updated, just to change the password, could expose both the old password and the new one to potential attackers.
Schloesser advised users to wait for 24-48 hours before changing passwords to give services the time to update their OpenSSL implementations.
Yahoo claims that it has already updated its OpenSSL implementations across affected sites, including Tumblr and Flickr, while Deutsche Bank, which uses OpenSSL on its main consumer-facing portal in Germany, has updated its software, but not its SSL certificate to reflect this.