The Heartbleed logo.

Even if you're not particularly into technology, you probably wouldn't have escaped hearing about Heartbleed last month.

Without going into details here — the site written by researchers who disclosed the vulnerability has a detailed technical summary, and XKCD had a nice non-technical summary — it affected servers using OpenSSL and meant that it was possible for attackers to retrieve confidential information (for example, passwords) or even the private keys of servers.

It's old news now; a month's passed since. What was striking about the whole incident is that, despite the initial fuss in both the specialist press and more general news sources, the communication of the status of web services was conspicuous by its absence.

Out of the hundred or so sites that I have accounts on, just one of them emailed me to reassure me that they weren't exposed to Heartbleed. The only clear indication I saw while visiting a site was on Soundcloud, who advised users to change passwords.

From some of the lists of popular sites that were being maintained at the time, I know there was at least one site that I had an account on that was at some point exposed to Heartbleed. Yet, as far as I can tell, they didn't bother to inform their users of that.

I'm not sure what their motivation was; an email, a blog post, or a banner on the site would have been really helpful. Maybe site owners wanted to avoid alarm, but I'd personally prefer a clear reassurance that everything is OK with them.

It's unrealistic to expect that some widespread security issue won't happen again. If something does happen though, I do hope that sites do a better job in clarifying their position.