Heartbleed PSA (UPDATED)
11 years ago
EDIT: Here's what I was waiting for!
http://www.tomsguide.com/us/heartbl.....ews-18597.html
/EDIT
Unfortunately it seems there’s some misinformation floating around about the Heartbleed vulnerability you might have heard about. Some sites and news reports are suggesting you change all your passwords. While changing passwords often is a good idea, it might actually be a bad idea to do so right now.
The vulnerability still affects some sites, and changing your passwords can actually expose your old and new passwords, which are in more peril now that the word is out about this thing. There is really nothing you can do about it until the sites you log in to have updated their security.
Fortunately not every site is affected. I’ve been told that the “OMG 66% of the internet!!!” is a bit exaggerated. Many sites had a different version of SSL or were not using SSL at all. What sites? It took some digging, but I did find this list:
https://github.com/musalbas/heartbl.....r/top10000.txt
This may be outdated though. If you’d like to test whether or not a service you use is vulnerable, you can try this handy tool:
http://filippo.io/Heartbleed/
And finally, here’s an article that seems to be one of the more levelheaded ones out there:
http://www.forbes.com/sites/jamesly.....-to-stay-safe/
One thing they mention is the idea that the hype can be more dangerous than the vulnerability itself. Don’t fall for phishing scams that ask you to change your password, because there’s probably going to be a lot of spam emails addressing this.
I wanted to address this because even though I think of myself as tech literate, it took some digging to figure out what was going on and how it affected me, and it doesn't help that sites that were vulnerable like Yahoo! haven't really addressed the problem on their sites (though supposedly they fixed the issue, I actually still have no idea), and Tumblr suggested "change all your passwords!!!" earlier.
Good luck!
Thanks for the list/article links, though. I'd barely seen any news on this beyond maybe one or two articles on newssites I'd never heard of.
What exactly is heartbleed, and what are these sites vulnerable to exactly?
Sadly, the hard part is your second question: I don't know which sites actually WERE vulnerable (doesn't matter if they fixed it). Yahoo! and all its sites like Tumblr and Flickr were among the biggest though.
And for some people (too many actually), one password lost is all passwords lost. I know people that use only one password for almost all their logins. If they used the same password for their Indiegogo account as their Bank of America account, they're in trouble (BofA was not affected, but Indiegogo was, so you see the problem).
It also does not affect that version if SSL is not being terminated on it. So most large websites have at least some level of redirection when it comes to exploits. Fortunately, in the application delivery controller area it's rare to be vulnerable, as most of those players implement their own SSL stacks (for this reason and for optimization).
It's important to scope breaches so that unneeded chaos does not spring from them.
~ Your Friendly Neighborhood Security Engineer
The problem is that using the latest and greatest* is popular among some of the rising stars, so they got bit in the arse.
There was one report on a UK news site that quoted an "expert" as saying "to stay off the internet for a few days". Most of the news does scare the non tech savvy.
I can't remember how to make links clickable but oh well. c.c
http://mashable.com/2014/04/09/hear.....ites-affected/
Another really handy tester site is SSL Labs' own SSL Test Suite. It checks for Heartbleed along with a whole host of other things. Handy for finding lots of encryption issues with a website. Much more detailed than Filippo.
https://www.ssllabs.com/ssltest/
Microsoft: They rely on the LastPass tool, which does not actually check to see if the vuln is possible, it just gets a page and makes assumptions based on the server header. Microsoft is probably not vulnerable because they use application delivery controllers that are not vulnerable.
Twitter: They take the Twitter statement that they are not vulnerable and toss it out because Twitter patched things. Twitter is not vulnerable because they use application delivery controllers that are not vulnerable.
I think a better thing to do would be to change all of your passwords after a little while and then get into the habit of changing them once a year or so. Also, if you need to use the same password for more than one site, use different passwords for work, banking and other sites; this will help in avoiding issues like someone compromising a social site and getting a password that works for your bank account.