Heartbleed vulnerability - change your passwords


#1

I’ve been changing a lot of passwords since yesterday. You probably should too:

http://heartbleed.com/

https://www.mattslifebytes.com/?p=533

Check websites for it:
https://lastpass.com/heartbleed/

Edit: Check here as well: https://www.ssllabs.com/ssltest/


US to Angela Merkel: no, you can't see your NSA file but we promise we aren't spying on you anymore
Condoleezza Rice, surveillance and torture fan, joins Dropbox board
#2

I just heard on the radio that you should check to see if a site has patched the vulnerability before changing your password. Obviously, if a site is still vulnerable, then changing your password will accomplish nothing, except giving you a false sense of security.


#3

Right, good advice, the second link in my post above already mentioned it here (but I should have made that more clear in my post):

‘’ … Mark McCurley, senior information security advisor at Identity Theft 911, said Lastpass.com/heartbleed can help you check to see if a site is vulnerable. You can also ask the company or website if they have fixed potential flaws, then update to a strong password."

I’ve only changed passwords at sites who’ve updated, etc.

I’m pretty surprised boing boing hasn’t mentioned this yet. It’s one of the worst security issues in the history of the Internet. It effects nearly everyone no matter what OS or browser you use.

Email… banking… etc. — It’s a privacy and security disaster.

Here’s some good info:

First, to be clear, you don’t need to change any passwords or PINs you use to log into a Windows PC, Mac or mobile device. For the most part, personal computers, smartphones and tablets are not directly affected by Heartbleed.

There’s also a more detailed list, but here’s some of the top ones:

Sites for which you will definitely need to change your password

Yahoo, including Yahoo Mail and any Yahoo Group

Flickr (Yahoo subsidiary)

Tumblr (Yahoo subsidiary)

Sites that have asked users to change their passwords, or are making them do so

Ars Technica

IFTTT.com

Trillian

These sites patched their servers after the public disclosure, and it’s safe to change your password on them.

(Sites that were, or may have been, vulnerable to Heartbleed)

Archive.org

Dropbox

DuckDuckGo

Electronic Frontier Foundation

Etsy

Eventbrite

HideMyAss.com

LastPass

Wordpress.com

Wordpress.org

Wikipedia

Woot

Sites that may still be vulnerable to Heartbleed (as of 04-10-2014 Thu)

Do NOT change your password on any of these sites until they say they have patched their servers. Otherwise, attackers could capture your new password as well.

The Atlantic

Breitbart.com

The Economist

Imgur

IndieGoGo

Netflix

OK Cupid

Outbrain

Rolling Stone

Stack Overflow (ut oh… @codinghorror )

See link above for larger list, including some that are considered “safe”.


#4

I don’t know where you’re getting that from, but it is not correct as of 2 days ago…


#5

I don’t know where you’re getting that from

See link above. You should contact them to update their story: Email jscharr@techmedianetwork.com

It’s one of the top stories on Google News, etc. so I’m sure a lot of people are reading it.


#6

If anyone is wondering what this vulnerability is about, and why it is so serious, XKCD has given a nice succinct description.


#7

Local passwords are definitely at risk since they might have been sniffed from the clear text, though you only get a random block of memory, so it’s really haphazard.

However the crown jewels, the private key certificates, may be at less risk than originally thought…


https://www.cloudflarechallenge.com/heartbleed


#8

the crown jewels, the private key certificates, may be at less risk than originally thought…

Maybe so, but they certainly still appear at risk:

Private crypto keys are accessible to Heartbleed hackers, new data shows

FTA:

Contrary to previous suspicions, it is possible for hackers exploiting the catastrophic vulnerability dubbed Heartbleed to extract a private encryption keys from vulnerable websites, Web services firm Cloudflare reported Saturday.

As recently as yesterday, Cloudflare published preliminary findings that seemed to indicate that it would be difficult, if not impossible, to use Heartbleed to get the vital key that essentially unlocks the secure sockets layer padlock in millions of browsers. To be extra-sure, Cloudflare launched “The Heartbleed Challenge” to see how other people exploiting Heartbleed might fare. The company set up a nginx server running a Heartbleed-vulnerable version of OpenSSL and invited the Internet at large to steal its private key.

Just nine hours later, software engineer Fedor Indutny and Ilkka Mattila at NCSC-FI had obtained the server’s private keys using nothing but the Heartbleed vulnerability. As of this writing, CloudFlare had confirmed a total of four winners: Rubin Xu, a PhD student in the Security group of Cambridge University, as well as security researcher Ben Murphy.


#9

Update:


#10

This topic was automatically closed after 1045 days. New replies are no longer allowed.