OpenSSL Bug

Indeed.

While this is a major issue from a technical point of view, there is little point in changing any passwords until:

a) you know that the service involved actually used OpenSSL, and
b) they have updated their servers to solve the problem.

The full technical details can be found here: Heartbleed Bug

As far as not using online banking and other (all) services, given that this bug has been present in the OpenSSL codebase since 2012, it is unlikely to make a significant difference. I appreciate that there will now be a lot of people trying to exploit this wherever possible, but online financial transactions clearly can't be stopped overnight, so for any given individual the likelihood of compromise is low.

Ultimately, the guidance is to check what online services are affected by the Heartbleed bug by using this list: https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt and, if one you use is on it, check that service's information pages for their plans on fixing the issue, then change your password / follow their advice after the fix has been conducted.

For any personal banking (or other) website you wish to check which is not listed, please see this tool: Test your server for Heartbleed (CVE-2014-0160) (this is what was used to compile the aforementioned list).

I hope that puts people's minds to rest somewhat; the mainstream media simply isn't able to translate something this technical into sensible guidance.
 
Apparently top sites such as Facebook, Google, Microsoft that use HTTPS haven't been affected as they use a version that is not affected if I'm correct.

---------- Post added at 12:46 PM ---------- Previous post was at 12:45 PM ----------

Apparently Yahoo has already been affected https://soundcloud.com/owasp-podcast/melissa-elliot-on-the

---------- Post added at 12:48 PM ---------- Previous post was at 12:46 PM ----------

You can also test sites that use HTTPS using this website https://www.ssllabs.com/ssltest/index.html
 
Apparently top sites such as Facebook, Google, Microsoft that use HTTPS haven't been affected as they use a version that is not affected if I'm correct

You are correct yes, but it's not a version of HTTPS (known as SSL 3.x / TLS 1.x) which makes you vulnerable or not, simply the cryptographic library that you're using to implement the HTTPS protocol (i.e. OpenSSL). In Facebook/Google/Microsoft cases they could be using any of the other providers.
 
OMG!!!! I just heard of this in the news!!!!

Is the best advice to change all passwords? Is it safe to even surf the web???

By the way, I heard Yahoo! was even affected. I don't check my Yahoo! email account at home, but I HAVE browsed various Yahoo! webpages (like their sports), so would simply THAT have infected me?

I stopped checking my Yahoo! email account at home after they had that meltdown late last year where millions of people had malware installed on their computers. ....Why is Yahoo! - a MAJOR company - so bad with this stuff? GRRRR!!!!
 

Good reading about this here: The Heartbleed Hit List: The Passwords You Need to Change Right Now
 
Is the best advice to change all passwords?

No, not at all - see my earlier post and associated links for all those sites which are vulnerable.

Is it safe to even surf the web???

Yes, provided the sites you're logging in to either a) aren't vulnerable or b) were vulnerable, but have now been patched and you've changed your password (obviously on first re-login).
For those sites which are vulnerable, browse in non-https where possible (obviously without logging in)

By the way, I heard Yahoo! was even affected. I don't check my Yahoo! email account at home, but I HAVE browsed various Yahoo! webpages (like their sports), so would simply THAT have infected me?

Exploiting this vulnerability does not result in an infection on the end user machine; it is an information leak between the server and connected clients. Worst case, a portion of your machine's RAM would be visible to the exploited server. To reiterate, you do not get a virus or any malware through this 'attack'; it is completely transparent and undetectable from the client machine.

I hope that clarifies things for you.
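To illustrate the information leak described in the reply above, here is an added C simulation of the heartbeat handling; it is not code from this thread or from OpenSSL. It places the peer-trusted length handling of OpenSSL 1.0.1 to 1.0.1f beside the bounds check that 1.0.1g added; the record layout, the arena bound that keeps the simulation memory-safe, and the "secret" string are assumptions of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16  /* minimum padding that must follow the payload */

/* Build the response for one heartbeat record body laid out as
 * type(1) | payload_len(2, big-endian) | payload | padding.
 * checked=1 applies the 1.0.1g bounds check; checked=0 trusts the peer's length
 * as 1.0.1-1.0.1f did. arena_end is a simulation-only bound so the unchecked
 * path stays memory-safe here (the real code had no such bound).
 * Returns bytes written to out, 0 if the record is dropped, -1 on bad input. */
long heartbeat_response(const uint8_t *rec, size_t rec_len, const uint8_t *arena_end,
                        int checked, uint8_t *out, size_t out_cap)
{
    if (!rec || !out || rec_len < 3 || rec_len > (size_t)(arena_end - rec)) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* peer-controlled length */
    if (rec[0] != HB_REQUEST) return 0;
    if (checked) {
        /* The fix: header + claimed payload + padding must fit inside the record. */
        if (1 + 2 + payload + HB_PADDING > rec_len) return 0;
    } else if (3 + payload > (size_t)(arena_end - rec)) {
        payload = (size_t)(arena_end - rec) - 3;  /* clamp to the arena, simulation only */
    }
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, payload);        /* unchecked: reads past the record */
    memset(out + 3 + payload, 0, HB_PADDING); /* real TLS fills this with random bytes */
    return (long)resp_len;
}

/* Constructed scenario: a 22-byte record claiming a 64-byte payload, with a
 * "secret" placed right after it, as session data might sit next to a record
 * on the heap. Returns how many secret bytes were echoed back to the peer. */
long secret_bytes_leaked(int checked)
{
    uint8_t arena[128] = {0}, out[128];
    const char *secret = "sessionid=deadbeef";         /* constructed sample value */
    arena[0] = HB_REQUEST; arena[1] = 0; arena[2] = 64; /* claims 64 bytes, sends 3 */
    memcpy(arena + 3, "hi!", 3);                        /* bytes 6..21 are padding */
    memcpy(arena + 22, secret, strlen(secret));
    long n = heartbeat_response(arena, 22, arena + 22 + strlen(secret), checked, out, sizeof out);
    if (n <= 0) return 0;
    long leaked = 0, payload_end = n - HB_PADDING;      /* out[3..payload_end) is the echo */
    for (size_t i = 0; i < strlen(secret); i++)
        if (22 + (long)i < payload_end && out[22 + i] == (uint8_t)secret[i]) leaked++;
    return leaked;
}
```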
 
As _michaelm already stated, there is no point in changing your password until the website affected has patched the heartbeat update from which the Heartbleed bug comes. Until that group gets the update (for which there is already one available, and several groups have already upgraded) there is no point in changing your password; once your group does install the new update, however, it would be wise to then change your password!
