Free Republic

Dallas Morning News article calls for changing passwords.

But does this hole need to be fixed before changing passwords (changing passwords helps some)? But what good if the hole is not fixed?

1 posted on 04/11/2014 8:22:28 AM PDT by topher


To: topher; ShadowAce

For your Tech Ping list...


2 posted on 04/11/2014 8:30:17 AM PDT by CedarDave (CNN: The "Crisis News Channel" - all Flight 370 hysteria and global warming blather, all the time.)

To: topher
Other Freerepublic articles on Heartbleed:

[BBC] Heartbleed bug creates confusion on internet

[Krebs on Security] ‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys

3 posted on 04/11/2014 8:31:49 AM PDT by topher (Traditional values -- especially family values -- which have been proven over time.)

To: rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; amigatec; Still Thinking; ...

4 posted on 04/11/2014 8:32:57 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: topher
Am I wrong for thinking this ... We truly don't know what coding actually exists? Has this coding had two years to rewrite itself, as appears? I am wondering why changing passwords is the temporary fix; if the coding is rewriting itself could the coding not steal those passwords also?

I'm at a total loss to understand what is taking place regarding this hole. Guess I'm just plain stupid but hey I suspected such a long time ago.

5 posted on 04/11/2014 8:38:08 AM PDT by no-to-illegals (Scrutinize our government and Secure the Blessing of Freedom and Justice)

To: topher
For the completely tech illiterate such as myself who has no idea what all this really means......

http://money.cnn.com/2014/04/10/technology/security/heartbleed-passwords/index.html

Websites are racing to patch the Heartbleed bug, the worst security hole the Internet has ever seen.

As sites fix the bug on their end, it's time for you to change your passwords. The Heartbleed bug allowed information leaks from a key safety feature that is supposed to keep your online communication private -- email, banking, shopping, and passwords.

Don't change all your passwords yet, though. If a company hasn't yet updated its site, you still can't connect safely. A new password would be compromised too.

Many companies are not informing their customers of the danger -- or asking them to update their log-in credentials. So, here's a handy password list. It'll be updated as companies respond to CNN's questions.

Change these passwords now (they were patched)

•Google, YouTube and Gmail

•Facebook

•Yahoo, Yahoo Mail, Tumblr, Flickr

•OKCupid

•Wikipedia

Don't worry about these (they don't use the affected software, or ran a different version) [I think I will still worry anyway]

•Amazon

•AOL and MapQuest

•Bank of America

•Capital One bank

•Charles Schwab

•Chase bank

•Citibank

•E*Trade

•Fidelity

•HSBC bank

•LinkedIn

•Microsoft, Hotmail and Outlook

•PayPal

•PNC bank

•Scottrade

•TD Ameritrade

•Twitter

•U.S. Bank

•Vanguard

•Wells Fargo

Don't change these passwords yet (still unclear, no response)

•American Express

•Apple, iCloud and iTunes

9 posted on 04/11/2014 9:10:28 AM PDT by Envisioning (It's the Jihad, stupid......)

To: topher

“But does this hole need to be fixed before changing passwords (changing passwords helps some)? But what good if the hole is not fixed?”

Correct. Does no good to change until fixed. Plus lots of the really big sites weren’t affected anyway. So you wouldn’t even know where to change.

Not to mention this is all completely hypothetical anyway as there has been no documented case of this exploit being utilized.

Actually, I think “killer computer bug” is a new genre of media alarmism, akin to killer sun spots, the coffee crop will be wiped out, and the chocolate crop will be wiped out. Each of these surfaces in the media every two years like clockwork.


11 posted on 04/11/2014 9:24:36 AM PDT by catnipman (Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)

To: topher; All
Codenomicon has set up the website: HeartBleed.com to document the problems with Heartbleed...
14 posted on 04/11/2014 9:28:45 AM PDT by topher (Traditional values -- especially family values -- which have been proven over time.)

To: topher

Heartbleed explained

http://xkcd.com/1354/


15 posted on 04/11/2014 9:29:25 AM PDT by AppyPappy

To: topher

IMO this was not discovered by hackers. If it had been then it would have wound up being overused to the point where security firms would have gone searching for the flaw long ago. It would also have been picked up in short order by white hat guys that run everything that leaves their computers through a filter that looks for suspicious strings and other things.

It may have been code planted in SSL by an NSA operative working on the open source code though.

Since Snowden, everyone is scrambling to encrypt everything end-to-end. This does not preclude snooping on an individual using a court order but end-to-end encryption for the bulk of net traffic means the end of wholesale snooping on everyone....NSA is saddened, it is what they have long feared.

Now to get real encryption for cell traffic instead of the gov approved weak crypto in use now.


20 posted on 04/11/2014 9:42:40 AM PDT by Bobalu (Four Cokes And A Fried Chicken)

To: topher

Intrusion detection picked up the first attack on this exploit early this AM in the network I manage..


21 posted on 04/11/2014 9:48:43 AM PDT by IamConservative

To: topher

This site will test any domain to give you some idea of security and whether it is affected by Heartbleed or not.

https://www.ssllabs.com/ssltest/


26 posted on 04/11/2014 10:57:52 AM PDT by Lake Living

To: topher
One of the arguments made for open source software is that all the extra eyes on the code detect bugs faster. It apparently did not work in this case.
28 posted on 04/11/2014 7:36:49 PM PDT by beef (Who Killed Kennewick Man?)
