Passing on Old News

By Keyotea
I know I should check my messages faster.  I am trying to clear them all during my vacation.  Copied and pasted from  :icondecepticonflamewar:

Update 4/11: XKCD explains: xkcd.com/1354/ For those of you nervous about going to XKCD, they don't even encrypt, and Heartbleed operates on an encryption scheme, so I wouldn't worry about it unless you feel like shopping there. 




Some of you may have seen some news fervor relating to something called "HeartBleed," and heard reports of 50-63% of the web being affected, passwords and credit cards being at risk, etc.  I have good news and bad news.

The REALLY bad news is that panicking about this can actually make you MORE vulnerable to it. If you just freak out and go change your passwords on everything, you are actually in more danger than if you left sites you don't visit daily alone. Read along to find a guide to keeping yourself safe.

The mildly bad news is that while a lot of news sources are getting little details wrong, Heartbleed is a real threat to your security. It has been reported on by a number of websites. My favorite off-site writeup on this issue is on Forbes, but I became aware of the issue from an LA Times link and I've heard the NYT has covered it as well. Reputable news sources are backing this.

The good news is that a number of sites, including Forbes, have vetted an online tool that can help you determine if sites you use are vulnerable, and there are easy ways to deal with sites that were never vulnerable, sites that were never down, and sites that are not yet patched. (The main reason I say that Forbes has vetted the tool is that its URL is kinda shady looking).

What is Heartbleed

Heartbleed is a bug that has been sitting for a long time in one of the encryption libraries a lot of websites use. It allows hackers to pull data from sessions. From my understanding they can't pull everything and have little control over what they do pull, but a sophisticated hacker can get passwords, credit cards, and other information from it.

What this means is that if you log in, or apparently even LOG OUT, of a site that isn't patched, your information could be stolen. And possibly already has.
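As an added illustration (not code from this journal, and not OpenSSL's own code), here is a simplified model of the heartbeat exchange behind the bug: the request states how many payload bytes it carries, and the vulnerable handler copies that many bytes back without checking how many bytes actually arrived, so whatever happens to sit next to the request in memory goes out in the reply. The secret in the sample is constructed, and all function and variable names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated process memory (constructed sample): one heartbeat record followed
 * by unrelated data belonging to some other session on the same server. */
#define MEM_SIZE 64
#define RECORD_LEN 5   /* 2-byte claimed length + the 3 payload bytes actually sent */
static unsigned char memory[MEM_SIZE];

/* Layout: claimed payload length 20, real payload "HAT", then a neighbouring secret. */
const unsigned char *build_sample_memory(void)
{
    static const char secret[] = "user=alice;pw=hunter2";   /* constructed sample */
    memset(memory, 0, MEM_SIZE);
    memory[0] = 0x00; memory[1] = 0x14;                     /* claims 20 bytes */
    memcpy(memory + 2, "HAT", 3);                           /* only 3 were sent */
    memcpy(memory + RECORD_LEN, secret, sizeof secret);
    return memory;
}

/* Vulnerable pattern: trusts the length field inside the request. */
size_t heartbeat_reply_unchecked(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    uint16_t claimed = (uint16_t)((rec[0] << 8) | rec[1]);
    (void)rec_len;                  /* the size of the record actually received is ignored */
    memcpy(out, rec + 2, claimed);  /* reads past the record into the neighbouring data */
    return claimed;
}

/* Fixed pattern: the claimed length must fit inside the bytes actually received. */
size_t heartbeat_reply_checked(const unsigned char *rec, size_t rec_len, unsigned char *out)
{
    if (rec_len < 2) return 0;
    uint16_t claimed = (uint16_t)((rec[0] << 8) | rec[1]);
    if ((size_t)claimed > rec_len - 2) return 0;  /* malformed request: discard it */
    memcpy(out, rec + 2, claimed);
    return claimed;
}

int main(void)
{
    unsigned char out[MEM_SIZE + 1] = {0};
    const unsigned char *rec = build_sample_memory();
    size_t n = heartbeat_reply_unchecked(rec, RECORD_LEN, out);
    printf("unchecked: echoed %zu bytes: %s\n", n, (const char *)out);  /* HAT + secret */
    memset(out, 0, sizeof out);
    n = heartbeat_reply_checked(rec, RECORD_LEN, out);
    printf("checked: echoed %zu bytes\n", n);                           /* 0 */
    return 0;
}
```

The reply from the unchecked handler is 20 bytes even though the client only sent 3, and the extra 17 bytes are the other session's data, which is exactly why the attacker gets "whatever is in the right place in memory" rather than a chosen target.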

Honestly, the best writeups I've seen on this issue are here on dA. These guys handle it much better than I have:

IMPORTANT: Change your passwords!
Earlier today, web security experts just discovered a MASSIVE security hole that they're naming "Heartbleed". Read more about it here or here. Heartbleed affects OpenSSL, the most popular software used to encrypt data on the Internet. It's the software that's supposed to keep your usernames, passwords, and credit card information safe from the rest of the world when you log in or buy things.
On affected servers, that means encrypted data is worse than useless: not only can attackers intercept information as if the encryption weren't there, but they can also decrypt any older data that might be sitting around. They can also use these keys to impersonate legitimate websites and fool browser security checks.
There's no way to fix this, besides waiting for servers to

HeartBleed - Why your privacy is currently at risk
THIS IS IMPORTANT. EVERYONE WHO BROWSES THE INTERNET IS AT RISK.
Please take a few minutes to read through this site: http://heartbleed.com/

From the site:
Am I affected by the bug?
You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you


For what it's worth, I can't get to heartbleed's site. Chrome bitches about its certificate.

How to Protect Yourself

A lot of this is going to be more or less lifted from Mewitti's journal, just laid out in a much more pedantic way. I'm sorry for that, but I figure better safe than sorry.

Please follow these steps more or less exactly so you don't shoot yourself in the foot.

1. Check the current status of your site using Filippo's checker AND the GitHub list

The first thing to do is to check the site you want to use through Filippo's checker, which has been vetted by Forbes.

Filippo's checker: filippo.io/Heartbleed/

Please note that Filippo's checker doesn't seem to discern between sites that were never affected and sites that were affected but have since patched things.

Then check the GitHub list, which has popular websites and seems to be from earlier in the crisis. I got a LOT of errors using Filippo's checker!

github.com/musalbas/heartbleed…

2. DO NOT VISIT sites that report a problem through the checker or list until they announce that they have fixed the error.

This is serious. It sounds like any information that goes between your computer and the server can be exposed, unencrypted, if it just happens to be in the right place in memory, so just don't go there. Don't even go in to log out!

3. Change your passwords for sites that are safe.

Even if the site has never been affected, what if you used that password elsewhere? What if you had the same password when the site was using a previous version of SSL that might have been vulnerable? Just change it.

4. Monitor the news closely.

This will make big news soon, and more information about how to protect yourself will not only come out, but start coming from more traditional and reliable news sources. This journal is sort of intended as a patch to help get knowledge out there.

I'll do my best to answer questions, but I'm not really an expert. I'm just good at harvesting information. Let me know if I can help. 

© 2014 - 2024 Keyotea