In case you didn't know - Heartbleed Bug

I know this should be posted on "Chat" but I wanted to be certain others saw it.


"As you’ve probably heard, the Heartbleed bug exposes websites that use a popular encryption technology to malicious attacks, and some of your passwords—and personal data—may well have been compromised. The vulnerable software, OpenSSL, is used to encrypt something like two-thirds of all sites on the web.


Who’s affected?


Github user Mustafa Al-Bassam performed a mass scan for vulnerable sites at 16:00 UTC (noon eastern time) on April 8th. It features over 10,000 websites, and he found that 627 of them were vulnerable to the bug. Yahoo sites (including email and Tumblr) were vulnerable, as was the popular dating site OkCupid.


What you can do now


We recommend searching the list linked above for your email provider, bank, and so on. Keep in mind that many of the sites that were vulnerable yesterday have since fixed their security problem. Check your inbox—if a site you use has been made safe again, they’ll have emailed you to let you know.


If you find yourself about to log in to a page that isn’t on the GitHub list, you can use this open source Heartbleed test to be sure it’s safe. That test attempts to interact with the site and extract a small amount of memory from it, mimicking the actions of a hacker stealing data, and alerts you if the site is vulnerable. If you use Chrome for your browser, you can get an extension that runs the test on command.


If you find that a site is still vulnerable, don’t enter any passwords or data that it doesn’t already have.


Why you need to hold off on changing your password


It’s tempting to freak out and change all your passwords immediately, but there’s no point in doing so before the sites you use are fixed—or else someone could just steal your new password. If one of the sites you use is vulnerable, make sure all other sites you use have unique passwords. (Many hackers will try to get into your other accounts using the one password they’ve found, because they know how lazy we are about coming up with new passwords.) At this point, it’s more prudent to wait for good news first. Once you’ve gotten the okay, take this opportunity to make your passwords extra secure. Or just give up and make them all Password1234."


