Hey guys I just logged into my computer and this warning came up saying heartbleed bug? Apparently some sites are unsafe and our passwords are at risk? People can get into our credit cards? I'm really worried... Has anyone else got a warning? What have you done about it?
It's SSL heartbleed which endangers sites using OpenSSL. Troy Hunt: Everything you need to know about the Heartbleed SSL bug
^No, it's a bug that was found in the security software of many servers. Doesn't mean don't log in. Just means you're gonna want to change your password asap.
I have like a gazillion ones... Well apparently my bank and amazon aren't susceptible. Maybe ebay I might go change and my yahoo mail...
And only on sites that use versions of OpenSSL that were released in the last two years (and not even all of them.) Which still means roughly 3/4 of the Web. And, although passwords and credit cards are bad enough, that's just fish... The fishing rod is that a hacker can get private keys to SSL certificates and use them to set up all kinds of attacks, up to and including Stuxnet-style trojans, which stayed undetected because they were signed with stolen keys from legit hardware manufacturers. Only this time around a hacker doesn't need to be whatever major intelligence agency wrote them, he just needs one unpatched server... So, that lock icon or that driver certificate won't mean what they used to mean for quite a while...
Most reputable providers (including our ISP) updated their servers within a few hours of the bug being reported. You should still change passwords out of an abundance of caution, but the exploit was not widely known, and once discovered, major providers (Google, Facebook, cloud providers) were made aware of the bug and fixed it before a public announcement was made. So for the most part, things should be pretty safe at this point if you stick with major companies... and within a few days, I think just about every server on the Net will likely have been updated.
As far as widely-used services by major Internet companies go, probably yes... And I expect them to eventually do the right thing and re-certify too, just in case. But would every Boondocks Banking Co. and Obscure Semiconductor LLC be as prompt? (and if I was the bad guy in it for the money or a spy those would be my prime targets, not Yahoo or Google. Same reward, much less risk.)
How do you know when a website has fixed the problem on their end so you know it's safe to change your password?
It was a TLS heartbeat read overrun that is found in OpenSSL versions 1.0.1 to 1.0.1f. It was fixed in 1.0.1g. An attacker could use the buffer overrun to read up to 64K of secret data from a web server. It is possible that some SSL private keys may have been compromised, and attackers were able to either impersonate the organization running the website and/or to steal private information like user credentials and financial information. We do not know the scope of the compromise.
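Added here to illustrate the read overrun described in the post above; this is a constructed model, not OpenSSL's code or the poster's. It shows the heartbeat handler before and after the 1.0.1g check, run against a constructed request whose claimed payload length exceeds what was actually sent. The function names, the 128-byte arena and the secret placed after the record are assumptions made up for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Heartbeat layout: type (1 byte), payload length (2 bytes, big-endian), payload,
 * then at least 16 bytes of padding. The length field is sent by the peer;
 * rec_len is the true record length known to the TLS record layer. */
#define HB_PADDING 16
/* Pre-1.0.1g: the claimed length is trusted, so memcpy reads past the end of the
 * record into whatever follows it (the demo keeps that inside a constructed arena). */
size_t heartbeat_vulnerable(const uint8_t *rec, uint8_t *out)
{
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];   /* response type, echoed length */
    memcpy(out + 3, rec + 3, payload);              /* never compared with rec_len */
    return payload;
}
/* 1.0.1g: silently discard a record whose claimed length does not fit inside it. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* the Heartbleed fix */
    if (1 + 2 + payload + HB_PADDING > out_cap) return -1;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);              /* now provably inside rec */
    memset(out + 3 + payload, 0, HB_PADDING);       /* OpenSSL uses random padding */
    return (int)payload;
}
/* Constructed arena: a 19-byte request with an empty payload that claims 40
 * payload bytes, followed at offset 24 by a secret that was never part of it. */
#define SECRET     "PRIVATE-KEY-BYTES"
#define SECRET_LEN 17
#define REAL_LEN   (1 + 2 + 0 + HB_PADDING)
static uint8_t arena[128];
void build_arena(void)
{
    memset(arena, 0, sizeof arena);
    arena[0] = 1; arena[1] = 0; arena[2] = 40;      /* request, claimed length 40 */
    memcpy(arena + 24, SECRET, SECRET_LEN);
}
/* 1 if the secret appears in the response; patched selects which handler runs. */
int response_contains_secret(int patched)
{
    uint8_t out[128];
    build_arena();
    int n = patched ? heartbeat_fixed(arena, REAL_LEN, out, sizeof out)
                    : (int)heartbeat_vulnerable(arena, out);
    return n > 0 && memcmp(out + 24, SECRET, SECRET_LEN) == 0;
}
```

The unpatched handler echoes bytes it never received, which is the 64K-per-request leak the post describes; the patched one returns -1 and sends nothing.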
Here's a site with a short list of sites affected or not affected: Will changing your password really protect you from Heartbleed? | Mail Online
Man, this is evil... This is why I use hundred-character passwords on my sites that allow it (stupid Microsoft).