
SoylentNews is people

posted by janrinok on Thursday April 10 2014, @09:45PM
from the security-is-important dept.

After reporting the problems with OpenSSL, which has been nicknamed 'HeartBleed', 2 contributors have forwarded articles on why you should change your passwords.

Heartbleed, and why you should change your password

I always believed Mojang would keep my details safe; now I realise they are not in control of their own data. Mojang/Minecraft passwords should be changed immediately.

Heartbleed Bug: Change All Your Passwords

The fallout from the Heartbleed bug is hitting the mainstream. The BBC has an article headlined "Public urged to reset all passwords".

Bruce Schneier calls it "catastrophic", giving this advice to sysadmins: "After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected." He also links to a webpage that will let you test servers for the bug, and an article on Ars Technica discussing the bug.

 
This discussion has been archived. No new comments can be posted.
  • (Score: 2, Informative) by tomtomtom on Thursday April 10 2014, @10:53PM

    by tomtomtom (340) on Thursday April 10 2014, @10:53PM (#29752)

    Is there a list/way of checking for sites/servers which *were* exposed to the bug, but have now fixed it? If they are still exposed to the bug, I can stop using them but if they aren't then what I really want to know is if I need to change my password if they're not affected. Sort of like Have I been Pwned? [haveibeenpwned.com] but for this bug.

  • (Score: 3, Informative) by mattie_p on Friday April 11 2014, @12:11AM

    by mattie_p (13) on Friday April 11 2014, @12:11AM (#29777)

    As I posted elsewhere, check out this site [filippo.io] to test sites you use.

    • (Score: 1) by tomtomtom on Friday April 11 2014, @08:30AM

      by tomtomtom (340) on Friday April 11 2014, @08:30AM (#29918)

      Unfortunately that one only tells you if they are *currently* vulnerable, not if they previously looked like they were, unless I'm missing something. For example, putting in www.soylentnews.org says "All good, www.soylentnews.org seems fixed or unaffected!" i.e. it only talks about how it responds now. Still useful, since that means it's safe to change passwords on that site, but not what I was hoping for.

  • (Score: 1) by Bob The Cowboy on Friday April 11 2014, @02:32AM

    by Bob The Cowboy (2019) on Friday April 11 2014, @02:32AM (#29817)

    Unfortunately, the bug has been in the wild for 2 years or so. A site could have been exposed and patched (perhaps unknowingly, maybe even switched to another OS version) before this made headlines, so there would still be a vulnerable window where a bad actor could have been able to exploit. You should pretty much assume that any site that uses SSL could have been affected.