Following the disclosure of the OpenSSL bug nicknamed 'Heartbleed', two contributors have forwarded articles on why you should change your passwords.
I always believed Mojang would keep my details safe; now I realise they are not in control of their own data. Mojang/Minecraft passwords should be changed immediately.
The fallout from the Heartbleed bug is hitting the mainstream. The BBC has an article headlined "Public urged to reset all passwords".
Bruce Schneier calls it "catastrophic", giving this advice to sysadmins: "After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected." He also links to a webpage that will let you test servers for the bug, and an article on Ars Technica discussing the bug.
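Schneier's three-step advice (patch, new key pair and certificate, then passwords) is easy to state and easy to get half-done. The following is an added triage helper, not code from the linked articles or from OpenSSL, that turns the advice into two checks an administrator can run against captured command output: whether the version string from `openssl version` falls in the affected range (1.0.1 through 1.0.1f, and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix, and 0.9.8/1.0.0 never had the heartbeat extension), and whether the certificate's `notBefore` date from `openssl x509 -noout -startdate` precedes the 7 April 2014 disclosure, meaning it may still sit on a key that could have leaked. The sample inputs at the bottom are constructed, not taken from any real host.

```python
"""Heartbleed remediation triage on captured `openssl` output (standard library only).

Added example: not code from the page's sources. Sample inputs are constructed.
"""
import re
from datetime import datetime, timezone

# CVE-2014-0160 was publicly disclosed, and OpenSSL 1.0.1g released, on 7 April 2014.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" and "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Parse `openssl version` output into (major, minor, fix, letter, beta).

    `letter` is the patch letter ('' for a bare release, 'e' for 1.0.1e);
    `beta` is the beta number, or None for a final release.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def is_vulnerable_version(text):
    """True if the reported version is in the Heartbleed-affected range:
    1.0.1 up to and including 1.0.1f, plus 1.0.2-beta1. Caveat: distributions
    backport fixes without bumping the version, so True here means 'check the
    package changelog', not 'confirmed vulnerable'."""
    major, minor, fix, letter, beta = parse_openssl_version(text)
    if (major, minor, fix) == (1, 0, 1):
        # Patch letters are single characters in the 1.0.1 series; '' sorts before 'a'.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def parse_not_before(startdate_line):
    """Parse `notBefore=Apr  9 12:00:00 2014 GMT` into a timezone-aware datetime."""
    value = startdate_line.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def cert_predates_disclosure(startdate_line):
    """A certificate issued before disclosure may be bound to a key that leaked;
    patching the library does nothing for that key, it has to be replaced."""
    return parse_not_before(startdate_line) < HEARTBLEED_DISCLOSED


def triage(version_output, startdate_output):
    """Combine both checks into the next remediation step for one host."""
    vuln = is_vulnerable_version(version_output)
    old_cert = cert_predates_disclosure(startdate_output)
    if vuln:
        action = "patch OpenSSL, then generate a new key pair and reissue the certificate"
    elif old_cert:
        action = "library patched, but certificate predates disclosure: new key pair and reissue"
    else:
        action = "patched and certificate reissued after disclosure: rotate affected passwords"
    return {"version_vulnerable": vuln, "cert_predates_disclosure": old_cert, "action": action}


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real host.
    samples = [
        ("OpenSSL 1.0.1e 11 Feb 2013", "notBefore=Mar  1 00:00:00 2014 GMT"),
        ("OpenSSL 1.0.1g 7 Apr 2014", "notBefore=Mar  1 00:00:00 2014 GMT"),
        ("OpenSSL 1.0.1g 7 Apr 2014", "notBefore=Apr  9 12:00:00 2014 GMT"),
        ("OpenSSL 1.0.2-beta1 24 Feb 2014", "notBefore=Jan 15 08:30:00 2014 GMT"),
    ]
    for version, startdate in samples:
        print(version, "|", startdate, "->", triage(version, startdate))
```

Two caveats a practitioner should keep in mind. First, the version check errs towards false positives: Debian and Red Hat shipped patched packages that still reported 1.0.1e, so a "vulnerable" verdict means "confirm via the package changelog or the test page Schneier links", not "exploitable". Second, `notBefore` only proves the certificate was reissued, not that the private key changed; a certificate renewed on the old key after 7 April is still compromised, so the renewal must start from a freshly generated key.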
(Score: 3, Insightful) by J053 on Friday April 11 2014, @02:07AM
You may be entirely correct - the NSA might have MITM capabilities at all Tier1 providers, data centers, etc. That still doesn't mean I want any script-kiddie would-be criminal to be able to snarf my data by hitting a website while I happen to be logged in. I don't trust our Government (or any government, for that matter), but I trust random Internet users even less.
OK - so all your personal data is known to the NSA - really, so what? I know what They (you know, THEM) could do with all that, but what are the odds? If you're a rabid anti-gov activist, or some kind of threat to the powers-that-be, or a spy/drug dealer/Mafioso/whatever, you're justified in being worried about the Gov. watching your packets. For the rest of us, while it *seriously* pisses me off that they are monitoring us as (we've been told) they are, I'm not worried that anyone at NSA is going to run up my credit cards or empty my bank account - if the SSL bug was not fixed, I'd have to worry about that happening by anyone from anywhere.
The (alleged) fact that the NSA is monitoring communications metadata is not a reason not to tighten up our security. In fact, this is a great opportunity to re-do all the root certs out there - maybe move to more sites using self-signed certs; it's harder for the p-t-b to compromise them, and surely we can come up with some way for end-users to confirm that a self-signed (or organizational CA-signed) cert is valid without needing a hierarchical PKI.