"After ‘Catastrophic’ Security Bug, the Internet Needs a Password Reset"

[IContainMultitudes]

After ‘Catastrophic’ Security Bug, the Internet Needs a Password Reset | Enterprise | WIRED

I just got finished changing a bunch of my passwords just to be on the safe side (most of them were probably way overdue for changing anyway).

 

[Brent]

Yes we had to patch our servers. Luckily we weren't on SSL before so we weren't vulnerable.

 

[Ereth]

Looks like I'll have to start resetting my passwords . . . darn.

 

[Kari Suttle]

Wait what types of sites is this for? For all sites? I'm confused.

 

[Ereth]

Kari, the article said that this security breach has the potential to affect quite a bit of the Internet at large. Is it something to panic about? No. Should we take appropriate measures to counteract security risks? Yeah, probably.

 

[King_Oni]

The Heartbleed Hit List: The Passwords You Need to Change Right Now

This list should give people an idea about sites of which they should change their passwords. However, I think it's better to be safe than sorry and change them all while you're at it.

 

[Sev]

Wow, this is one heck of a disaster. Thanks for notifying us, I don't check the news to often and probably would have missed this.

 

[Kari Suttle]

Thanks for posting this. Without this I wouldn't have known about it or known what to change.

 

[Ereth]

Thanks, Oni. I don't have to change as many passwords as I thought I did. Whew!

I also found this today:

How to tell if Heartbleed could have stolen your password, and when it’s safe to change it

There are some tools mentioned in the article that people can use to check if a website is vulnerable. I've just installed Chromebleed.

 

[Judge]

It's always good security to change all passwords periodically whether there is a need to or not.

 

[IContainMultitudes]

xkcd: Heartbleed Explanation

 

[Tarragon]

really? That simple an oversight? I've seen it posted on google news that the security agencies have been aware of this bug for years and used it to trawl data. I reckon if this is the case, then someone other than their allies have got wind of this and so it's time to fix the bug. Ah well, paranoia rules!

 

[Ravkrat]

Eh the worst people can do/get from me is some pron..sometimes it's good being broke

 

[dragonwolf]

really? That simple an oversight? I've seen it posted on google news that the security agencies have been aware of this bug for years and used it to trawl data. I reckon if this is the case, then someone other than their allies have got wind of this and so it's time to fix the bug. Ah well, paranoia rules!

A. It probably wasn't "that simple of an oversight." Nearly everything in technology that seems simple to the layman is anything but (ie - the inner workings are by no means simple, even if the end result appears to be so).

B. OpenSSL is a very large open source project. That means there are potentially thousands of pairs of eyes that look at it at any given time, and anyone who wants to can download the source code and tinker with it. This is actually what makes it so secure (because bugs are found, fixed, and submitted through a code review process by anyone who wishes to help out). It also means that the odds of any one person or group finding something of this magnitude and being able to sit on it for years, if not decades, is pretty much nil, because if one person finds it, someone else will, too.

(Side note -- I can't tell if you, Tarragon, actually believe what you've written, so this goes off the assumption that you do. If you don't, then this is then simply for those who may have seen the statement you were referring to and actually believe it, or otherwise don't understand how stuff like this works.)

 

[Tarragon]

The cartoon illustrated a simple programming error. Perhaps the real big was more complicated, but if it wasn't it was an error you'd expect a schoolboy programmer to make rather than someone designing a secure protocol!