Bramblethorn (Sleep-deprived) - Joined Feb 16, 2012 - Posts 16,660
For those who haven't already seen, there's a hideous bug in one of the common implementations of SSL (used to keep your web traffic secure... when it works). The bug was present in code for a couple of years. It's unknown whether any of the Bad Guys were aware of this before it was publicly announced, but they certainly know now and you can bet they're scrambling to take advantage of it.
I'm not an IT security pro, but there's a good summary of the issue here.
For those who aren't running websites themselves, some things to do:
Use this tool to check the security of any website that has confidential information of yours. If they're vulnerable, nag them to fix it ASAP. (NB: in some jurisdictions it may be illegal to use tools to test for vulnerabilities, because lawmakers are idiots.)
NB: The tool above only checks whether they're currently using a vulnerable version of SSL. If they have updated but were previously vulnerable, it's possible that their security certificates were compromised; if this is the case they'll need to update certificates. (You should be able to check the issue date of a certificate via your browser; here's how to do it in Firefox and IE.)
If you're using Chrome, make sure your preferences are set to check for revoked certificates (see first link above for instructions). Unfortunately this is off by default in Chrome; I think FF and IE have it on by default.
Once the site and certificates check out OK and NOT before, change your passwords. Until then, avoid transmitting anything you want to keep secret.
Keep an eye out for any signs of unauthorised activity on bank accounts etc.
Watch out for phishing scams: you may well get emails saying "your password has been compromised, click here to reset it". Don't fall for it. Type in the website address yourself.
Be very nice to anybody you know who is in IT security; they're having a bad week.
(And if I have any of this info wrong, please correct me!)
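The "check the issue date of the certificate" step above can be automated. The script below is an added example, not part of the original post or any tool it links to: it classifies a server certificate by whether its validity period starts before or after the public disclosure date of the bug (7 April 2014), using only the Python standard library. The certificate dicts in `SAMPLE_CERTS` are constructed for the example and do not describe real sites; `fetch_peer_cert` is an assumed helper name for the live lookup.

```python
import socket
import ssl
import time

# Heartbleed was publicly disclosed on 7 April 2014. A certificate whose private
# key sat on a vulnerable server before that date may have been exposed, so a
# site that patched should also have reissued its certificate after that date.


def parse_cert_time(text):
    """Parse the 'notBefore'/'notAfter' strings that getpeercert() returns
    (e.g. 'Apr 10 09:30:00 2014 GMT') into seconds since the Unix epoch."""
    return ssl.cert_time_to_seconds(text)


DISCLOSURE_TS = parse_cert_time("Apr  7 00:00:00 2014 GMT")

# Constructed sample certificates (assumed names, not real sites) in the dict
# shape ssl.SSLSocket.getpeercert() produces; only the fields used here appear.
SAMPLE_CERTS = {
    "unrotated": {
        "subject": ((("commonName", "bank.example"),),),
        "notBefore": "Mar  1 00:00:00 2013 GMT",
        "notAfter": "Mar  1 00:00:00 2015 GMT",
    },
    "reissued": {
        "subject": ((("commonName", "shop.example"),),),
        "notBefore": "Apr 10 09:30:00 2014 GMT",
        "notAfter": "Apr 10 09:30:00 2016 GMT",
    },
    "expired": {
        "subject": ((("commonName", "old.example"),),),
        "notBefore": "Jan  1 00:00:00 2012 GMT",
        "notAfter": "Jan  1 00:00:00 2014 GMT",
    },
}


def assess_certificate(cert, now=None):
    """Classify a certificate dict relative to the disclosure date.

    Returns one of:
      'INVALID_PERIOD'          - 'now' is outside the validity window
      'PREDATES_DISCLOSURE'     - issued before the bug was public, so it may
                                  never have been rotated after patching
      'ISSUED_AFTER_DISCLOSURE' - issued after disclosure (necessary, though
                                  not sufficient, evidence of a rotation)
    """
    now = int(time.time()) if now is None else now
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return "INVALID_PERIOD"
    if not_before < DISCLOSURE_TS:
        return "PREDATES_DISCLOSURE"
    return "ISSUED_AFTER_DISCLOSURE"


def common_name(cert):
    """Pull the subject commonName out of the nested tuple structure."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Assumed helper: open a validated TLS connection and return the
    server's certificate as a getpeercert() dict."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    # Evaluate the constructed samples as of 12 April 2014, days after disclosure.
    as_of = parse_cert_time("Apr 12 00:00:00 2014 GMT")
    for label, cert in SAMPLE_CERTS.items():
        print(f"{label:10} {common_name(cert):15} {assess_certificate(cert, now=as_of)}")
    # Any hostnames on the command line are checked live, as of the current time.
    for host in sys.argv[1:]:
        cert = fetch_peer_cert(host)
        print(f"{host:26} {common_name(cert):15} {assess_certificate(cert)}")
```

Two caveats match the post's own advice: an issue date after disclosure shows the certificate was reissued, not that the private key was changed, and this check says nothing about revocation, which is what the Chrome preference mentioned above controls and what the standard library does not query.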