Heartbleed Bug - Are You Safe?

NippleMuncher (Masticatus Nipplicanis)
Joined Apr 3, 2003 | Posts 4,150
Here are three links to help you figure out if the sites you frequent are safe and whether or not you need to change your passwords.

LastPass Password Manager will automatically log you in to any websites that you use frequently, instead of having to manually type in passwords with each visit. Highly recommended by all users of it. It is worth checking out.

If you are unaware of the Heartbleed bug this link will tell you about it and how it affects you.

Lastly, LastPass has a free site checker tool to see if the sites you use have the bug fixed or not. Some have, some have not, some were never affected.

Here are the links:


LastPass Password Manager

About Heartbleed

LastPass Heartbleed checker tool
 
Thanks, Nipply, I appreciate the help learning about this. You're a good guy.:kiss:
 
I've changed some passwords, but I've wondered if it was necessary.

That's the great thing about the last link, it tells you what's safe and what isn't. I've also learned that if the prefix of the website, the http part, ends with an "S", then it's the updated, bug-free version. I think that's how it was explained to me.


Thanks, Nipply, I appreciate the help learning about this. You're a good guy.:kiss:

Hey, gotta watch out for my peeps! ;):D You're welcome, hopefully this info will help more than a few people stay safe. :cool:
 
FYI - The "About Heartbleed" link appears to be broken, probably due to an update.

Thanks for sharing the info Masticator de Nipplage.
 
Thanks, Night..

I'm hesitant to trust the list entirely because it was based on self-reporting of the companies contacted. I called Groupon this past year to let them know that my credit card number was stolen from their site. It was the only place I'd ever used the credit card that I had owned for about a year and 12+ purchases were made on it within 48 hours of the Groupon purchase.

They assured me that I was wrong (without agreeing to investigate the situation) because "we have a state of the art security system"

So when they say that they weren't vulnerable.. yanno..

That being said.. I'm headed right now to change my passwords!
 
thanks, NM!

GLG, you should lodge a complaint with Groupon. The way to treat your customers is not to dismiss their concerns!

ed
 
I believe that's incorrect about the http v https, Nip.

That is entirely possible, I am not a techie, I can only offer the links which should have all the info you need.


FYI - The "About Heartbleed" link appears to be broken, probably due to an update.

Thanks for sharing the info Masticator de Nipplage.

It should be fixed now. Looks like Lit truncated a long link, so they have all been turned into buttons.


thanks, NM!

You're welcome. :cool:
 
I've seen LastPass mentioned before, but I'm wary about putting all of my eggs in someone else's basket, you know?
 
I believe that's incorrect about the http v https, Nip. My understanding is that until the service advises they have patched it, there is no point updating your password. You would have started to receive emails about it. I have had emails from gmail, pinterest, instagram for example, advising that they have patched and you need to change your password. Many have fixed the problem, many haven't. Until they have, there is no point updating your password/s.

Seconding this. https means that the site is supposed to be secure, but on its own it doesn't tell you whether they're using a vulnerable version of SSL.

BTW, can I double-check that you got an email from Google saying to patch? I haven't seen anything like that on my gmail accounts.
 
BTW, can I double-check that you got an email from Google saying to patch? I haven't seen anything like that on my gmail accounts.

This is not about us patching - it is about the companies patching their server software.

We need to change our passwords - but this is only effective for the sites that have patched their software. If they have not patched yet then you are still vulnerable.

Have a look at my previous post in this thread
 
Here is a list of websites affected by the bug, and recommendations about changing your passwords.
While this just kinda covers the major websites, i have changed all of my passwords to hopefully be safe :)
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Well, like mentioned above, if the site is still vulnerable, changing your password doesn't make your account on the site not vulnerable. But changing your passwords periodically is good practice anyways.
 
This is not about us patching - it is about the companies patching their server software.

We need to change our passwords - but this is only effective for the sites that have patched their software. If they have not patched yet then you are still vulnerable.

Have a look at my previous post in this thread

Yeah, my brain meant "change password" but my fingers didn't get the message.

However, there may also be a need to patch at the user end; some apps also use OpenSSL. One of the recent (not the latest) versions of Android OS is vulnerable, IIRC.

Also, a lot of places have been updating SSL without revoking their old certificates. That leaves the risk that somebody could have extracted their private key before the patch, in which case the patch doesn't do much good without a certificate change.
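The certificate point above can be checked from the client side. The Python below is an added example, not code from this thread or from any of the linked tools: it pulls the server's certificate with the standard library and flags it if its notBefore date falls before the date the site was patched, because a key that was in a vulnerable server's memory needs to be replaced, not just the software. The default cutoff is the public disclosure date, 7 April 2014; pass the site's own patch date if you know it. The constructed sample certificate in the main block is made up.

```python
"""Flag a server certificate issued before the site's Heartbleed patch.

Added example (not from this thread). A patched server still serving a
certificate issued before the patch may be using a key that was readable
from memory while it was vulnerable; the remedy is a new key, a new
certificate and revocation of the old one.
"""
import datetime
import socket
import ssl
import sys

HEARTBLEED_DISCLOSED = datetime.datetime(2014, 4, 7, tzinfo=datetime.timezone.utc)


def fetch_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate as the dict ssl's getpeercert() produces."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def issued_at(cert):
    """Parse the OpenSSL-style notBefore string into an aware UTC datetime."""
    secs = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.datetime.fromtimestamp(secs, datetime.timezone.utc)


def assess(cert, patched_on=HEARTBLEED_DISCLOSED):
    """Say whether the certificate should have been reissued after patching."""
    issued = issued_at(cert)
    stale = issued < patched_on
    return {
        "issued": issued.date().isoformat(),
        "serial": cert.get("serialNumber"),
        "reissue_needed": stale,
        "verdict": ("issued before the patch date: key may have been exposed, reissue and revoke"
                    if stale else "issued after the patch date"),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        cert = fetch_cert(sys.argv[1])
    else:
        # Constructed sample in getpeercert() format, not a real certificate.
        cert = {"notBefore": "Mar  1 00:00:00 2014 GMT",
                "notAfter": "Mar  1 23:59:59 2016 GMT",
                "serialNumber": "0123456789ABCDEF"}
    print(assess(cert))
```

One caveat: getpeercert() exposes dates and the serial but not the public key, so a certificate reissued with the same key pair would pass this check. If that matters, compare the SubjectPublicKeyInfo of the old and new certificates with a full X.509 parser, and check that the old serial actually appears in the CA's CRL or answers "revoked" over OCSP.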
 
Something that I've recently picked up, as a browser extension, is HTTPS Everywhere - if a site has a more secure, HTTPS version available (and that's an IF), the extension forces your browser to use it automatically. Some websites don't seem to work very well with HTTPS Everywhere installed, but that just seems to be the price of semi-privacy.

If anyone's still interested in it, you can find it here:

https://www.eff.org/https-everywhere

NoScript has a similar functionality:

http://noscript.net/
 
However, there may also be a need to patch at the user end; some apps also use OpenSSL. One of the recent (not the latest) versions of Android OS is vulnerable, IIRC.

Can you please provide links for further information on this particular area.
 
Something that I've recently picked up, as a browser extension, is HTTPS Everywhere - if a site has a more secure, HTTPS version available (and that's an IF), the extension forces your browser to use it automatically. Some websites don't seem to work very well with HTTPS Everywhere installed, but that just seems to be the price of semi-privacy.

If anyone's still interested in it, you can find it here:

https://www.eff.org/https-everywhere

NoScript has a similar functionality:

http://noscript.net/

I use both NoScript and a Cookie blocker, it's a bit of a pain in the ass for general surfing, but, it does keep a good percentage of the spam and annoying ads at bay.
 
Can you please provide links for further information on this particular area.

http://www.itnews.com.au/News/382681,heartbleed-redux-private-ssl-keys-routers-clients-exposed.aspx

Magnifying the Heartbleed problem, it's not just servers that are vulnerable, but also client systems running affected versions of OpenSSL.

Web collaboration company Meldium discovered it is possible to set up a malicious server that can send out bad Transmission Layer Security (TLS) heartbeat packets to clients and extract the contents of their memory.

"We've found that vulnerable clients can actually be made to send hundreds of 16 kilobyte chunks of memory back, making it much easier to explore the client's memory space," Meldium wrote.

Open agents or clients that execute such tasks as previewing links, file sharing apps, identity federation protocols such as OpenID and application programming interface consumers for integration across websites are potentially vulnerable to "reverse heartbleed" if they utilise vulnerable versions of OpenSSL.

...

Billions of devices that use OpenSSL could also be vulnerable to Heartbleed, and these will be harder to remedy.

Networking infrastructure vendor Cisco issued a Heartbleed security advisory covering several of its products, ranging from switches to the Webex Messenger and Jabber clients, to access gateways, Telepresence systems and more.

An unknown number of consumer grade devices such as broadband routers are thought to be vulnerable to Heartbleed, with no patches available. Security commentator Bruce Schneier said for these "an upgrade path that involves the trash, a visit to [retailer] Best Buy, and a credit card isn't going to be fun for anyone."

According to Forbes, Google has acknowledged that Android 4.1.1 is vulnerable to Heartbleed and has distributed patching information to its device partners. Android version 4.1.x is the most popular version of Google's operating system currently, garnering 34 percent market share.

Security vendor Trend Micro has scanned 390,000 apps from Google play, and found 1300 connect to servers vulnerable to Heartbleed. Fifteen of the apps are bank-related, Trend Micro said, and a further 39 used for online payments and another ten are online shopping ones, raising concerns as to customers financial transactions being compromised without notice.
 
I use both NoScript and a Cookie blocker, it's a bit of a pain in the ass for general surfing, but, it does keep a good percentage of the spam and annoying ads at bay.

Disconnect, Ghostery, and HTTPS Everywhere on mine. It's interesting seeing the Ghostery notification box pop up with about two dozen tracking sites when I visit a new page. Literotica is relatively good - as far as I can tell, the only thing they're running is Google Analytics.

Seems like a pretty good mix; I don't think I've ever had a problem caused by those extensions.
 