thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
[personal profile] thorfinn
Please Share Around: So, you may or may not have heard about "Heartbleed". A significant proportion[1], possibly 2/3rds of all "secure" web servers out there are currently essentially insecure (could be snooped on by anyone on the Internet), and this may have been the case since Mar 2012. The bug was publically announced on 7th of April 2014.

Right now, before you log in to any secure website (has the little lock icon), you should go here: http://filippo.io/Heartbleed

and enter the website name without the http or https bit, to check if the service is vulnerable.

If that doesn't work, try: https://lastpass.com/heartbleed (but that reports a lot of false "maybe"s, so it's not as useful).

If that still doesn't work, for an even more full on SSL test, go here: https://www.ssllabs.com/ssltest/index.html

If the service is reported as vulnerable - DO NOT LOG IN. Go and register a support complaint with that website, point them at http://filippo.io/Heartbleed and http://heartbleed.com/ and wait until they fix the problem. If you do log in and use the website, be aware that your login details (and anything else you send to/from that site) can be stolen by anyone on the Internet. Literally. It is that bad a bug.

Problematically, if you use smartphone apps that connect to a secure service at the back end, many of them may well be vulnerable, but you have no way of knowing. If you know what their website is, go test that, as they may be using the same service to provide their website.

Reliable secure service providers are starting to notify their customers of the situation and recommend changing your password.

If you know a service has been vulnerable to this bug, it is very much in your interest to change your password the moment it is fixed. Now is the time to find a password keeper application to randomly generate new unique passwords for every single site you log in to and store them for you. If you're an Apple only person, the iCloud Keychain is quite good (I'm told) and free, otherwise I highly recommend 1Password ( https://agilebits.com/onepassword ). There are other options for secure password keepers, if people who use other good ones wish to mention them in comments, please feel free.

If you have too many sites to check them all, you might want to prioritise. Here's [personal profile] skud on why You don’t need to change all your passwords.

You can take this one very seriously - Bruce Schneier, pretty much the top person regarding computer security, says '"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.' - https://www.schneier.com/blog/archives/2014/04/heartbleed.html

ETA: A "big sites" hitlist of who you *should* change your passwords with: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

[1] ETA: Something like 6-10% of all sites, judging by this scan - Here's a list of 627 sites that were vulnerable on 8th April: https://github.com/musalbas/heartbleed-masstest/blob/b72a87558bfe37cd40327ec8b72386a2a2b99c69/README.md#627-of-the-top-10000-sites-appeared-vulnerable-on-april-8-1600-utc
From:
Anonymous
OpenID
Identity URL: 
User
Account name:
Password:
If you don't have an account you can create one now.
Subject:
HTML doesn't work in the subject.

Message:

If you are unable to use this captcha for any reason, please contact us by email at support@dreamwidth.org


 
Notice: This account is set to log the IP addresses of people who comment anonymously.
Links will be displayed as unclickable URLs to help prevent spam.

April 2015

S M T W T F S
   1234
567891011
12131415 161718
19202122232425
2627282930  

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags