PSA: Heartbleed Secure Web Vulnerability
2014-Apr-10, Thursday 09:31![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
thorfinnPlease Share Around: So, you may or may not have heard about "Heartbleed". A significant proportion[1] , possibly 2/3rds of all "secure" web servers out there are currently essentially insecure (could be snooped on by anyone on the Internet), and this may have been the case since Mar 2012. The bug was publically announced on 7th of April 2014.
Right now, before you log in to any secure website (has the little lock icon), you should go here: http://filippo.io/Heartbleed
and enter the website name without the http or https bit, to check if the service is vulnerable.
If that doesn't work, try: https://lastpass.com/heartbleed (but that reports a lot of false "maybe"s, so it's not as useful).
If that still doesn't work, for an even more full on SSL test, go here: https://www.ssllabs.com/ssltest/index.html
If the service is reported as vulnerable - DO NOT LOG IN. Go and register a support complaint with that website, point them at http://filippo.io/Heartbleed and http://heartbleed.com/ and wait until they fix the problem. If you do log in and use the website, be aware that your login details (and anything else you send to/from that site) can be stolen by anyone on the Internet. Literally. It is that bad a bug.
Problematically, if you use smartphone apps that connect to a secure service at the back end, many of them may well be vulnerable, but you have no way of knowing. If you know what their website is, go test that, as they may be using the same service to provide their website.
Reliable secure service providers are starting to notify their customers of the situation and recommend changing your password.
If you know a service has been vulnerable to this bug, it is very much in your interest to change your password the moment it is fixed. Now is the time to find a password keeper application to randomly generate new unique passwords for every single site you log in to and store them for you. If you're an Apple only person, the iCloud Keychain is quite good (I'm told) and free, otherwise I highly recommend 1Password ( https://agilebits.com/onepassword ). There are other options for secure password keepers, if people who use other good ones wish to mention them in comments, please feel free.
If you have too many sites to check them all, you might want to prioritise. Here'sskud on why You don’t need to change all your passwords.
You can take this one very seriously - Bruce Schneier, pretty much the top person regarding computer security, says '"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.' - https://www.schneier.com/blog/archives/2014/04/heartbleed.html
ETA: A "big sites" hitlist of who you *should* change your passwords with: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
[1] ETA: Something like 6-10% of all sites, judging by this scan - Here's a list of 627 sites that were vulnerable on 8th April: https://github.com/musalbas/heartbleed-masstest/blob/b72a87558bfe37cd40327ec8b72386a2a2b99c69/README.md#627-of-the-top-10000-sites-appeared-vulnerable-on-april-8-1600-utc
Right now, before you log in to any secure website (has the little lock icon), you should go here: http://filippo.io/Heartbleed
and enter the website name without the http or https bit, to check if the service is vulnerable.
If that doesn't work, try: https://lastpass.com/heartbleed (but that reports a lot of false "maybe"s, so it's not as useful).
If that still doesn't work, for an even more full on SSL test, go here: https://www.ssllabs.com/ssltest/index.html
If the service is reported as vulnerable - DO NOT LOG IN. Go and register a support complaint with that website, point them at http://filippo.io/Heartbleed and http://heartbleed.com/ and wait until they fix the problem. If you do log in and use the website, be aware that your login details (and anything else you send to/from that site) can be stolen by anyone on the Internet. Literally. It is that bad a bug.
Problematically, if you use smartphone apps that connect to a secure service at the back end, many of them may well be vulnerable, but you have no way of knowing. If you know what their website is, go test that, as they may be using the same service to provide their website.
Reliable secure service providers are starting to notify their customers of the situation and recommend changing your password.
If you know a service has been vulnerable to this bug, it is very much in your interest to change your password the moment it is fixed. Now is the time to find a password keeper application to randomly generate new unique passwords for every single site you log in to and store them for you. If you're an Apple only person, the iCloud Keychain is quite good (I'm told) and free, otherwise I highly recommend 1Password ( https://agilebits.com/onepassword ). There are other options for secure password keepers, if people who use other good ones wish to mention them in comments, please feel free.
If you have too many sites to check them all, you might want to prioritise. Here's
skud on why You don’t need to change all your passwords.You can take this one very seriously - Bruce Schneier, pretty much the top person regarding computer security, says '"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.' - https://www.schneier.com/blog/archives/2014/04/heartbleed.html
ETA: A "big sites" hitlist of who you *should* change your passwords with: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
(no subject)
Date: 2014-04-10 05:57 (UTC)Some usual suspects are doing /0 scans over the whole IPv4 space, but those are still ongoing AFAIK.
(no subject)
Date: 2014-04-10 08:54 (UTC)(no subject)
Date: 2014-04-10 14:32 (UTC)And I guesstimate we'll feel the heartbleeding love for the next couple years in the usual long tail.
(no subject)
Date: 2014-04-11 04:20 (UTC)(no subject)
Date: 2014-04-11 19:54 (UTC)A large-ish gov IT-supplier has seen a couple hundred attempts just today, only a handful of which are from said research/consulting companies.
And even my whimpy detector (based on http://www.securityfocus.com/archive/1/531779 ), which just has a /25+/26 routed to it has been seeing ~300 hits since yesterday - sources so distributed through the world that it's very likely to be botnet-based.
I conclude that this is already in mass use. I'm just waiting for the folks setting up proper honeypots to speak up as to usable numbers.