What do we Internet users need to know about the Heartbleed Bug, and how should we react?

I run a few servers. Libssl has been upgraded and recompiled apache against the new version. Changed out SSL certs too. Users have been reminded to change passwords.

As a end user I have changed e-mail passwords and passwords for anything that could cause my credit card damage. Not a whole lot else a end user can do.

And I should add that this is just about the worst possible thing from a security standpoint that could possibly happen.

I found this list of tested web sites.

@johnpowell Thank you. Your last sentence is chilling in its simple language with far reaching implications.

It doesn’t look like any of the sites I use are vulnerable according to @johnpowell‘s list. Banking sites appear generally not to be vulnerable, so that’s a relief – same for the couple of sites I’ve given credit card info to, like Amazon (first one I checked). Thanks for the warning, though.

Quick question: since eBay is free from vulnerability, does this also include Paypal (since eBay purchased Paypal quite a while ago.)?

Just tested paypal and it appears fine. That tool is a bit hit and miss but seems right more than wrong.

Keep in mind this bug is over two years old. It has most likely been exploited well before it was cuaght. I can’t stress this enough. Change your passwords right now and at least change them again every week for at least a few weeks.

Dumb question maybe, but what’s the use of changing your password if the new one is equally vulnerable to being downloaded and de-crypted? Surely the crooks will simply read your new password as easily as they read the old one?

Also, can someone who knows how to test this, test www.secondlife.com for me? Please?

Actually, following @downtide‘s question… are the sites described as “not vulnerable” on that list not vulnerable because they had the bug and fixed it? Or were they never vulnerable? I guess that would affect whether I choose to change passwords or not.

@dappled_leaves I don’t think it is possible to tell.

Also, if it is of any consolation, Fluther doesn’t use HTTPS anyways.

@downtide That is why I suggested changing it again at a later date. I’m assuming a lot of people are busy patching this bug right now. Not totally foolproof but it is kinda all we have now.

That vulnerability list johnpowell referred to now contains 1,064 sites. Just about every site with any notable traffic is on the list and all the top shopping sites are there.

@dappled_leaves In the reading I’ve been doing today, I’ve discovered that not all sites on the Internet use OpenSSL that has this terrible vulnerability. Some sites use other security software from other sources and are not vulnerable.

@downtide Not all sites will change their vulnerability status quickly. Change them now, and then change later.

I’m still unclear on if you even need to use SSL to get hit by this. OpenSSL is on pretty much on every server install. A basic blog probably doesn’t have a CA cert, but most likely have OpenSSL installed.

@johnpowell From what little I’ve read, it sounds like it doesn’t matter whether we personally use OpenSSL, it matters whether the sites we have accounts with do. As @Hawaii_Jake said, those sites that have never used OpenSSL sound like they’re perfectly safe. But I do still wonder about the ones that use OpenSSL and now count themselves as “not vulnerable”. Were they vulnerable before, and should we know about that?

I’m looking forward to reading more about this will be forthcoming in the next few days.

Edit: And now that I read your post again, I see that you’re talking about this from the point of view of a developer. It’s a good question.

Openssl ships on all Macs. It is actually what I use to generate passwords.

johns-Mac-Pro:~ johnpowell$ openssl rand -hex 16
9164fa97e0d1f17487c8557db2e08362
johns-Mac-Pro:~ johnpowell$

Luckily I use a different password on every site. The weakest password is actually the one I use to log into my computer sitting on my desk.

It looks like the following popular operating systems shipped with the vulnerability, according to the heartbleed.com website.

Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1–4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)

(Fluther uses Ubuntu 10.04 LTS, which predates the bug).

Ubuntu 12.04.4 LTS is super common. All my servers run it. Fixing the problem only took about 10 minutes per server. But it could be a total mess if you are someone like Yahoo that has tens of thousands of servers to patch.

I will just add this. It simplifies what is happening but does a pretty good job of explaining it.

http://xkcd.com/1354/

@johnpowell many bees in car why.

Heartbleed bug could have been detected long ago
NSA apparently aware of Heartbeed Bug for two years
Go through this article to get

http://www.fluther.com/170692/what-do-we-internet-users-need-to-know-about-the-heartbleed/

I spent part of the weekend changing my passwords for everything… so tedious but I’m glad it’s done.