Heartbleed - Public Service Announcement


Working in a state office away from my team, and not following any news sites closely, I was out of the loop about Heartbleed until today.  Then I read about it.  And got scared.

xkcd summed it up - "Heartbleed must be the worst web security lapse ever.  .. Worst so far. Give us time."

Basically it's a vulnerability in the SSL/TLS software used on https websites which leaves them essentially wide open to the web.  Any data you transmit to an affected site is NOT secure.  Anyone can read it.  And not only that, but if the affected server doesn't replace its SSL certificates/keys, it continues to be vulnerable, because the private keys may already be out there.  And they never, ever should be.  Yeah, really really messy.

Initial reports indicated that two thirds of SSL sites on the internet could be affected, but it seems to be smaller than that.  Big sites confirmed to be affected included Yahoo, Flickr, Imgur and OkCupid.  From what I've seen so far, local banking sites, eBay and PayPal aren't currently affected, but they may have been in the past, or even yesterday.  I haven't seen many .au sites come up, although I did see vic.gov.au come up.

General advice is: change all your passwords on affected sites that you've accessed recently (the vulnerability is two years old, but there doesn't seem to be any evidence that it was in the wild until the past couple of days... although having said that, exploitation doesn't show up in server logs, so it's possible people have been collecting stuff very quietly).  And then change them again after the site's certificate has been replaced.

There are a couple of test sites around, e.g. http://filippo.io/Heartbleed/ and https://www.ssllabs.com/ssltest/index.html

Fortunately none of our public facing websites at work are affected, so that's a relief!

1 Comment

Aquila said:

Feels good to know that the vulnerability does not exist in Domino ;-)

Just upgraded my NAS to remove the vulnerability from its OS.

April 14, 2014 10:11 PM


Kazza's "Boring Life Of a Geek" aka BLOG

IT geek, originally from Sydney, moved to Canberra in 2007. Married to "the sweetie", aka Stu. Prolific photographer, Lego junkie and tropical fish keeper.
