So, from what I've read this is pretty serious. I've changed quite a few passwords already and still have a few left. Anyone else changing everything just to be sure?
Waiting for some sites to apply the fix first, as changing beforehand just means, if you are being safe, changing them again... So yes, but only as sites update, just in case. Good list here http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ & here https://github.com/musalbas/heartbl...426311f0d20539e696496ed3d7bdd2a94/top1000.txt
I think this whole scare is overblown a bit. What it did was: if someone knew the bug and abused it, then your server might have leaked random parts of memory, which might have contained user cookies, hashes, keys. Now, that sounds kinda serious. Except: 1) someone would have to know that that string e78$csui123 is actually a password, or that the other string is actually the SSL key; 2) you would have to be unlucky for the hacker to get exactly your data; 3) you would have to be unlucky for the hacker to actually be able to identify that that specific password belongs to that specific user, or that that string is the SSL key. And even if someone applied the fix, that doesn't mean they changed the SSL key and regenerated the SSL certs. OK, you can check if they got new certs after 7th April, but you can't be sure the keys were exchanged too. So while you could have been affected, if that happened then someone would have already abused your account information. If it didn't happen until now, it is unlikely to be used later. So you can change your password for your peace of mind, but that is pretty much the extent of it.
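The "new certs after 7th April" check from the post above, written out as an added example (not code from anyone in the thread): it uses only Python's standard library, the hostnames and certificate dates are constructed sample data, and the live-fetch helper is included for checking real hosts.

```python
import calendar
import socket
import ssl

# Heartbleed went public on 7 April 2014 (the date the post refers to); a cert
# whose notBefore predates it cannot reflect a post-disclosure key rotation.
HEARTBLEED_DISCLOSURE = calendar.timegm((2014, 4, 7, 0, 0, 0))

# Constructed sample data in the dict shape ssl.SSLSocket.getpeercert()
# returns; these are not real certificates.
SAMPLE_CERTS = {
    "reissued.example": {"notBefore": "Apr  9 00:00:00 2014 GMT"},
    "stale.example": {"notBefore": "Jan 15 00:00:00 2014 GMT"},
}


def reissued_after_disclosure(cert, disclosure=HEARTBLEED_DISCLOSURE):
    """True if the cert's notBefore is later than the disclosure date.

    ssl.cert_time_to_seconds parses the 'Apr  9 00:00:00 2014 GMT' format
    used by getpeercert(). A True result only shows the cert was reissued;
    it does not prove the private key was regenerated, as the post notes.
    """
    return ssl.cert_time_to_seconds(cert["notBefore"]) > disclosure


def assess(certs):
    """Map each host to a verdict string for a quick review of a site list."""
    return {
        host: "reissued after disclosure" if reissued_after_disclosure(cert)
        else "pre-disclosure cert: check before changing password"
        for host, cert in certs.items()
    }


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch a live server's certificate dict (needs network; not used above)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host, verdict in assess(SAMPLE_CERTS).items():
        print(f"{host}: {verdict}")
```

To review real sites, feed `fetch_peer_cert(host)` results into `assess` in place of the sample dicts.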
^ Quite. A lot of this is corporate ass-covering. I patched anything in my control early last week as it has been on netsec mailing lists since around then.
You can test websites you use for their level of security. https://www.ssllabs.com/ssltest/index.html
Unfortunately you're wrong. Private keys are 'relatively' easy to spot if you find the memory they live in. It's not a matter of having to guess which memory bits are the key. Sure, you need the skills to do it, but it can and WILL be done. This is a genuine issue. The biggest and most far-reaching we've seen since we all became internet-connected people. Don't take it lightly, guys. Here's the REAL risk straight from the source:
If you use Chrome you can install this plugin to alert you: https://chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic
NSA Said to Exploit Heartbleed Bug for Intelligence for Years. http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
Sometimes I question the value of the internet and just how it may be changing the way I think about the world. The first thing I thought about when I read of the Heartbleed bug was whether the NSA/GCHQ knew about it and had used it themselves, and now it seems they have been doing this for years. Becoming so cynical of the world is depressing and makes me wonder if "Ignorance is bliss" was a better way to live.
If they'd been using it for years they'd be a lot more successful than they are. They'll be using it now though.
We wouldn't necessarily know about it or see evidence of their successes. By definition, a lot of successful attempts to spy, hack or farm information are invisible. Invisible successes are a real problem when trying to size up something like this. If, for instance, an enterprising hacker had found this exploit months ago and used it effectively, s/he would - we hope - have used it immediately, defrauding millions ($) from millions (of people). But if s/he was smarter than that, they might've just gradually, carefully siphoned off profit in countless small identity thefts, too small to raise the alarm on the nature of the original security hole. Which is what I'd have done, and I'm not even that smart or a hacker. Likewise for the NSA et al. If they had it and used it, there would be very little immediate evidence of it. If I were in their position I'd farm as much security information and passwords as possible early on and just keep them, to be discreetly used as and when it's most instrumental. That's the scary thing about digital security breaches - when they're done right, they're active and not discovered for years. Sleep tight.