http://arstechnica.com/security/201...opens-two-thirds-of-the-web-to-eavesdropping/ The above is just a snippet... but all I can say is DAYUM!
Some links for testing SSL sites for the vulnerability. (Make sure whatever site you intend to update a password on is "safe" before changing it.)
http://filippo.io/Heartbleed/
http://rehmann.co/projects/heartbeat/
http://possible.lv/tools/hb/
https://www.ssllabs.com/ssltest/
More information (in regards to server administrators etc., sent from CAcert.org):

What to do?
===========
Ensure that you upgrade your system to a fixed OpenSSL version (1.0.1g or above). Only then create new keys for your certificates. Revoke all certificates which may be affected.
Check what services you have used that may have been affected within the last two years. Wait until you think that those environments got fixed. Then (and only then) change your credentials for those services. If you do it too early, i.e. before the sites got fixed, your data may be leaked again. So be careful when you do this.
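The CAcert note above prescribes an order: fixed library first, new key and certificate second, new passwords last. The following is an added example (not code from the thread or from CAcert) that encodes that order as a check; the `openssl version` banner, the patch date and the certificate's notBefore date are assumed inputs supplied by the administrator.

```python
"""Heartbleed remediation-order check.  Added example, not code from the
thread or from CAcert.  Inputs are assumed: the host's `openssl version`
banner, the date the host was patched and the certificate's notBefore date."""
import re
from datetime import datetime

# CVE-2014-0160 affects upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1;
# 1.0.1g is the first fixed release. 0.9.8 and 1.0.0 have no heartbeat code.
_VER_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """'OpenSSL 1.0.1e 11 Feb 2013' -> (1, 0, 1, 'e'); '' means no patch letter."""
    m = _VER_RE.match(banner.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % banner)
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_vulnerable_version(banner):
    """True if the upstream version is in the affected range.
    Caveat: distributions that backport the fix keep the old upstream string
    (a patched '1.0.1e' exists), so on such systems check the package changelog."""
    major, minor, fix, letter = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 2):
        return "-beta1" in banner          # only the first 1.0.2 beta was affected
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter < "g"                    # '' and 'a'..'f' sort before 'g'


def credential_change_advice(banner, patched_on, cert_not_before):
    """Apply the CAcert order: fixed library, then new key and certificate,
    and only then new passwords.  Dates are 'YYYY-MM-DD' strings."""
    if is_vulnerable_version(banner):
        return "WAIT_PATCH"   # still exploitable; a new password could leak again
    patched = datetime.strptime(patched_on, "%Y-%m-%d")
    issued = datetime.strptime(cert_not_before, "%Y-%m-%d")
    if issued < patched:
        return "WAIT_REKEY"   # key existed while vulnerable; treat it as leaked
    return "OK"


if __name__ == "__main__":
    # Constructed sample: patched on 2014-04-08, certificate reissued a day later.
    print(credential_change_advice("OpenSSL 1.0.1g 7 Apr 2014", "2014-04-08", "2014-04-09"))
```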
"Check what services you have used that may have been affected within the last two years." How is that done???
In response, Revenue Canada has closed its on-line Income Tax service until at least the weekend while they check their system.
A great list, Stryder... News came over "the wire", so to speak, about 12 hours ago for me, and they were playing it down big time... I would add one extra item to your list: be prepared for future breaches, perform regular audits, and possibly change credentials 2 weeks or less after the first set are changed, then on an every-3-months sort of schedule [if possible]. Summary of proposal: do as Stryder suggested, then wait 2 weeks and do it again... then do it every 3 months or so... IMO, if the hacks are smart enough to find this weakness they are smart enough to know what the likely reaction will be... so work on the basis that they know what you are going to do as a first reaction to the threat. Gosh! The shi*t's going to hit the fan on this one... IMO
Another good layman's explainer can be found at: http://krebsonsecurity.com/2014/04/heartbleed-bug-what-can-you-do/ snip: Looks like IT security overdrive! Stryder, have you seen this video? http://vimeo.com/91425662
Here's a list (in progress) of the sites where you need to change your password: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ I had already called Fidelity.com and 2 credit card websites and my bank, and they said they weren't affected by Heartbleed, so no need to change passwords because of Heartbleed... but the website linked above said to change your password at Yahoo... and Google talked like it wasn't necessary to change PW!!! Maybe most websites got fixed or will get fixed and "disaster" will be averted!!!
I talked with an Australian major bank's customer services about 3 hours ago and they barely knew of the issue... I gather most banks are confident their various levels of account security should prevent any significant loss. The line is: the banks generally do not use this software, but the data mined from other places may make their customer accounts insecure. However, it may be the loss of confidence of the net user across the board that is the real problem [worth big bucks]. IMO it appears the "powers that be" are concerned about consumer confidence probably more than the actual threat to data. Facebook's huge user list apparently has been wide open for over 3 years... so you can imagine there is a whole heap of worrying going on right now...
Coincidence only, perhaps... speaking about the major bank I mentioned in the previous post: full article at http://www.abc.net.au/news/2014-04-15/commonwealth-bank-customers-hit-by-electronic-banking-outage/5391366?WT.mc_id=newsmail In 5 years of net banking this is the first time... that I am aware of, for this bank.