Hi,
Just wanted to ask about this, as I received an email from Norton today stating that 'If you visited a website that uses a vulnerable version of OpenSSL during the last two years, your personal information may be compromised'.
I understand computing a fair bit, and I'm worried that this is incorrect, in that you don't need to have actually visited the site for your information to have been 'leaked'.
If it's a memory leak type of vulnerability, then surely the memory leaked could have any type of info in it, whether you have visited the site or not.
Take the hypothetical example:
Some auth program that uses OpenSSL and had the Heartbleed vulnerability in it.
If that code, when asked to check a password, basically just went through a password file to match the username against each line, then technically the leaked memory could hold the passwords from users higher up in the file that were just read, before it found your record. Or maybe some other kind of situation.
If it's leaked memory, then depending on how the affected program is working, then the leaked memory could be anything, depending on how that program did things.
So, your decision to reset your password should not be based on if you visited the site or not?
Could someone just confirm if this could be true?
Thanks,
Rob D.
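
The hypothetical in the post above, as an added example that is not part of the original post: a toy C model (not OpenSSL code) of a login check that scans a password file, followed by a heartbeat echo that either trusts the length the client claims or checks it against the real payload length. The password file contents, function names and buffer layout are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not OpenSSL code: one buffer stands in for server heap memory
 * that is reused from request to request without being wiped. */
#define HEAP_SIZE 256
static unsigned char heap[HEAP_SIZE];

/* Constructed password file; lookup scans line by line until a match. */
static const char *PASSWD[] = {"alice:wonderland1", "bob:hunter2", "rob:correcthorse"};

int check_login(const char *user, const char *pass) {
    char want[64];
    size_t used = 0;
    snprintf(want, sizeof want, "%s:%s", user, pass);
    for (size_t i = 0; i < sizeof PASSWD / sizeof PASSWD[0]; i++) {
        size_t n = strlen(PASSWD[i]) + 1;
        if (used + n > HEAP_SIZE) break;
        char *line = (char *)memcpy(heap + used, PASSWD[i], n);  /* "read" the line */
        used += n;                      /* the line stays behind in memory */
        if (strcmp(line, want) == 0) return 1;
    }
    return 0;
}

/* Echo `claimed` bytes of a payload that is really `actual` bytes long.
 * Returns bytes written to out, or -1 if the request is dropped.
 * checked=0 trusts the claimed length; checked=1 compares it to the real one. */
long heartbeat(const char *payload, size_t actual, size_t claimed,
               int checked, unsigned char *out, size_t out_cap) {
    if (actual > HEAP_SIZE) return -1;
    if (checked && claimed > actual) return -1;    /* the fix: discard */
    memcpy(heap, payload, actual);                 /* payload lands in reused memory */
    if (claimed > HEAP_SIZE) claimed = HEAP_SIZE;  /* keep the model in bounds */
    if (claimed > out_cap) claimed = out_cap;
    memcpy(out, heap, claimed);
    return (long)claimed;
}

int main(void) {
    unsigned char out[64];
    check_login("rob", "correcthorse");            /* only rob ever logs in */
    long n = heartbeat("hi", 2, sizeof out, 0, out, sizeof out);
    for (long i = 0; i < n; i++) putchar(out[i] >= 32 && out[i] < 127 ? out[i] : '.');
    printf("\nchecked: %ld\n", heartbeat("hi", 2, sizeof out, 1, out, sizeof out));
    return 0;
}
```

In this model only rob logs in, yet the unchecked echo returns bob's record, because the line was read during the scan and left in memory; the checked variant drops the request.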