This is very disturbing.
Feeling insecure yet? How's about that "cloud" storage?
Say Hi to NSA while you're at it...
Another source...
http://securitywatch.pcmag.com/hacking/322453-ssl-bug-threatens-secure-communications
I read about the vulnerability after I changed my password to my Norton account. I stumped the stars in Norton Chat support with a question - Are Norton servers affected? Do I need to worry? So the question remains: Does Norton use OpenSSL and, if they do, have they applied the patch? Given the widespread coverage in the press, a note on the homepage might be appropriate.
Hi, dwlmgold.
Hence my "hope" in my initial reply. Symantec now owns VeriSign's certification authority (CA) side of the business, and a big part of that side of the business is issuing digital certificates for SSL.
Oops! Left out the important part I wanted to say earlier. Here it is. Last I checked, Norton Account's SSL certificate was issued by who else, but VeriSign!
Hi Inquirer,
Just wanted to add that anyone who combines your 2 latest posts understands exactly what is happening....
No further comment....
Best regards,
Hi killyourtv:
Thanks for posting about this. I just heard that Revenue Canada announced a shutdown of their web site today, preventing online filing of tax returns:
Ok chalk me up as stupid, but what does it all mean in practical terms?
Rainbow_2 wrote: Another source...
http://securitywatch.pcmag.com/hacking/322453-ssl-bug-threatens-secure-communications
An update...
Not stupid, Calls. I’ve been trying to wrap my head around it, too.
Anyone know how at risk older passwords/accounts are? I understand the vulnerability has been in the code for a couple of years, but are all passwords at risk or just those that have been used recently? (Thinking about my poor, neglected Tumblr account that I haven’t used in 8 months, for example.)
Heartbleed Fallout: Change All Your Passwords
From bbc.com/news/technology re changing passwords:
Heartbleed Bug: Public urged to reset all passwords
I’m more concerned with bank logins.
Read something that said even if you change password, you are still at the mercy of the site as to if they fix the leak.
Good God.
All of this is such a mess. And by this I mean the internet.
Not enough that you keep your own PC secure. Now you have to worry about companies falling down on the job (Target) and other lax security.
And then banks have the nerve to promote sending a check image for deposit over your smart phone.
Hi Calls,
Yes. As far as I understand, changing your password is pointless if the site(s) in question haven’t applied the patch.
Cnet has a new article with a link to a site that can test servers for Heartbleed vulnerability.
Also, these links I gave above contain links to websites where you can test a server's vulnerability:
Heartbleed Fallout: Change All Your Passwords (post/Message #11)
"Who's Vulnerable?
It's true that not all of your secure sites are vulnerable, though experts estimate that as many as two-thirds of all servers may have the bug. You can check any particular domain using this test. The test offered by LastPass gives even more information. For example, a site that uses OpenSSL and regenerated its security certificates in the last two days may well have been vulnerable before."
Heartbleed Bug: Public urged to reset all passwords (post/Message #13)
"Several security firms and independent developers have published online tests to help the public discover if the services are still exposed."
Rainbow_2 wrote: You can check any particular domain using this test. The test offered by LastPass gives even more information. For example, a site that uses OpenSSL and regenerated its security certificates in the last two days may well have been vulnerable before."
I tried the Heartbleed Test site suggested by Rainbow_2 at http://filippo.io/Heartbleed/ and here's an example of the result I see when I enter the URL for the login page for my online brokerage at TD Waterhouse.
Now that I've confirmed that the website is fixed (or was never affected), it should be safe for me to change my login password and continue using the site.
As roane mentioned in message # 16, it's pointless changing your password on a "secure" https:// website until you've confirmed that the OpenSSL patch has been applied on the server.
EDIT:
TD Waterhouse just posted the following message on their WebBroker login page that confirms that their site is safe to use. I hope other https:// sites will be posting similar instructions for their customers in the coming days.
-----------
MS Windows 32-bit Vista Home Premium SP2 * Firefox 28.0 * IE 9.0 * NIS 2013 v. 20.4.0.40
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS
Well, I went to LastPass and entered Norton.com. And I don't like what I'm seeing.
LastPass:
The SSL certificate for norton.com valid 12 months ago at Apr 23 00:00:00 2013 GMT. This is before the heartbleed bug was published, it may need to be regenerated.
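
The two checks discussed in this thread (is the server confirmed patched, and was its certificate issued before the bug was published) can be combined into one verdict. The following is an added example, not code from any poster or from the LastPass or filippo.io tools. The function names and the disclosure date of 7 April 2014 are assumptions that do not appear in the thread.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: public disclosure date of Heartbleed (not stated in the thread).
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_not_before(not_before: str) -> datetime:
    """Parse an OpenSSL-style date such as 'Apr 23 00:00:00 2013 GMT'."""
    seconds = ssl.cert_time_to_seconds(not_before)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def fetch_not_before(host: str, port: int = 443) -> str:
    """Read notBefore from a live server's certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notBefore"]


def assess(not_before: str, patch_confirmed: bool) -> str:
    """Return a verdict from the certificate date and the patch status."""
    if not patch_confirmed:
        # Changing a password on an unpatched server can expose the new one too.
        return "wait: server not confirmed patched"
    if parse_not_before(not_before) < HEARTBLEED_DISCLOSED:
        # Not proof of exposure: the server may never have run affected OpenSSL.
        return "caution: certificate predates disclosure, may need regenerating"
    return "ok: patched and certificate issued after disclosure"


# Constructed sample inputs; only the first date string appears in the thread.
SAMPLES = [
    ("Apr 23 00:00:00 2013 GMT", True),
    ("Apr  9 00:00:00 2014 GMT", True),
    ("Apr  9 00:00:00 2014 GMT", False),
]

if __name__ == "__main__":
    for not_before, patched in SAMPLES:
        print(f"{not_before!r} patched={patched} -> {assess(not_before, patched)}")
```

`fetch_not_before` is not called by the samples; pass its result to `assess` together with the outcome of a separate patch test to check a live site.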