Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google being Google is allowed to issue itself SSL certificates. I believe they used to rely on Thawte.
Well, I went to LastPass and entered Norton.com. And I don't like what I'm seeing.
LastPass:
The SSL certificate for norton.com valid 12 months ago at Apr 23 00:00:00 2013 GMT. This is before the heartbleed bug was published, it may need to be regenerated.
"You can check any particular domain using this test. The test offered by LastPass gives even more information. For example, a site that uses OpenSSL and regenerated its security certificates in the last two days may well have been vulnerable before."
My understanding is that there are two steps to the certification process - an update of the OpenSSL software to the latest v. 1.0.1g (the critical bug fix - see the KrebsOnSecurity article here) and the re-issuing and testing of security certificates for the site (which takes some additional time). My best guess is that the HeartBleed test site checks the status of SSL (the secure sockets layer protocol) on the site, while the LastPass test site provides additional information on the status of the security certificates. An out-of-date security certificate does not necessarily mean that the server uses the OpenSSL encryption protocol or that OpenSSL, if used, has not been patched.
I just re-checked Norton.com on the HeartBleed test site and got the following. I'm not sure if the code for the test site has been changed to improve the detection of data leaks or if there is some other reason why Norton.com is now reported as vulnerable.
----------- MS Windows 32-bit Vista Home Premium SP2 * Firefox 28.0 * IE 9.0 * NIS 2013 v. 20.4.0.40 HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400M GS
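The certificate-date check that the LastPass tester appears to make, written out as an added example (it is not code from the thread, from LastPass or from Norton): it parses a notBefore date in the same text form the tool printed above ("Apr 23 00:00:00 2013 GMT"), flags certificates issued before Heartbleed's public disclosure on 7 April 2014, and mirrors the "regenerated in the last two days" observation with a two-day window. The live lookup in check_host assumes TLS on port 443 and a working network; the classification itself runs offline.

```python
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed was publicly disclosed on 7 April 2014.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)
RECENT_DAYS = 2  # "regenerated in the last two days", as quoted in the thread


def classify_not_before(not_before, now=None):
    """Classify a certificate by its notBefore date.

    `not_before` is OpenSSL's text form, e.g. "Apr 23 00:00:00 2013 GMT",
    which is also what ssl.SSLSocket.getpeercert()["notBefore"] returns.
    `now` defaults to the current UTC time; a fixed value makes the
    result reproducible (used for the assumed test dates below).
    """
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before),
                                    tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if issued < HEARTBLEED_DISCLOSED:
        # Issued while the bug was unknown: if the server ran a vulnerable
        # OpenSSL, the private key may have leaked, so reissue after patching.
        return "issued-before-disclosure"
    if (now - issued).days <= RECENT_DAYS:
        # Freshly reissued: a strong hint the operator was responding to the
        # bug, i.e. the site was probably vulnerable before the reissue.
        return "regenerated-recently"
    return "issued-after-disclosure"


def check_host(host, port=443, timeout=5.0):
    """Fetch the live leaf certificate for `host` and classify it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    not_before = cert["notBefore"]
    return not_before, classify_not_before(not_before)


if __name__ == "__main__":
    # Constructed sample dates, not captured from any real site.
    for sample in ("Apr 23 00:00:00 2013 GMT", "Apr 09 12:00:00 2014 GMT"):
        print(sample, "->", classify_not_before(sample))
```

Note that, as the post above says, a pre-disclosure date only means the certificate should be looked at; it says nothing about whether the server ever ran a vulnerable OpenSSL.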
"You can check any particular domain using this test. The test offered by LastPass gives even more information. For example, a site that uses OpenSSL and regenerated its security certificates in the last two days may well have been vulnerable before."
My understanding is that there are two steps to the certification process - an upgrade of the OpenSSL software to the latest v. 1.0.1g (the critical bug fix - see the KrebsOnSecurity article here) and the re-issuing and testing of security certificates for the site (which takes some additional time). My best guess is that the HeartBleed test site checks the status of SSL (the secure sockets layer protocol) on the site, while the LastPass test site provides additional information on the status of the security certificates. An out-of-date security certificate does not necessarily mean that the server uses the OpenSSL encryption protocol.
I just re-checked Norton.com on the HeartBleed test site and got the following. I'm not sure if the code for the test site has been changed to improve the detection of data leaks or if there is some other reason why Norton.com is now reported as vulnerable.
First of all, I'd like to clarify that what is quoted above, as well as in your post/Message #19:
"You can check any particular domain using this test. The test offered by LastPass gives even more information. For example, a site that uses OpenSSL and regenerated its security certificates in the last two days may well have been vulnerable before."
are not my own words. I was just quoting that part of the article I had linked to in my posts, which gave the links to the websites where to check servers' vulnerability.
That said, from what I read I think you are right about there being two steps to the certification process, but unfortunately my knowledge here is not as good as yours, so I think I'd better not comment on this point.
ISC is reporting the beginning of incoming emails purporting to be from damaged accounts and with links to reset your password ... so note this WARNING
Brace Yourselves (and your Users / Clients) for Heartbleed SPAM
[ ... ]
<<Helpful emails with links in them are in most cases NOT helpful. Don't click that link!
If it's legitimate, and especially this week, by all means browse to the affected site and change your password. That's always a good idea. But following an email link to a password change page is a good way to get your credentials stolen, or a good way to pick up a nice "gift" of malware. >>
Should be aware their data could have been seen by a third party if they used a vulnerable service provider.
Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so.
Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain."
Also an interesting link given in comment (2) by Mick2009 (SYMANTEC EMPLOYEE).
Weird thing about norton.com... I checked it again at http://filippo.io/Heartbleed/ and I got exactly the same result as in my post/Message #22? It would be interesting to know what others get.
Hi Rainbow_2:
I tested Norton.com again at http://filippo.io/Heartbleed/ and now see the same "All Good" result that you reported yesterday in message # 22. I don't know enough about the inner workings of the test to know if the inconsistent results have something to do with the Norton.com site having multiple back-end servers.
The following comment is from the Heartbeat Test FAQ so it's also possible that the "Vulnerable" result I posted in message # 28 was a false positive.
"Update: still, I'm getting consistently reports of unaffected versions going red for one, maybe two time(s) maximum, if it happens repeatedly the site IS vulnerable."
If anyone sees an official statement by Symantec regarding the status of their own servers (especially those used to store encrypted Identity Safe login passwords) I'd appreciate if they could post a link in this thread.
Just out of curiosity, I tried the tester at https://www.ssllabs.com/ssltest/index.html with norton.com. It took 30-40 seconds to report back on 3 servers with inconsistent results & an F grade on one. So on a whim I entered www.ssllabs.com and it came back in less than a second with a list of 5 servers, all ranked A+... Yeah, right.