Quote:
Originally Posted by Rambler1
If there really is a major flaw in the encryption used by many sites, wouldn't it make sense to wait at least a few days to change all your passwords to give the sites a chance to upgrade their software?
Yes. This is a VERY serious vulnerability, especially for things like ecommerce or online poker.
This affects SSL/TLS encrypted connections, which are usually https connections. https connections to websites are encrypted via SSL or TLS to secure the data and prevent attackers from being able to read it in plain text. For sites that used the vulnerable version of OpenSSL, users' connections were not actually secure, and were vulnerable to exploitation. For any site that uses the affected version of OpenSSL, has heartbeat enabled, and doesn't update its systems, any users that connect will not truly have a secure SSL/TLS connection and are vulnerable to exploitation. It also affects applications like Tor or poker clients which rely on SSL or TLS to secure the network connections.
I strongly urge people to not do anything financial on the internet for the next week, minimum, to give providers time to fix the problem. Additionally, for any site you use that uses https, check to see if their servers are vulnerable before using the site with an online scanner such as this one, which was previously posted:
http://filippo.io/Heartbleed/
Or this one:
http://rehmann.co/projects/heartbeat/
The steps providers and users need to take are these:
- provider update OpenSSL
- provider get new public/private key pair
- provider update SSL certificate
- provider & users change all passwords