Encryption flaw

04-08-2014 , 09:58 PM
I think this may be the wrong forum for this, but it didn't fit anywhere else and I was interested to hear what tech-savvy people think about this:

http://bits.blogs.nytimes.com/2014/0...e-internet/?hp

If there really is a major flaw in the encryption used by many sites, wouldn't it make sense to wait at least a few days to change all your passwords to give the sites a chance to upgrade their software?

I'm not an expert on this, just an initial thought.

Also, it won't let me edit the thread title, but if there isn't an existing thread on this then a mod should probably change it to something more descriptive.
04-09-2014 , 09:02 AM
Man, that's f'd up...

According to the article, some sites have already dealt with the flaw... So it's ok to change your password on those sites.

But otherwise, yes it would be advisable to wait a couple of days before changing passwords.

However, if you do not intend to change the password immediately you probably shouldn't log in to or use those sites until you are able to safely change the password.
04-09-2014 , 10:20 AM
This is huge news

Gaaaaabe

Come in here and explain what's going on in depth but not SSL layer level depth the one before that and leading up to it
04-09-2014 , 10:22 AM
I told the fiancee to not do any financially related computing today. Is that enough time for the patch to get around?
04-09-2014 , 08:07 PM
Just spotted this thread before making my own on the subject - very surprised there haven't been more replies in about 10 hours!

Upon seeing the alarm on the UK media, I logged onto 2p2 expecting to see stickies in the major forums and PSAs from major poker sites but it looks like there has been neither. Please contribute to either my thread or this one if you know about this sort of thing!
04-09-2014 , 08:34 PM
Is there another thread on this somewhere?

If so, does anyone have the link?
04-10-2014 , 07:35 AM
Quote:
Originally Posted by Chilltown
This is huge news

Gaaaaabe

Come in here and explain what's going on in depth but not SSL layer level depth the one before that and leading up to it
To sum it up:

There's a 2:1 chance that the little padlock that secures your data when you go to a https website meant jack **** for the last 2 years.

Some websites are still susceptible to this - check the website here: https://www.ssllabs.com/ssltest/. If it passes, change the password. If it fails, don't go near the website until they fix it.

Last edited by mahnahmahnah; 04-10-2014 at 07:36 AM. Reason: grammar nit
04-10-2014 , 07:38 AM
Quote:
Originally Posted by Doc T River
I told the fiancee to not do any financially related computing today. Is that enough time for the patch to get around?
Depends - personally I can see some websites taking a couple of weeks to fix this.

The major sites, yes. Although at the time of writing this eBay was still susceptible.
04-10-2014 , 09:04 AM
Quote:
Originally Posted by Rambler1
If there really is a major flaw in the encryption used by many sites, wouldn't it make sense to wait at least a few days to change all your passwords to give the sites a chance to upgrade their software?

Yes. This IS A VERY serious vulnerability, especially for things like ecommerce or online poker...

This affects SSL/TLS encrypted connections, which are usually https connections. https connections to websites are encrypted via SSL or TLS to secure the data and prevent attackers from being able to read it in plain text. For sites that used the vulnerable version of OpenSSL, users' connections were not actually secure, and were vulnerable to exploitation. For ANY site that uses the affected version of OpenSSL and has heartbeat enabled and that doesn't update its systems, any users that connect will not truly have a secure SSL/TLS connection, and are vulnerable to exploitation. It also affects applications like Tor or poker clients which rely on SSL or TLS to secure the network connections.

I strongly urge people to not do anything financial on the internet for the next week, minimum, to give providers time to fix the problem. Additionally, for any site you use that uses https, check to see if their servers are vulnerable before using the site, with an online scanner such as this one, which was previously posted:
http://filippo.io/Heartbleed/

or this one:
http://rehmann.co/projects/heartbeat/

The steps providers and users need to take are these:

- provider update OpenSSL
- provider get new public/private key pair
- provider update SSL certificate
- provider & users change all passwords
04-10-2014 , 10:16 AM
Here is a list of 10k sites that were tested on April 8th:
https://github.com/musalbas/heartble...323.1387563049

To those saying to wait for a patch before changing your password or logging in again: that may not be good enough. Due to this bug it is possible that hackers may be able to steal the private key used to perform the website authentication. Not only do the websites have to patch their services, they also have to renew their keys and update their certificate.
04-10-2014 , 10:21 AM
Quote:
Originally Posted by mahnahmahnah
To sum it up:

There's a 2:1 chance that the little padlock that secures your data when you go to a https website meant jack **** for the last 2 years.

Some websites are still susceptible to this - check the website here: https://www.ssllabs.com/ssltest/. If it passes, change the password. If it fails, don't go near the website until they fix it.
Well this was a good summary and I get it all now

Now wtf is OpenSSL and how does that relate to this in your words?
04-10-2014 , 10:36 AM
Quote:
OpenSSL is an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements the basic cryptographic functions and provides various utility functions. Wrappers allowing the use of the OpenSSL library in a variety of computer languages are available.
http://en.wikipedia.org/wiki/Openssl

Quote:
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols which are designed to provide communication security over the Internet.[1] They use X.509 certificates and hence asymmetric cryptography to assure the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for data/message confidentiality, and message authentication codes for message integrity and as a by-product, message authentication. Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging, and voice-over-IP (VoIP). An important property in this context is forward secrecy, so the short term session key cannot be derived from the long term asymmetric secret key.
http://en.wikipedia.org/wiki/Transport_Layer_Security


Microsoft has their own implementations of SSL/TLS, and in contrast to OpenSSL they are closed source. We know about this flaw in OpenSSL because it is open source, meaning the source code is open for anyone to view, and security researchers from the community were able to find the flaw. Microsoft's software is closed source so you just have to trust them to ensure security without any community assurance. What this means is that there may be similar vulnerabilities in Microsoft servers that no one knows about.
04-10-2014 , 12:55 PM
so i remember from back when gmail started to offer https that the primary concern was if i was transmitting data on an unsecured wifi or something, and someone used that to intercept my data, i'd want to use https so they wouldn't be able to read it. does that seem vaguely right? so now, let's say i'm someone that uses a wired router - where is my security risk by not using https? that someone at the cable company will see my data or something? in other words, how are people using this vulnerability actually able to get my password?
04-10-2014 , 01:54 PM
Heartbleed test extension for Chrome (Chromebleed).

http://www.slashgear.com/heartbleed-...-bay-09324466/
04-10-2014 , 04:31 PM
Quote:
Originally Posted by wahoo3
so i remember from back when gmail started to offer https that the primary concern was if i was transmitting data on an unsecured wifi or something, and someone used that to intercept my data, i'd want to use https so they wouldn't be able to read it. does that seem vaguely right? so now, let's say i'm someone that uses a wired router - where is my security risk by not using https? that someone at the cable company will see my data or something? in other words, how are people using this vulnerability actually able to get my password?
If you are not using https (under normal circumstances) then anyone anywhere on the Internet can read what you are doing as the information is transmitted in clear text.

They don't have to be on the same network as you and it doesn't matter if you are on wifi or are wired.

The main concern about using unsecured wifi is that it is a lot easier to listen in on clear text transmissions than if I were in some basement half way round the world trying to listen in on what you were doing.
04-10-2014 , 04:38 PM
Quote:
Originally Posted by Chilltown
Well this was a good summary and I get it all now

Now wtf is OpenSSL and how does that relate to this in your words?
The simplest description is that it is a type of web server. It is open source and therefore free to use, hence it is very popular (around 2/3rds of web sites are vulnerable to this problem).

So any website that is running on OpenSSL is vulnerable to this information disclosure.
04-10-2014 , 05:16 PM
Quote:
Originally Posted by mahnahmahnah
The simplest description is that it is a type of web server. It is open source and therefore free to use, hence it is very popular (around 2/3rds of web sites are vulnerable to this problem).

So any website that is running on OpenSSL is vulnerable to this information disclosure.
Very good. I follow.

...

What's SSL and why is it important to know?
04-10-2014 , 05:16 PM
omg it's this thing?

https://en.wikipedia.org/wiki/Transport_Layer_Security

Ok got it!
04-10-2014 , 06:38 PM
Quote:
Originally Posted by mahnahmahnah
If you are not using https (under normal circumstances) then anyone anywhere on the Internet can read what you are doing as the information is transmitted in clear text.

They don't have to be on the same network as you and it doesn't matter if you are on wifi or are wired.

The main concern about using unsecured wifi is that it is a lot easier to listen in on clear text transmissions than if I were in some basement half way round the world trying to listen in on what you were doing.
so, if you were in some basement trying to listen in to my interaction with an http site, how are you going to intercept what i'm doing in order to read it?
04-10-2014 , 07:34 PM
Simple answer, he's the Clairvoyant.

I had fun using the link in this thread to check various websites.

Last edited by Doc T River; 04-10-2014 at 07:43 PM. Reason: If it were only as easy to check my brain.
04-11-2014 , 06:46 AM
Quote:
Originally Posted by wahoo3
so, if you were in some basement trying to listen in to my interaction with an http site, how are you going to intercept what i'm doing in order to read it?
For almost any website that you visit, your traffic passes through about 20 different routers (run tracert www.google.com to see what I mean) - it is possible to listen in on any of the traffic that passes through those routers, or I can listen to traffic that enters and leaves the website itself.

It really isn't that hard to do... There are lots of free tools on the web, all designed for legitimate purposes, that can be used to do this. There are also tons of legitimate courses and information on the web on how to do this.

It is hard (but not impossible) for me to specifically target you doing this, whereas if we are on the same wifi I can specifically target you with ease.
04-12-2014 , 05:42 PM
Quote:
Originally Posted by mahnahmahnah
If you are not using https (under normal circumstances) then anyone anywhere on the Internet can read what you are doing as the information is transmitted in clear text.

They don't have to be on the same network as you and it doesn't matter if you are on wifi or are wired.

The main concern about using unsecured wifi is that it is a lot easier to listen in on clear text transmissions than if I were in some basement half way round the world trying to listen in on what you were doing.
I was about to correct you and say it probably only affected SSL traffic over a public wifi where someone could sniff your traffic, but apparently anyone can issue a "heartbeat" command and get an affected server to reply with the last 64k of stored memory in unencrypted plaintext, which would include all of the most recent login attempts etc. So it's a safe bet hackers have been doing this to all of the major websites up until they were patched, if they were vulnerable, and parsing the returned memory for account and banking info. Also some more complex stuff like getting the private keys from that block of memory that enable someone to decrypt all SSL traffic, but again, that's probably useless unless the attacker has already compromised someone's connection to the server or the server itself, and you really only need to worry about someone locally decrypting your wireless traffic.

Glad I bothered to look this up. Figure out if the website you're connected to is affected or has been patched, then change your password.

You are mostly wrong about the first line though, unless someone has control over the server you're connecting to, or a server in between, they won't be able to just grab your traffic. You'd either have someone that knows your IP address already hacked into your computer with a piece of malware like a keylogger or some other program, or they'd have to be sniffing your wireless traffic.

Last edited by weevil; 04-12-2014 at 05:54 PM.
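
The over-read behind the "heartbeat" reply discussed in the post above, as an added toy model in C (not OpenSSL's code and not written by anyone in this thread). The function names, the buffer layout and the neighbouring "session data" are constructed for illustration; the message layout (1-byte type, 2-byte length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_PADDING 16 /* minimum padding required by RFC 6520 */

/* Echo handler that trusts the sender's claimed payload length (the bug). */
size_t hb_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    (void)rec_len; /* the received length is never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (rec[0] != HB_REQUEST || claimed > cap) return 0;
    memcpy(out, rec + 3, claimed); /* may read past the message */
    return claimed;
}

/* Fixed handler: drop messages whose claimed length exceeds what arrived. */
size_t hb_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len || claimed > cap) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Constructed demo: a 23-byte message carrying "ping" sits in a buffer
   next to made-up session data; `claimed` is the length field sent. */
size_t demo(int checked, uint16_t claimed, uint8_t *out, size_t cap)
{
    static const char neighbour[] = "user=alice&pass=constructed-example";
    uint8_t mem[128] = {0};
    size_t rec_len = 3 + 4 + HB_PADDING;
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8); mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + rec_len, neighbour, sizeof neighbour - 1);
    return checked ? hb_checked(mem, rec_len, out, cap)
                   : hb_vulnerable(mem, rec_len, out, cap);
}

int main(void)
{
    uint8_t a[64], b[64];
    printf("vulnerable: %zu bytes, checked: %zu bytes\n",
           demo(0, 40, a, sizeof a), demo(1, 40, b, sizeof b));
    return 0;
}
```

With a claimed length of 40 against a 4-byte payload, the unchecked handler's reply carries 20 bytes of the neighbouring data, while the checked handler discards the message and still answers an honest 4-byte request.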
04-12-2014 , 11:20 PM
^ that was my understanding. how does someone read data passing through a server they don't own? i especially don't know how freely available software anyone owns could do this. but i admit i could be mistaken. though admittedly this point is somewhat separate from the heartbleed vulnerability, but my question was spawned from before i knew what heartbleed did and now i'm just curious.
04-12-2014 , 11:58 PM
Quote:
Originally Posted by catsec
http://en.wikipedia.org/wiki/Openssl


http://en.wikipedia.org/wiki/Transport_Layer_Security


Microsoft has their own implementations of SSL/TLS, and in contrast to OpenSSL they are closed source. We know about this flaw in OpenSSL because it is open source, meaning the source code is open for anyone to view, and security researchers from the community were able to find the flaw. Microsoft's software is closed source so you just have to trust them to ensure security without any community assurance. What this means is that there may be similar vulnerabilities in Microsoft servers that no one knows about.
Quote:
Originally Posted by mahnahmahnah
The simplest description is that it is a type of web server. It is open source and therefore free to use, hence it is very popular (around 2/3rds of web sites are vulnerable to this problem).

So any website that is running on OpenSSL is vulnerable to this information disclosure.
It is my understanding that this issue has been around for a couple of years. So anyone can look at the code and 2/3 of websites use it, yet it took years for it to come out in the open.

Really?