OpenSSL and the Heartbleed issue

[Corrine]

There is nothing people can do to protect themselves if vulnerable websites are visited until the administrators of those websites have upgraded their software. Then, change your password.

See The Heartbleed Bug, explained - Vox

 

[Corrine]

Just found this. Check sites here: LastPass - LastPass Heartbleed checker.

Also, if you use LastPass, see The LastPass Blog: LastPass Now Checks If Your Sites Are Affected by Heartbleed

 

[Patrick]

I've been using LastPass Premium for over 2 years, so I just changed any affected sites with their password tool.

 

[jcgriff2]

What I don't understand is that the article says the bug opens up system RAM to possible threats of being read.

Is the vulnerability ongoing - even when logged off the SSL site?

Regardless, it would take a long time to upload 4,8,12+ GB RAM.

 

[Corrine]

Aaron posted his understanding of the issue at LzD which you might find helpful: OpenSSL and the Heartbleed issue.

My understanding is that if logged into a service while it was vulnerable, then there is a chance that the password has been harvested.

Here's what Bruce Schneier explained in Schneier on Security: Heartbleed:

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

 

[x BlueRobot]

This is supposedly a list of hostnames for vulnerable websites - https://gist.github.com/dberkholz/10169691

 

[niemiro]

This is supposedly a list of hostnames for vulnerable websites - https://gist.github.com/dberkholz/10169691

That's definitely not all vulnerable websites though. It's a useful list, just people need to be aware that it doesn't list every vulnerable website.

 

[x BlueRobot]

This is supposedly a list of hostnames for vulnerable websites - https://gist.github.com/dberkholz/10169691

That's definitely not all vulnerable websites though. It's a useful list, just people need to be aware that it doesn't list every vulnerable website.

The best method is to use the LastPass Checker, or contact the site staff for a particular website.

 

[x BlueRobot]

A list of the major companies affected as has been listed here, with their comments including if you should change your password and if a patch has been released.

The Heartbleed Hit List: The Passwords You Need to Change Right Now

 

[jcgriff2]

I don't believe that none of the major banks were hit.

 

[x BlueRobot]

Microsoft and Apple weren't affected either.

 

[Corrine]

I don't believe that none of the major banks were hit.

That's because they apparently don't use OpenSSL.