Topic: WTF??? Heartbleed & lastpass & gmail (Read 1306 times)

Worst than that. The site not only needs to upgrade their software, but also replace their private key and and get a new certificate issued. Many sites are never going to do this (or they will just get a new certificate without creating a new private key, which does not close the hole).

Don't expect anything on the internet to be secure any time soon, if ever. Be careful, especially with coins.

some useful info to be had here and I thank you all for putting your finding here so folks can try and keep up with their security.  Sub'd

There have been numerous articles on this, but causing more confusion. Many give you a link to see if a site is safe or not, but there are several links and they give conflicting results. Also, they say don't change your password until you know the site has been fixed, but no site I've logged onto has said anything.

If you consider that the NSA know about this bug for over than 2 years and they kept it a secret so they can exploit it, but at the same time they kept people exposed to the danger

I'd guess the biggest take-away here is that, again, you absolutely cannot be reusing passwords and shouldn't even be reusing email addresses or usernames (though I'll admit to usually doing the latter). Judging their "security competence" is relevant, but not everything, because, as this vulnerability points out pretty clearly, you need to trust many more entities than just the pen-testers and devs at one particular website -- it's simply impossible for your data to really be secure if you've shared it no matter who's storing it. Even storing everything on an online computer with just a password to unlock is risky.

[OT rambling on something I know nothing about]
We're at a point, now, where I think there's really a market for semi-offline computers (not a full-blown giant box, but something which can fit in something like a HDD bay of a PC case and connect via SATA and maybe it could also just be a module inside a CPU with dedicated pins to interact with just one dedicated USB port) which seamlessly interacts with your online computers to provide needed credentials but which don't "wake up" to provide that information unless you physically provide some kind of biometric data or other data unique in physical space like a Yubikey. So, say you want to log in to a website. You click the "login" button which immediately tells your PC's software to start trying pull attempts on your credentials. All pull and push requests in queue are displayed in a dialog box, and you could get super-secure by having an additional button on the Yubikey-like to lock in all requests first. You'd then activate your Yubikey-similar which wakes up the semi-offline PC and provides a password to confirm the wake command is legitimate (it's never stored on the online PC and the online PC has no means of decrypting it). The PC then receives and processes all pull requests in queue and then immediately goes back to sleep, so you're logged into whatever you're queued for without needing to type any information in. The same process works for saving credentials, where your PC's software has a queue of data (credentials to store) to push to the semi-offline PC; you press your Yubikey and then that data is allowed to pass from your PC to the semi-offline PC. You encrypt all this so there are two sets of keys (online can decrypt credential retrievals and encrypt credential saves, semi-offline can encrypt credential retrievals and decrypt credential saves). Setup would take a couple minutes... maybe you have a switch on the Yubikey with three positions (offline pair, online pair, use), where you pop the Yubikey into the semi-offline and hit a button (wait for a LED to blink to confirm it's ready), then insert it into the online computer, hit a button to pair - repeat the process backwards for the online pairing, then leave the Yubikey in the online computer in the "use" switch for normal use. You can keep a spare Yubikey or two with the same seeds in safe places which maybe require some type of manufacturer-set password to activate.

In all of this, the only way you can use it is with an original or identical Yubikey-like physically connected to the online PC which is paired with the physically-connected semi-offlince PC. Once in the "use" position, you could also do things like require the Yubikey-like be given a password and use (probably biometric) 2FA. I'd guess you can get the added cost of all this down to around $40 in mass production. You basically just have a small, enclosed rpi, Yubikey, and specialized but fairly simple software. I think the simplicity of pressing buttons exceeds the complexity of learning how/when to press buttons and to do the initial pairing.

I'd guess this is mostly on OS devs and major PC assemblers, because everything else is going to feel kludgey/clunky -- it should be something more "default," I think. As far as hardware, then, the only thing "sticking out" is the Yubikey-like device, which many of us already have one or a few of. -Or something like that. I'm sure someone can think of a smarter solution.

Damn, the list helpful, thanks!

double identification guys

That mashable shows on the right side box, if they fix/patched it.

its worse than that, changing ur password wont help if the site does not update their software

It affects everything that uses OpenSSL. All services on android that uses OpenSSL is/was affected.

Does this affect mobiles and android also?

Here's one

Open source developers never caught this or created it them selves > sold to NSA. Developers = Profit?

DOes anyone have a list of who has patched their websites/servers? Cuz if they are not patch/fixed it's pointless to even change PW's.

Some moar info be awesome.

Edit:
It just eats my brain this went undetected for years   

Just go and change all your passwords in the world It is simple

hmm most websites and other services will deny that they were effected but I'll suggest you to change your pass better safe than sorry

Thanks for the warning,i heard something about it on TV,but i didn't pay attention to it.Is time to change all my passwords.

quite simple explanation.

Its a Bug that has affected many popular websites and services like : gmail, fb, and some other using OPEN SSL/TLS The bug is there from 2011 and very Highly Vulnerable
 Click the Mashable link shared above for more info..! its fine.. !

it's a bug in the system that allows users to steal data

http://heartbleed.com/


related current article in wired http://www.wired.com/2014/04/nsa-exploited-heartbleed-two-years/