jfitzpatrick at April 9th, 2014 16:30 — #1
Today we’re warning you about a much bigger security problem, the Heartbleed Bug, that has potentially compromised a staggering 2/3 of the secure websites on the internet. You need to change your passwords, and you need to do it now.
Originally published at: http://www.howtogeek.com/186735/htg-explains-what-the-heartbleed-bug-is-and-why-you-need-to-change-your-passwords-now/
straspey at April 9th, 2014 17:48 — #2
Suggestion to Mods:
I'm not sure if it's possible here, but I would respectfully suggest this article be "pinned" so it appears at the top of the list for the next few weeks. The information in this article could prove invaluable to many people who might not visit HTG over the next few days - at which point it would be much farther down on the topic list.
Thanks for posting this.
chrisr at April 9th, 2014 18:35 — #3
You say: "You need to change your passwords, and you need to do it now."
But: "Before you dive into immediately changing your passwords, be aware that the vulnerability is only patched if the company has upgraded to the new version of OpenSSL. The story broke on Monday, and if you rushed out to immediately change your passwords on every site, most of them would still have been running the vulnerable version of OpenSSL."
So which is it to be?
stickman803 at April 9th, 2014 18:37 — #4
I already used 2-Factor Authentication for my Google account. Is that safe?
scott_vt at April 9th, 2014 20:30 — #5
This topic is now pinned. It will appear at the top of its category until it is either unpinned by a moderator, or the Clear Pin button is pressed.
scott_vt at April 9th, 2014 20:44 — #6
We'll pin this for a while and try to get clarification on Stickman's point.
readandshare at April 9th, 2014 21:36 — #7
For those who use Lastpass... you can click "Tools" and Lastpass will test all your sites and recommend the ones that need to have the passwords changed. Much more convenient than manually testing on your own, site, by site.
straspey at April 9th, 2014 21:40 — #8
Over at BetaNews, Brian Fagioli has posted an article reporting "Google stops the hemorrhaging -- patches OpenSSL Heartbleed bug".
Apparently they have plugged the leak; although I'm not sure if this directly addresses Stickman's issue.
andrewrobert7 at April 9th, 2014 22:17 — #9
Scott_vt, you might want to extend the post time until HTG unpins it.
scott_vt at April 9th, 2014 22:36 — #10
geek at April 9th, 2014 23:17 — #11
FYI just in case anybody is wondering, How-To Geek is not vulnerable to this bug as we don't use SSL encryption in the first place. If you run howtogeek.com or discuss.howtogeek.com through the Heartbleed checker web site it will return an error... because we don't provide SSL at all.
I've updated the article to reflect this.
fierce134 at April 9th, 2014 23:39 — #12
This is what I want to know too. Over at Lifehacker, they said the same thing in that everyone should hold on. But so many sites say to keep changing your passwords. It's annoying just sitting here knowing what I need to do, but not being sure if I should do it or not...
mark1 at April 9th, 2014 23:51 — #13
Agreed. HTG is usually very helpful and informative but this is either bad writing or bad editing, or both.
First, you tell readers that action is urgent and "now." Next, you tell readers they should wait until a website has updated and patched their servers.
It's my understanding that users should wait until a website has applied the patch before changing credentials. At least this post provides a method for determining whether a website has been patched.
Probably should get the message right before worrying about whether it should be pinned and comment periods left open. Better luck next time.
yu0x3 at April 10th, 2014 04:02 — #15
Please don't give people such tips. This password is hard to remember (exactly how did I scramble it?), a pain to type on mobile devices and isn't all THAT much more secure than writing "I love to read books" in plain text, as it either contains common standard leet transcriptions (easily guessed) or is even harder to remember. It is roughly the type of password that makes people put post-its with their workplace password on their monitors.
Xkcd has nicely treated the topic:
Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.
The best passwords are those that are long (in terms of entropy), yet relatively easy to remember, e.g. a sequence of four randomly selected English nouns. Most services undermine that concept by limiting the maximum length of passwords to between 12 and 20 characters (at 16 characters most 4-word combinations will be too long) and enforcing those "hard to remember" password policies ("at least one number and letter each").
Comic: http://xkcd.com/936/ Some more discussion: http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
afuhnk at April 10th, 2014 09:31 — #16
I checked mine yesterday and LastPass found 8 sites with vulnerability to this but only 2 that I should change NOW.
The 6 others said "Do not change yet" (or something like that).
So, yeah, not all sites have been patched, so not all of them should be changed right away.
gordon_radix at April 10th, 2014 11:11 — #17
Interesting that I got different responses from the two check sites, having tested six banking or money sites. The LastPass checker shows the six sites as either RED (vulnerable) or Yellow (possible vulnerability), while the Heartbleed bug checker shows these same six as Green / safe.
iszi at April 10th, 2014 13:54 — #18
To address a couple of the questions I've seen in a quick skim of the topic:
When to change passwords:
Password changes in response to Heartbleed are only effective after the system owners have confirmed (and/or you've validated with one of the publicly available tools) that OpenSSL has been removed or updated to a non-vulnerable version. Ideally, the system owners should also be changing out their SSL certificates.
If you change your password before OpenSSL is fixed on a system, an attacker may be able to exploit the vulnerability and retrieve your new password. This can be done from anywhere, and does not require Man-in-the-Middle (MitM) positioning.
If you change your password before a new SSL certificate is applied to the system, it is possible that a MitM (or someone else on a shared network, e.g.: WiFi) may have the certificate (pulled during a prior attack) and be able to use it to decrypt your traffic - thereby exposing your new password.
@geek @jfitzpatrick: I strongly suggest you change the verbiage in the article to remove any suggestions that may be misconstrued as instructing users to change passwords immediately without first checking with system owners to see if the vulnerability has been mitigated.
(Ping: @Stickman803, @Scott_vt)
Two-Factor Authentication (2FA) on systems vulnerable to Heartbleed can help protect you, but not by much. The key thing to remember about Heartbleed is that it potentially exposes everything handled by the web server. So any data you transfer to/from a Heartbleed-vulnerable server can be captured by an attacker no matter how you log in. Again, this does not require MitM positioning and it is impossible for you as the end-user (and still difficult even for system owners) to know whether an attack is underway.
What 2FA can prevent is the possibility that the attacker might take your password and use it to gain access to your account on that site by themselves. The attacker can still obtain your password, but will not have access to the security token or code that is also required for access when they try to log in. (They'll be able to capture the code that you use for your login, but it will be invalid when they try theirs.) That said, if you reuse the same username/password combination on other sites that do not support 2FA, those other accounts may be vulnerable.
Also be very careful as to what you consider to be 2FA. A site that requests username/password, then prompts you with a security question, is not providing 2FA. Security questions are just as vulnerable to capture by Heartbleed as passwords or any other data.
Sites that don't use SSL:
Sites that don't use SSL are not vulnerable to the Heartbleed attack. However, lack of SSL in the first place does present potential security risks. These risks usually require MitM or a shared network medium (e.g.: WiFi) to exploit. If you feel your credentials and/or information is at risk because a site does not use SSL, contact the site owner for more information.
Additional Information Sources
There's some good write-ups by Troy Hunt and Brian Krebs on the Heartbleed vulnerability, and StackExchange has been afire the past few days with questions about it.
Krebs On Security - ‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys
Krebs On Security - Heartbleed Bug: What Can You Do?
TroyHunt.com - Everything you need to know about the Heartbleed SSL bug
Information Security StackExchange - Questions Tagged "Heartbleed"
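The two preconditions iszi lists above (the server must run a fixed OpenSSL, and its certificate should have been reissued after the fix, since the old private key may already have leaked) can be turned into a simple decision check. The code below is an added example, not part of this thread; the version strings, certificate dates and the patch-confirmation time are constructed sample values, and the certificate date format is the one Python's `ssl.getpeercert()` returns.

```python
import re
import ssl
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the
# fix. 1.0.2-beta1 was also affected. The 1.0.0 and 0.9.8 branches were never vulnerable.
VULNERABLE_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Constructed value: the moment the site owner confirmed the OpenSSL upgrade.
PATCH_CONFIRMED_AT = datetime(2014, 4, 8, 12, 0, tzinfo=timezone.utc)


def is_vulnerable_openssl(version: str) -> bool:
    """True if an OpenSSL version string (e.g. '1.0.1f') is a Heartbleed-affected release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter, prerelease = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 2):
        return prerelease == "beta1"          # only the first 1.0.2 beta shipped the bug
    if (major, minor, patch) != VULNERABLE_BRANCH:
        return False
    return letter < FIRST_FIXED_LETTER        # '' (plain 1.0.1) and 'a'..'f' are vulnerable


def cert_reissued_after(not_before: str, patch_time: datetime) -> bool:
    """not_before uses the getpeercert() format, e.g. 'Apr 10 08:00:00 2014 GMT'."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    return issued >= patch_time


def password_change_advice(openssl_version: str, cert_not_before: str,
                           patch_time: datetime = PATCH_CONFIRMED_AT) -> str:
    """Apply both preconditions before advising a password change."""
    if is_vulnerable_openssl(openssl_version):
        return "wait: server still runs a Heartbleed-vulnerable OpenSSL"
    if not cert_reissued_after(cert_not_before, patch_time):
        return "wait: certificate predates the patch, its key may already have leaked"
    return "change now"


if __name__ == "__main__":
    # Constructed sample servers: (name, reported OpenSSL version, certificate notBefore).
    for name, ver, nb in [("bank-a", "1.0.1f", "Mar 01 00:00:00 2014 GMT"),
                          ("bank-b", "1.0.1g", "Mar 01 00:00:00 2014 GMT"),
                          ("bank-c", "1.0.1g", "Apr 10 08:00:00 2014 GMT")]:
        print(f"{name}: {password_change_advice(ver, nb)}")
```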
raphoenix at April 10th, 2014 17:03 — #22
scott_vt at April 10th, 2014 18:53 — #23
fredlit at April 10th, 2014 19:13 — #24
Very good explanation. I was about to give up on this thread as I expected and discussion of the details of the vulnerability. Thank you for this. I just wish it was in text form.