Web security folks recently discovered a major vulnerability in OpenSSL, a security system used by a majority of websites. This vulnerability, named Heartbleed, made it possible for a user to send requests to the site and receive back secure information - that could include security keys, passwords, and pretty much anything in there. A patch for OpenSSL has been issued, and major websites that had the vulnerability have started upgrading to fix the issue.
[FYI, we know for certain that Yahoo, along with subsidiaries Tumblr and Flickr, were still vulnerable to the Heartbleed exploit when it was publicly announced. Facebook services were vulnerable but have been patched.]
It is not clear whether this flaw was exploited prior to its discovery, but it almost certainly is being exploited now that it's publicly known.
The main thing to take away is this:
Assume that your data on any affected site was not secure. If you have accounts on affected websites, check that they have upgraded their software to fix the issue, and only then should you reset your password.
If the password you used on a vulnerable site was the same as one you used elsewhere, change all of those passwords.
Keeping your passwords unique is recommended, and once again, make sure that sites are not vulnerable to Heartbleed before changing your password, or else you'll just have to do it all over again.
I do not know if the servers hosting Kevin's Watch use OpenSSL - perhaps Vain can enlighten us on this - but I'd encourage caution.
For more information, check www.heartbleed.com
Also: Useful list of vulnerable sites.
Heartbleed
- I'm Murrin
- Are you?
- aliantha
- blueberries on steroids
Thanks, Murrin. 



EZ Board Survivor
"Dreaming isn't good for you unless you do the things it tells you to." -- Three Dog Night (via the GI)
https://www.hearth-myth.com/