Heartbleed Bug

[Frezzato]

So no doubt you've been reading the news about this problem that was discovered, called the Heartbleed Bug, which went undiscovered for the past two years now.

Heartbleed (Heart Bleed) Bug news on Yahoo [http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/]

It has something to do with a previously undiscovered problem involving OpenSSL. That linked article claims they've already found many Yahoo passwords. Users of various sites (including banking) apparently shouldn't change their passwords until things are fixed on the server side. The problem, in my mind, is that certain sites are claiming that other businesses have already fixed the issue [http://www.businessinsider.com/how-to-create-strong-password-heartbleed-2014-4] on their end, except that I haven't received any official communication from those businesses yet, like Amazon.

What say you, fellow Escapists? Are you taking this issue seriously? What will you do with your current passwords? I personally have over 180 unique passwords so I'm not looking forward to this, but I know what I have to do if I want some peace of mind.

 

[Barbas]

Gosh darn it, not again.

I'm with you - it's an annoying rigmarole to have to go through, but what must be done must be done. 180 passwords? That's...surprising!

 

[dyre]

I'll wait until there's a consensus on Ars Technica that I should be changing my passwords. It won't be as much of an issue for me because I only use unique passwords on sites that I actually care about / are important, which is about twenty unique passwords. I don't really care if anything outside that group of sites gets hacked.

edit: fuck it, changing passwords now

180 passwords? That's...surprising!

He probably uses a password manager like LastPass, but still, yeah, that's a lot

 

[8bitmaster]

Well for one, escapist is vulnerable. I just checked. http://filippo.io/Heartbleed/#escapistmagazine.com I don't like the fact that all these expolits are coming to light now, but I am happy that many companies are fixing it immediately. The worry here is that how long has this exploit been going on in the shadows that its only coming to light now.

 

[chozo_hybrid]

Wouldn't changing passwords be pointless until the site/service fixes the problem or something? I'm clearly not that knowledgeable on these things.

 

[dyre]

Wouldn't changing passwords be pointless until the site/service fixes the problem or something? I'm clearly not that knowledgeable on these things.

The updated version of OpenSSL that fixes the problem is already available; presumably most sites ought to have updated by now. Of course, there are probably some sites that are lagging behind, so you'll have changed a few of your passwords for nothing, but imo it's better than waiting around until you get an official announcement and hoping that no one steals your credit card information in the meantime.

 

[Master_of_Oldskool]

Wouldn't changing passwords be pointless until the site/service fixes the problem or something? I'm clearly not that knowledgeable on these things.

Quite correct, and most news sites that are reporting on this are recommending that you don't change passwords until the site in question explicitly state that they've patched OpenSSL. If you do it beforehand, the new password is still vulnerable.

Aaaand ninja'd. Off topic, who else is ready to go into the woods and subsist on raw trout and tree bark rather than continue to deal with a new cataclysmic privacy breach every few months?

 

[chozo_hybrid]

Snip.

Snip.

Thanks for the responses, I'm new to the whole getting into tech knowledge thing, so I ask a lot of usually stupid questions.