Heartbleed

How worried should we be about this Heartbleed Bug? I know with internet access to my bank account, they provided all the log in details. With them it wouldn't just be a simple case of changing my password.

 

Very worried, but it requires action on the company's part before you change your password.

 

Even the top security experts aren't sure about the risks. Read this, published just today.

http://www.theverge.com/2014/4/11/5604300/heartbleed-may-not-leak-private-ssl-keys-after-all

 

Maybe, but I have friends in low places who have claimed to have been able to get valuable data from some of these vulnerable servers.

The original firm that found it attacked themselves and was able to obtain sensitive info as well.

 

Also, did you see the article update?


Update April 11, 12:08PM EST: Updated to acknowledge that private keys had been revealed by Apache servers on first request.

 

So does this mean that there is nothing at all you can do about unpatched sites that have already been attacked? And how do you definitively establish whether a site is either not vulnerable or has already been patched? I used an internet test which cleared some of the sites I use but gave an indeterminate result for others. LLoyds Bank for example, one of the UK big four, is silent on the matter, while at the other extreme the Coventry Building Society is emailing reassurance to its members. But most banks are silent on the matter. Very worrying.

 

The Heartbleed Hit List: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Some good and useful info.

 

heartbleed has struck again this time on mumsnet forum site one user has been hacked and posted on the forum site as the user and also Canada's tax agency.


http://www.bbc.co.uk/news/technology-27028101