I hope this helps people understand this issue: Here is an extract of an email I wrote and sent to my company yesterday - it aims to clarify much of the FUD (Fear, Uncertainty & Doubt) and plain inaccuracies in the press:
As many of you will know, a serious flaw in the commonly used OpenSSL library was revealed on the 7th April – the official designation of the bug is CVE-2014-0160. Please do NOT believe what you read in the tabloid press – much of it is sensationalist or simply incorrect.

*Is this serious?*

Yes. Very much so. Bruce Schneier, one of the World’s most respected security analysts and who is not prone to using hyperbole, commented: “’Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.” (https://www.schneier.com/)

*How does this affect me?*

Good question! There is a lot of conflicting advice out there. The simple fact is that something like 17% of all the World’s secure sites used vulnerable versions of OpenSSL, including Yahoo! Mail, Stack Overflow, flickr, etc. (see https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt for an example list of tested sites). You can tell if a site is using SSL (a secure link) because the site address will change to having a leading https:// rather than http:// – note the extra “s” in the secure address.

It is possible that your password has been stolen if you have used one of these vulnerable sites in the last couple of years. I say possible, because no-one knows if this issue was ever exploited in the wild – it was reported by security researchers (including Google) to OpenSSL on the 7th April and a fix was available the same day. However, someone else may have found it before and been quietly exploiting it…

Now, here is the problem. Many sites are saying “Change all your passwords NOW!!!”. Bad plan – this requires thought.

Now that the bug is public knowledge (and it’s easy to exploit), if you change to a new password on a site that is still vulnerable, you are doubly in the frame – whatever they may or may not have done in the past, you can bet that hackers are now targeting major vulnerable sites, so if you change your password on a site that is still open to attack, you are possibly more at risk than you were before. Confusing, isn’t it?

So, check first that the site has been updated – use http://filippo.io/Heartbleed/ – Yahoo has already fixed this, many others have too. But check first before changing to a new password.

One simple thing you can do to help matters is to use a different password for each secure site you visit – sounds painful? It is a bit – use a tool like PasswordSafe (great tool – see http://passwordsafe.sourceforge.net/) to remember all your passwords, and life will be a lot easier.

*Is this a sad indictment of Open Source software?*

Absolutely not – it shows all that is best about it – as soon as an issue is found, it’s fixed and everyone is made aware of it – same day. 100s of 1000s of sites use OpenSSL for a good reason – it’s worked on by 100s of very very good developers – no software is bug-free (not even at NASA!) so when something is found, you want it fixed FAST. That just doesn't happen with most commercial security s/w, be it from Microsoft, Apple or whoever – there, information like this tends to be buried…