
Change password on affected sites


How to use the Internet while Heartbleed is being fixed.

Senior online Safety

Heartbleed bug: Checking websites and changing passwords. Posted on 11 April 2014.

In the wake of the discovery of the Heartbleed bug in OpenSSL, some security experts went as far as advising users to stay off the Internet for a few days until the problem is sorted out. I doubt many have listened to that advice, so here is what you can do instead: check whether the websites you visit regularly are vulnerable. The current status of the most popular websites is published on several lists. If the website you want to check is not on one of them, you can test it yourself by entering its URL in one of the following tools: the LastPass Heartbleed checker, Qualys' SSL Labs Server Test, or Filippo Valsorda's Heartbleed test. Bear in mind that a clean result only means the server is not vulnerable at the moment you test it; it says nothing about whether it was exposed before being patched. A site is only really safe again once it has patched, replaced its certificate and private key, and asked its users to change their passwords.

Firefox and Chrome users can simplify the process by installing an add-on that flags vulnerable websites: Heartbleed-Ext (Firefox) or Chromebleed. If a site you rely on has not yet fixed the problem, you might want to ask it to do so as soon as possible.

Heartbleed OpenSSL vulnerability: A technical remediation. Posted on 09 April 2014.

OpenSSL has released a security advisory and a patch for a bug in its library that lets a remote peer read up to 64 KB of the process's memory per heartbeat message. The bug has been assigned CVE-2014-0160 (TLS heartbeat read overrun). According to OpenSSL, the heartbeat extension was introduced in March 2012 with the release of OpenSSL 1.0.1, which means the vulnerability has been present for just over two years. It is very serious: the leaked memory can contain session cookies, credentials and even the server's private key, so protected information can be stolen despite SSL/TLS encryption, and the request can be repeated at will. Since the announcement there has been considerable buzz in the underground, and malicious actors have been actively dumping memory from affected servers with one of the several public proof-of-concept scripts, attacking the massive number of services exposed on the Internet.
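The heartbeat read overrun described above, as an added example that is not code from the original page or from OpenSSL: a C model of the heartbeat record handling, with the vulnerable version beside the version carrying the bounds check that OpenSSL 1.0.1g added. The server memory, the malformed record and the secret lying next to it are constructed for the demonstration; names such as `run_demo` and `vulnerable_leaks_secret` are this example's own.

```c
/* Added example (not code from the original page or from OpenSSL): a model
 * of the TLS heartbeat handling behind CVE-2014-0160. Record layout per
 * RFC 6520: 1-byte type, 2-byte big-endian payload_length, payload, then at
 * least 16 bytes of padding. The vulnerable handler trusts payload_length;
 * the fixed one adds the bounds check OpenSSL 1.0.1g introduced.
 * The "server memory" and the secret inside it are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define RECORD_LEN   (1 + 2 + 1 + HB_PADDING)     /* 20 bytes actually received */
#define MAX_RESPONSE (1 + 2 + 65535 + HB_PADDING)

static const char SECRET[] = "SESSION=deadbeef;PRIVKEY"; /* constructed neighbour */
static unsigned char server_memory[64];                 /* record + neighbouring heap */
static unsigned char response_buf[MAX_RESPONSE];

/* A heartbeat request carrying one real payload byte ('A') whose length
 * field claims claimed_len bytes; SECRET sits right after the record. */
static void setup_memory(unsigned char claimed_len)
{
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = 0x00;          /* payload_length high byte */
    server_memory[2] = claimed_len;   /* payload_length low byte */
    server_memory[3] = 'A';           /* the only real payload byte; 4..19 is padding */
    memcpy(server_memory + RECORD_LEN, SECRET, sizeof SECRET - 1);
}

/* Vulnerable handler (OpenSSL 1.0.1 to 1.0.1f): rec_len is never consulted,
 * so memcpy reads payload_length bytes past the end of the real record.
 * Returns the response length, or -1 if the message is not a request. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out)
{
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* attacker-controlled */
    p += 2;
    (void)rec_len;                                       /* the bug */
    if (hbtype != HB_REQUEST) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);                         /* over-read happens here */
    memset(out + 3 + payload, 0, HB_PADDING);            /* OpenSSL uses random bytes */
    return 1 + 2 + payload + HB_PADDING;
}

/* Fixed handler, mirroring 1.0.1g: 0 means silently discarded (RFC 6520, section 4). */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out)
{
    if (1 + 2 + HB_PADDING > rec_len) return 0;          /* too short to parse */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0; /* length lies */
    if (hbtype != HB_REQUEST) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);                         /* provably inside rec */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 1 + 2 + payload + HB_PADDING;
}

/* 1 if the first n bytes of buf contain needle. */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t len = strlen(needle);
    for (size_t i = 0; i + len <= n; i++)
        if (memcmp(buf + i, needle, len) == 0) return 1;
    return 0;
}

/* Driver: build the record with the given claimed length and feed it to the
 * fixed (use_fixed != 0) or vulnerable handler; returns the handler's result. */
static int run_demo(int use_fixed, unsigned char claimed_len)
{
    setup_memory(claimed_len);
    return use_fixed ? heartbeat_fixed(server_memory, RECORD_LEN, response_buf)
                     : heartbeat_vulnerable(server_memory, RECORD_LEN, response_buf);
}

/* 1 if the vulnerable handler's reply to a lying request carries SECRET. */
static int vulnerable_leaks_secret(void)
{
    int n = run_demo(0, 0x30);                           /* claims 48 bytes, sent 1 */
    return n > 0 && contains(response_buf, (size_t)n, SECRET);
}

int main(void)
{
    printf("vulnerable: %d-byte reply, secret leaked: %d\n", run_demo(0, 0x30), vulnerable_leaks_secret());
    printf("fixed: lying request -> %d, valid request -> %d-byte reply\n", run_demo(1, 0x30), run_demo(1, 0x01));
    return 0;
}
```

Run as written, the vulnerable handler answers a 20-byte request with 67 bytes, 48 of them copied from beyond the record and including the constructed secret, while the fixed handler discards the same request and still answers a correctly sized one. The lesson is the one the advisory draws: the length field is attacker-controlled input and must be checked against the bytes actually received before it drives a copy.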

Only the 1.0.1 and 1.0.2-beta release lines of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1; 1.0.1g fixes the bug, and the 0.9.8 and 1.0.0 branches never contained the heartbeat code. Heartbleed.com mentions a web-based tool and a couple of scripts for testing whether you are vulnerable to this latest exploit:

alert tcp !

Heartbleed: how to choose a good password? Changing your password, fine. But what rules should it follow to be both strong and easy to remember? Le Monde.fr | Updated on | By Martin Untersinger

More and more sites and services have fixed the Heartbleed flaw, which left a great deal of personal information exposed, in particular users' passwords. It is now advisable to change your password on the sites and services that have strengthened their security (and only on those). Read our explainer: The sites for which it is advisable to change your password

Length: choose a passphrase. It is often recommended to adopt a password of at least eight characters, sprinkled with plenty of special characters.

But from the point of view of whoever (human or machine) has to guess a password, the number of possibilities to try grows faster when the password is lengthened than when special characters are added to it: for an alphabet of size A and a length L the search space is A^L, which is exponential in L but only polynomial in A. Yes.

Heartbleed Bug: Public urged to reset all passwords. 9 April 2014, last updated at 10:34 ET. By Leo Kelion, Technology desk editor.

Users are warned that the flaw may have exposed passwords and sensitive data.

Several tech firms are urging people to change all their passwords after the discovery of a major security flaw. The Yahoo-owned blogging platform Tumblr has advised the public to "change your passwords everywhere - especially your high-security services like email, file storage and banking".

Security advisers have given similar warnings about the Heartbleed Bug. It follows news that a product used to safeguard data could be compromised to allow eavesdropping. OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers so that only the service provider and the intended recipients can make sense of it.

The padlock icon users see in their web browser shows that the connection is protected by SSL/TLS; that protection is often provided by OpenSSL, but rival products produce the same padlock, so the icon alone does not tell a user whether a site was affected.

Copied keys