Heartbleed

Heartbleed causes massive online scare - but don't change your passwords just yet

Google sites such as GMail and YouTube are clear, the company says.

A NEW SECURITY bug has sparked online panic, with experts saying that users of a large number of sites should change their passwords – but not right away.

Heartbleed is a security flaw in OpenSSL technology, an implementation of a protocol that is used to protect data across the web.

Around two-thirds of the web uses OpenSSL and the Heartbleed bug has been present for around two years.

The bug can, in theory, allow anyone to access the information of people who used affected sites, and there is not much that users can do just yet. It is up to individual websites to upgrade to a version of OpenSSL that is unaffected.

It’s unclear whether any information has been stolen as a result of Heartbleed, but security experts are particularly worried about the bug because it went undetected for more than two years.

Google sites such as GMail and YouTube are clear, the company says, but a large number of other websites are still affected.

Yahoo, which has more than 800 million users around the world, said Tuesday that most of its popular services — including sports, finance and Tumblr — had been fixed, but work was still being done on other products that it didn’t identify.

A GitHub list compiled by a user outlines around 10,000 sites and whether they are or are not affected.

It is recommended that users of sites that have passwords search the list for their bank, email and important account providers. Ultimately, you’ll need to change your passwords, but that won’t do any good until the sites you use adopt the fix. It’s also up to the internet services affected by the bug to let users know of the potential risks and encourage them to change their passwords.

57 Comments
    Mike O Neill
    Apr 10th 2014, 8:31 AM

    Redtube! Oh no!

    121
    Pierce2020
    Apr 10th 2014, 8:22 AM

    Oh no, now they can look at pictures of my wife’s birthday, for shame internet, for shame.

    67
    Mike Myers
    Apr 10th 2014, 8:27 AM

    You do know most people use their computers for more than pics of their wives posing with bingo wings

    79
    Pierce2020
    Apr 10th 2014, 8:34 AM

    They don’t, it’s the number one usage.

    81
    Brian Dataface Cavanagh
    Apr 10th 2014, 8:41 AM

    I think that’s other people’s wives

    40
    Mike Myers
    Apr 10th 2014, 8:43 AM

    I’d say your wife’s pics are ok. There ain’t no one that deviant

    21
    Brian Dataface Cavanagh
    Apr 10th 2014, 8:47 AM

    Bit innocent?

    10
    Niall Flynn
    Apr 10th 2014, 8:02 PM

    XD So True up with bingo wings down with the rest XD

    1
    Declan Byrne
    Apr 10th 2014, 8:19 AM

    Got to love how the IT security industry causes fear to spend money. Over hyped this alert.

    37
    Declan Byrne
    Apr 10th 2014, 8:35 AM

    Anyone like to explain the red thumbs? Sorry if I upset IT security folk with the truth.

    25
    Fionnan Burke
    Apr 10th 2014, 8:40 AM

    Conspiracy theorists are hilarious. Given that the fix for this bug can be applied without immediate cost (excluding the cost of man hours), I don’t see how it could be claimed that the IT Security industry are trying to drum up money. But hey, maybe they should keep their mouth shut and leave the vulnerabilities undeclared, that’d be a lot better

    53
    Brian Dataface Cavanagh
    Apr 10th 2014, 8:44 AM

    I didn’t red thumb it but if a site doesn’t update their protocols then they are affected by loss in traffic and revenue. It doesn’t cost us anything.

    14
    Declan Byrne
    Apr 10th 2014, 8:46 AM

    Ok, the bug can be fixed with no cost, agreed. However, most companies will do an immediate security review of their perimeter and intrusion detection systems. Along comes IT security vendor and goes you need this and this and this.

    10
    Declan Byrne
    Apr 10th 2014, 8:48 AM

    I disagree, most sites will lose no traffic as most users will not have a clue if the site is vulnerable or not.

    6
    Fionnan Burke
    Apr 10th 2014, 8:56 AM

    Of course most decent companies will do a security review. That would be the most sensible thing to do. I don’t see how this relates to the IT Security sector drumming up money though. And most large companies would (or should) have in-house security staff on their payroll anyway

    16
    Declan Byrne
    Apr 10th 2014, 9:02 AM

    The review is nearly always done in conjunction with a security company.

    2
    Emilio
    Apr 10th 2014, 9:10 AM

    The update is virtually free and there is no way of finding out what data was leaked because of the nature of the bug.

    Sure the NSA was using it very happily I bet.

    9
    David Molloy
    Apr 10th 2014, 9:19 AM

    There is an associated cost in fact and a benefit to security companies. Any site that was affected could have had encryption keys for SSL leaked (the bit that gives secure traffic over https) which means that, even after fixing, future traffic is still vulnerable. Hence companies will need to purchase and install new security certificates regardless of whether they know if they have been compromised as this vulnerability leaves no logs or trace.

    Apologies for the nerd overload this early in the morning.

    4
    Barry O'Brien
    Apr 10th 2014, 9:26 AM

    Declan, you are seriously underestimating the consequences of this bug. Security companies are as affected by this as are other companies, and security companies don’t stand to make profit from this. In fact, it will cost security companies money to fix vulnerabilities that may exist in their own security solutions.

    Brian… “It doesnt cost us anything.” It does if it’s your data being stolen from the provider.

    David, any reputable CA will revoke certs and sign new ones for free. Otherwise the trust model would be broken. The only vendor I know of that is refusing to do this is StartSSL, who wouldn’t be the most reputable anyway.

    8
    Fionnan Burke
    Apr 10th 2014, 9:54 AM

    Yes, in some cases the security may involve assistance from security consultants but as has been said below, there is virtually no cause to be charged for new certificates, since it is a flaw in the certificate infrastructure. My (prolonged) point here is that this isn’t a conspiracy by the security sector. They took the time, and probably money, to identify this bug. They should be praised for finding it, not accused of looking for extra money. The researchers involved are ridiculously intelligent people, I could only hope to have a fraction of their technical ability someday.

    6
    Forest Master
    Apr 10th 2014, 12:42 PM

    @ Declan – you should quit while you only look like a partial idiot, and not a full blown moron.

    5
    Declan Byrne
    Apr 10th 2014, 1:23 PM

    Barry, I understand the potential consequences but the overall risk is not high. Even the SANS don’t have it as red in their threat level.

    1
    Declan Byrne
    Apr 10th 2014, 1:26 PM

    When you have worked as long as me in some of the world’s biggest companies in IT security then you can call me an idiot.

    1
    Declan Byrne
    Apr 10th 2014, 1:30 PM

    Some day you may work for me :-) in security.

    1
    Forest Master
    Apr 10th 2014, 1:34 PM

    Wow – you work in IT. How exciting. zzzzzzzzz

    2
    Barry O'Brien
    Apr 10th 2014, 1:45 PM

    Overall risk is not high? Are you on drugs? Any application using the vulnerable version of OpenSSL (which is a lot of applications) can have their memory scraped. I seriously doubt you work in IT Security if you don’t understand the significant risk in that.

    And of course SANS don’t list it as red. Have you ever actually looked at what the ISC classifications actually mean? https://isc.sans.edu/infocon.html

    1
    Forest Master
    Apr 10th 2014, 1:46 PM

    Careful, Barry – you may end up working for ‘Declan the IT security bigshot’ some day!

    3
    Barry O'Brien
    Apr 10th 2014, 1:49 PM

    “worked as long as me in some of the worlds biggest companies in IT security”
    “Some day you may work for me :-) in security.”

    Declan, what job did you actually have in the “security” companies? Because I don’t believe you for a second. The level of incompetence you have shown in this thread is astounding for someone who claims to work in IT security.

    1
    Niall Flynn
    Apr 10th 2014, 8:03 PM

    Where in the Square? ;)

    1
    Michael Connolly
    Apr 10th 2014, 11:13 PM

    I’d tend to agree with you Declan, most users would not be aware so why should they be cautious. How many people have stopped using ATM machines because their card can be cloned and pin discovered and this is a very well publicised and much understood issue for years.

    1
    Bob Goodbear
    Apr 11th 2014, 1:40 AM

    I was thinking the very same Declan

    1
    Bob Goodbear
    Apr 11th 2014, 1:43 AM

    Re: sites losing traffic. In the most part they won’t.

    1
    Mark Lillis
    Apr 10th 2014, 8:30 AM

    Great feature from the Journal whereby if you type your password in the comment box it shows up encrypted.

    *************

    Works very well.

    32
    James Murphy
    Apr 10th 2014, 8:54 AM

    **********

    18
    Leopold Dedalus
    Apr 10th 2014, 8:59 AM

    Congratulations you are the 999,999th person to comment on the Journal! Give me all your bank and credit card details to claim your prize!

    50
    Emilio
    Apr 10th 2014, 9:07 AM

    Oh really?

    someonethinksweareallfools999!!

    16
    Mark Lillis
    Apr 10th 2014, 9:23 AM

    @Emilio

    That password is obviously fake.

    There are no uppercase characters and 2 exclamation marks together!!
    Do you think we are all fools?

    16
    Emilio
    Apr 10th 2014, 11:48 AM

    But I got me numbers in it!

    3
    Mike Myers
    Apr 10th 2014, 8:33 AM

    Love how the journal uses a pic naming a porno site and a torrent site. Who employs these people?

    20
    Niall Flynn
    Apr 10th 2014, 8:05 PM

    In fairness these sites are used by millions, but yeah creating accounts on them, who knows why?

    1
    Paul Roche
    Apr 10th 2014, 9:52 AM

    Considering the cost of SSL certs, and that Heartbleed vulnerability has been present for 2 years, what’s the position where cert providers have been selling something useless?

    18
    Barry O'Brien
    Apr 10th 2014, 10:03 AM

    The CA’s are not responsible for the choice of library that people use in their SSL/TLS deployment. The effectiveness of the CA system is another discussion unrelated to this issue. After all, this bug affects CA-signed and self-signed certs equally if you are using OpenSSL.

    14
    Barry O'Brien
    Apr 10th 2014, 10:08 AM

    And it’s not completely useless if your server will only use ciphers supporting Perfect Forward Secrecy as even if the private key is compromised, captured sessions cannot be decrypted.

    7
    Paul Roche
    Apr 10th 2014, 10:20 AM

    Thanks Barry,
    Good tip for PFS…

    5
    1 Human Being
    Apr 10th 2014, 1:27 PM

    There will be a problem with routers as well as most routers have OpenSSL. So get on to your ISP to update software or if there is a software patch needed for them.

    2
    Paul Roche
    Apr 10th 2014, 1:35 PM

    I first learned about Heartbleed from reading thejournal.ie – now I find out that routers are vulnerable.
    Thanks 1 Human Being…

    1
    Frank Brady
    Apr 10th 2014, 8:27 AM

    This all seems a lot like The Millennium bug affair. I think vested interests are at work

    11
    Emilio
    Apr 10th 2014, 9:10 AM

    No it does not. You are clueless.

    21
    Barry O'Brien
    Apr 10th 2014, 9:29 AM

    The reason the Millennium Bug didn’t cause the chaos predicted was because of the insane amount of time, money, and resources, spent fixing it in advance. If the fuss wasn’t made it wouldn’t have been fixed and then chaos would have ensued.

    And there is absolutely no similarity between this and the Millennium Bug. At all.

    16
    Mark O'Hagan
    Apr 10th 2014, 10:34 AM

    The Millennium Bug was a myth that was converted into a money-making scam by certain people in the IT industry.

    5
    Mary Kavanagh
    Apr 10th 2014, 10:41 AM

    Absolutely, Barry. The media whipped up a huge fear campaign and when the problem didn’t arise the people who fixed it got all the opprobrium. Should have been the messenger that got shot in that instance!

    4
    Emilio
    Apr 10th 2014, 11:47 AM

    The millennium bug was real. Systems that had the bug would have presented a whole rosary of issues from minor malfunctions to total breakdowns. They had to be replaced or patched and they were.

    7
    Anton
    Apr 10th 2014, 12:47 PM

    You don’t have a clue about IT, do you? Thousands of developers in thousands of companies spent huge amounts of time and effort making sure the Millennium Bug was patched, before it became an issue.

    The only reason there were no major systems crashes was because they were so good at their jobs.

    5
    Mary Kavanagh
    Apr 10th 2014, 1:03 PM

    By messenger I mean the media.

    1
    Sharon Reid
    Apr 10th 2014, 11:44 AM

    A supplier got hacked this morning, which then sent an “invoice” to me, my IT are working to save my pc right now, no joke. :(

    1
    Partysauras Rex
    Apr 10th 2014, 11:53 AM

    This makes no sense

    12
    Michael Connolly
    Apr 11th 2014, 12:54 AM

    Site: http://www.thejournal.ie
    Server software: nginx/1.0.5
    Was vulnerable: Likely (known use OpenSSL)
    SSL Certificate: Possibly Unsafe (created 1 year ago at Mar 2 14:35:29 2013 GMT)
    Assessment: Wait for the site to update before changing your password

    1