Latest Software Bug.

[Keith Simmons]

Hi everyone.

I expect you are aware of the latest software bug around (Heartbleed Bug) and apparently it has been running for a few years !!!!

The latest advice is to change ALL your passwords and I have just done mine for this site.

Kind regards

Keith

 

Edited By Keith Simmons on 09/04/2014 14:17:44

[graham dewis]

Which software bug is that pse ?

[WolstonFlyer]

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

Have a look at heartbleed.com

[John Privett]

Posted by graham dewis on 09/04/2014 18:39:34:

Which software bug is that pse ?

As already stated in Keith's post, it's the Heartbleed Bug. (Link is to the BBC News site, not anything malicious!)

[graham dewis]

Thanks for the information guys.

[WolstonFlyer]

This forum will be OK because it runs on Windows servers using IIS and doesn't use SSL anyway.

[Pete B]

Most of what I've browsed about this has gone way over my head, TBH

I did get the impression though, that if any of your normally-frequented commercial sites use OpenSSL, they will probably contact you to suggest changing your password.

Until then, I can't see any reason why I need change all passwords - unless someone can convince me otherwise...

Pete

[Peter Jenkins]

Peter, from what I've read, only some ISPs are affected and changing your password before the bug is fixed, if you are one of the affected ones, doesn't help you. So, like you, I'm going to wait for my ISP to tell me whether I've been effected and if I then need to change my passwords.

[Gary Manuel]

Isn't it good practice to change passwords regularly regardless - especially to sites holding sensitive information?

(not that I do)

If you suspected that someone had looked over your shoulder and knew your password, you would change it. This is similar, but it's no good changing it if they are still looking over your shoulder, which is what it's like if the bug has not been removed yet.

[john melia 1]

Posted by Pete B - Moderator on 09/04/2014 21:55:43:

Most of what I've browsed about this has gone way over my head, TBH

I did get the impression though, that if any of your normally-frequented commercial sites use OpenSSL, they will probably contact you to suggest changing your password.

Until then, I can't see any reason why I need change all passwords - unless someone can convince me otherwise...

Pete

So how do you find out which sites use open ssl

[Keith Simmons]

Thanks guys.

I am prompted to change my passwords every 2 months at work. At home I am far more lazy.

I just don't know how much damage there has been done due to the Heartbleed bug and if there is an attack, it's hidden and off the radar.

Like John, I also have no idea about open SSL but hopefully the security sites will check through their systems as it is now in the open.

I don't use my bank on-line and I only use my payments on-line through my home network, not via an external open router.

If I am already affected, I agree changing the passwords now, is like shutting the stable door after the horse has bolted.

Keith

[Pete B]

Posted by john melia 1 on 10/04/2014 13:14:29:

So how do you find out which sites use open ssl

Dunno John - I'm hoping they'll tell me!

Pete

[Martyn K]

It's not worth changing passwords until the flaw has actually been fixed. If you change your password now then the a flawed system can still expose your new password. You need to wait until the flaws have been fixed.

Martyn

[John Privett]

Posted by john melia 1 on 10/04/2014 13:14:29:

So how do you find out which sites use open ssl

Advice from Solwise, the router/network gear people from whom I've bought various bits and pieces in the past, received by email today;

Advice for web users:

There are ways you can test if websites you visit are vulnerable to the 'Heartbleed Bug' before you enter any personal details on them.
If you are a Chrome user you can download a Chrome Extension, Chromebleed, which warns you when a site you're visiting has been affected.
**LINK**

There is also a test site you can check by domain names
**LINK**

[John Privett]

It goes on to say (as Martin already mentioned);

Changing Passwords

As a precautionary measure, people are being advised to change the passwords for all of their online accounts -- especially the most sensitive accounts (Internet Banking, Email, Social Networks etc...).
If you decide to undertake these [painfully laborious] measures, may we advise that you do not change your password with a website until you are certain that they have already patched the 'Heartbleed Bug'. This will ensure the safety of your new set of passwords.

[Peter Miller]

According to the BBC news, there is no point in chnaging passwords until the company tells you to. This is because, until they fix the problem any new password will still vunerable.

Once the problem has been fixed you should get an email telling too change the password.