A public service announcement.
If you only rarely peek out from underneath your rock and don’t know about Heartbleed, you should bother to find out. Additional info, e.g., here. A pretty basic tool to check servers is here.
Notable vulnerable services were, for example, Gmail and Yahoo Mail.
List of affected sites with recommendations on which to change your password. Unfortunately, you should also probably change any other sites on which you use the same password.
It’s a good time to do an Expected Utility calculation!
If you think that p(having your accounts compromised) × (pain if accounts are compromised) > 1 × (inconvenience of changing passwords), then change ’em!
Also, it might be a good opportunity for you to start using a password manager like LastPass.
Before you change the password, though, make sure that the website patched the vuln and got a new certificate as private keys were one of those things potentially leaked. Changing the password for a site which didn’t patch and get a new cert is worse than useless.
Absolutely right. The list I posted shows which have been patched as well.
Thanks for pointing that out.
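A concrete way to do the “did they get a new certificate” check from the comment above, as an added example that is not part of the original thread. It pulls the server’s leaf certificate with Python’s standard library and compares its notBefore date with the public disclosure date of Heartbleed (7 April 2014, the day OpenSSL 1.0.1g shipped). The host name, the sample notBefore strings and the fingerprints used in the checks are constructed for illustration.

```python
import calendar
import hashlib
import socket
import ssl

# Heartbleed (CVE-2014-0160) was publicly disclosed on 7 April 2014. A leaf
# certificate whose notBefore is earlier than this was issued while the
# private key could already have been leaked from a vulnerable server.
HEARTBLEED_DISCLOSURE = calendar.timegm((2014, 4, 7, 0, 0, 0))


def reissued_after_disclosure(not_before, disclosure=HEARTBLEED_DISCLOSURE):
    """True if an OpenSSL-style notBefore string (as returned by
    getpeercert(), e.g. 'Apr  9 00:00:00 2014 GMT') is strictly later
    than the disclosure timestamp."""
    return ssl.cert_time_to_seconds(not_before) > disclosure


def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Connect with full verification and return (notBefore, SHA-256 of the
    DER certificate). The fingerprint lets you confirm the certificate
    actually changed and not only the date: a CA can reissue a certificate
    for the same key pair, which does nothing against a leaked key."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # getpeercert() only returns the parsed dict when the
            # certificate was verified, which the default context does.
            not_before = tls.getpeercert()["notBefore"]
            der = tls.getpeercert(binary_form=True)
    return not_before, hashlib.sha256(der).hexdigest()


def assess(not_before, fingerprint, known_old_fingerprint=None):
    """Turn the two signals into a verdict following the thread's rule:
    do not change a password on a site that has not rotated its cert."""
    if not reissued_after_disclosure(not_before):
        return "certificate predates disclosure: do not change your password yet"
    if known_old_fingerprint is not None and fingerprint == known_old_fingerprint:
        return "same certificate as before: not reissued"
    return "certificate reissued after disclosure: safe to change password"


if __name__ == "__main__":
    import sys
    # "example.com" is an assumed placeholder host, not one from the thread.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    nb, fp = fetch_leaf_cert(host)
    print(host, nb, fp)
    print(assess(nb, fp))
```

A notBefore after the patch date is necessary but not sufficient: the operator may have reissued the certificate for the old key. If you recorded the previous fingerprint (browsers and `openssl s_client` show it), pass it as `known_old_fingerprint`; a match means the cert was not really rotated. Note also that the date tells you nothing about whether the server software itself was patched; that still needs a separate check.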
Please help with this calculation. Pain and inconvenience are individual, but probability (for the non-famous who aren’t targeted specifically) is probably similar for many of us. Let’s take Gmail to be specific:
Poll: have you changed your Gmail password in response to this flaw?
Poll: what is your current probability estimate that your Gmail account was compromised by this flaw in a way that would cause you pain?
I changed passwords on Gmail, but what I’m wondering is why I haven’t seen a single announcement on any of the sites I log in to about the issue, including Gmail, and others that third-party sites have listed as vulnerable.
I have friends who do security at Google, and they explicitly told me “we don’t think the company was vulnerable and you don’t need to change your GMail password.” So as near as I can tell, the third-party sites and Google, Inc., disagree about whether Google is vulnerable here.
I checked my Gmail login locations after I heard about Heartbleed and saw one location that was obviously not anywhere I had been in the last month. So based on that information I assumed that Gmail was compromised and changed my password.
How often do you check your login locations?
It checks for you, by the way, and will block an attempt and notify you if it looks suspicious. This happened to me earlier this month. Interestingly, that happened 4 days after the vulnerable OpenSSL version was released, and my Gmail password is basically the only one which I do not reuse anywhere, and I don’t know how anyone could have gotten it… Still more likely to have been a keylogger or something.
Google said the same to the press.
Um. Google said: (emphasis mine)
You may have heard of “Heartbleed,” a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine.
The fact that patches were needed pretty much says that the services mentioned were vulnerable.
Context: I want to give some insight as to why I (and others) voted for “not changing password, not very worried” and as to why the company is not telling everybody to change password immediately.
I agree that the fact that patches were needed does imply that they were running the bad OpenSSL versions. The company is saying, on the record, that people do not need to change passwords. And this matches what I am hearing informally from friends who work there.
Is it good hygiene to change passwords? Yes. Given two-factor authentication and perfect forward secrecy, it might not be super critical though.
Let me ask an important question: how does Google know? A successful Heartbleed attack leaves no traces unless you’re logging all the packets you received in pretty ridiculous detail.
Bruce Schneier says: “At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies.” I consider his opinions to be credible.
Update: Bloomberg says: “The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.”
Yes. The NSA isn’t a threat I worry about, since I figure they could get my stuff via a demand to Google, if they wanted it. I am primarily worried about non-government-aided criminals. See Steve Bellovin’s analysis for why this isn’t so suitable an attack for that class of adversary.
And look what your own link says:
“There’s one password you should change nevertheless: your email password.”
Besides, Bellovin is talking about what he calls the most serious case—leakage of crypto keys. If the attackers snarfed your password, they don’t need to sniff, mitm, or redirect your traffic.
I was going to wait until I get a message from Google, since I have 2-step verification enabled. I don’t see how heartbleed could compromise it. Except of course for application-specific passwords.
I changed my password, but not solely due to the flaw—it was more a straw that broke the camel’s back as I was using a password good enough for just email but not good enough for the master key to all my online (and banking) activity.