The company is saying, on the record, that people do not need to change passwords.
Let me ask an important question: how does Google know? A successful Heartbleed attack leaves no traces unless you’re logging all the packets you received in pretty ridiculous detail.
Bruce Schneier says: “At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies.” I consider his opinions to be credible.
Update: Bloomberg says: “The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.”
Yes. The NSA isn’t a threat I worry about, since I figure they could get my stuff via a demand to Google, if they wanted it. I am primarily worried about non-government-aided criminals. See Steve Bellovin’s analysis for why this isn’t so suitable an attack for that class of adversary.
“There’s one password you should change nevertheless: your email password.”
Besides, Bellovin is talking about what he calls the most serious case—leakage of crypto keys. If the attackers snarfed your password, they don’t need to sniff, mitm, or redirect your traffic.
Let me ask an important question: how does Google know? A successful Heartbleed attack leaves no traces unless you’re logging all the packets you received in pretty ridiculous detail.
Bruce Schneier says: “At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies.” I consider his opinions to be credible.
Update: Bloomberg says: “The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.”
Yes. The NSA isn’t a threat I worry about, since I figure they could get my stuff via a demand to Google, if they wanted it. I am primarily worried about non-government-aided criminals. See Steve Bellovin’s analysis for why this isn’t so suitable an attack for that class of adversary.
And look what your own link says:
“There’s one password you should change nevertheless: your email password.”
Besides, Bellovin is talking about what he calls the most serious case—leakage of crypto keys. If the attackers snarfed your password, they don’t need to sniff, mitm, or redirect your traffic.