Android vulnerability: what you need to know about the Heartbleed bug

The tsunami continues to roll. Today's news: millions of Android devices (phones, tablets) are vulnerable to Heartbleed.


UPDATED 12:40 pm Pacific 11 April

An experiment in covering an ongoing story in one Storify.

Latest news

Heartbleed bug affects hardware as well as web server software

Update 10 April: In addition to affecting web site security, the Heartbleed bug affects the hardware that undergirds the Internet: routers. Both Cisco and Juniper products are affected.

Heartbleed bug affects the internet's foundational software around the globe

Original lede, 8 April: About two-thirds of the Internet's web servers are running software which may have exposed your passwords or other sensitive (read, encrypted) information. Which sites were/are vulnerable?

Read on for ...

* Backstory (short)
* Recommendation: change passwords
* What you should do: Yahoo/Flickr/Tumblr
* What you should do: other sites
* Other tools, tactics
* Which sites are still vulnerable?
* Web encryption 101
* Heartbleed 101
* Relocated paragraphs
* Update information

Backstory

Called Heartbleed, the bug affects OpenSSL, which is the dominant system used to encrypt passwords and other sensitive information on websites. The bug is two years old; because it leaves no footprints when used, there is no way to know if -- or how often -- it might have been exploited. It can also affect VPN, email, IM clients and stuff technologists probably haven't IDed yet.

There is no central clearinghouse for sites that were or were not affected, that have or have not implemented corrective action. Read on, however, for news about major sites.

Moreover, the disclosure process broke with accepted open source protocol, privileging some sites. This could explain why Yahoo was the latest major site to install initial patches: they apparently did not get an advance warning.

Changing passwords

My advice is to reset passwords anywhere you feel you'd be at risk if the account were compromised. Yes, it's a pain. But isn't it better than having your digital identity hacked?