UPDATED 12:40 pm Pacific 11 April
- An experiment in covering an ongoing story in one Storify.
Heartbleed bug affects hardware as well as web server software
- Update 10 April: In addition to affecting web site security, the Heartbleed bug affects the hardware that undergirds the Internet: routers. Both Cisco and Juniper products are affected.
Heartbleed bug affects the internet's foundational software around the globe
- Original lede, 8 April: About two-thirds of the Internet's web servers are running software which may have exposed your passwords or other sensitive (read, encrypted) information. Which sites were/are vulnerable?
Read on for ...
* Backstory (short)
* Recommendation: change passwords
* What you should do: Yahoo/Flickr/Tumblr
* What you should do: other sites
* Other tools, tactics
* Which sites are still vulnerable?
* Web encryption 101
* Heartbleed 101
* Relocated paragraphs
* Update information
- Called Heartbleed, the bug affects OpenSSL, which is the dominant system used to encrypt passwords and other sensitive information on websites. The bug is two years old; because it leaves no footprints when used, there is no way to know if -- or how often -- it might have been exploited. It can also affect VPN, email, IM clients and stuff technologists probably haven't IDed yet.
- There is no central clearinghouse for sites that were or were not affected, that have or have not implemented corrective action. Read on, however, for news about major sites.
- Moreover, the disclosure process broke with accepted open source protocol, privileging some sites. This could explain why Yahoo was the latest major site to install initial patches: they apparently did not get an advance warning.
- My advice is to reset passwords anywhere you feel you'd be at risk if the account was compromised. Yes, it's a pain. But isn't it better than having your digital identity hacked?