So there has been much confusion and so many threads regarding this Heartbleed exploit. I want to clear the air once and for all. I'll explain exactly what this is in plain English, and I'll explain why it's not as worrying as people are painting it out to be.

First, some background:

What is OpenSSL?
OpenSSL is a free piece of software that many websites and programs use to provide encryption of data. It's most commonly seen when you type "https" instead of "http" in front of your web browser, but its use is not limited to that.

What is Heartbleed?
Heartbleed is a mistake in the program which allows an attacker to read a small amount of the memory of the server (usually) or client that they are connecting to. It's that simple. It does not guarantee that "all of the passwords will be stolen" or "they'll be able to access everything on the website".

Who is vulnerable to Heartbleed?
Any program or website that uses version 1.0.1 and some versions of 1.0.2 of OpenSSL. No other versions are vulnerable. Windows is not vulnerable, and neither is anyone who is using older versions of OpenSSL. In total, Netcraft estimates that only 17.5%, or less than 1 in 5 servers, are actually vulnerable.

What can Heartbleed actually do?
Heartbleed can only access a random portion of 64kb of the server's memory. There is no way to aim Heartbleed at a section of memory, meaning the hackers are equally likely to get my recipe for mushroom soup as they are to get anything of value. Every time a hacker attacks a website that is vulnerable, they only have a "chance" of obtaining something valuable. While passwords may be contained in the 64k of memory that Heartbleed is able to read, most websites store passwords in a format that is not easily readable (known as a hash), and it is simply not feasible to obtain any password information from Heartbleed.

The worst case scenario is that they could obtain the website's SSL certificates, meaning that they can pretend to be the website to another user. Basically, you think you're going to Amazon.com, but you're actually not going there.

What can I do to protect myself from Heartbleed?
Not much, unfortunately. The main responsibility is on the website to get themselves updated. You won't be able to tell if they do. Changing your password will NOT help if the website hasn't updated itself. You can head over to the Qualys SSL Labs SSL Server Test and enter the domain name, and it'll tell you whether the website is currently still vulnerable or not.

End of story. No need to pull your hair out, or scramble to change passwords on all your websites. Just follow good, standard password practices and you'll be fine. Hope this helps to ease the fears/concerns of some people.

-blaq
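The "mistake in the program" the post describes is a missing length check in the heartbeat handler. The toy below is an added illustration, not OpenSSL's code or anything from this thread: it simulates a heartbeat record followed by unrelated bytes in a constructed buffer, shows a handler that trusts the length field in the record header (pre-fix behaviour) next to one that first checks that length against the size of the record actually received (the shape of the upstream fix). All names and the sample data are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simulated record buffer: the heartbeat request sits at the front and
 * unrelated data that happened to follow it in memory (a constructed
 * stand-in for whatever the process had there) comes right after. */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];

/* Lay out [type][len_hi][len_lo][payload] followed by leftover bytes.
 * Returns the real length of the heartbeat record as received. */
static size_t build_arena(uint16_t claimed_len, const char *payload,
                          const char *leftover) {
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat request type */
    arena[1] = (unsigned char)(claimed_len >> 8);   /* peer-supplied length */
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, plen);
    memcpy(arena + 3 + plen, leftover, strlen(leftover));
    return 3 + plen;
}

/* Length the peer claimed, taken from the record header. */
static uint16_t claimed_length(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Pre-fix behaviour: trusts the claimed length and echoes that many bytes
 * of "payload", even when the record is shorter. Bytes past the record end
 * are whatever followed it in memory. Returns the number of bytes echoed. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap) {
    uint16_t n = claimed_length(rec);
    (void)rec_len;               /* the real record length is never consulted */
    if (n > out_cap) return -2;  /* guard so the simulation itself stays in bounds */
    memcpy(out, rec + 3, n);
    return n;
}

/* Post-fix behaviour: the claimed length must fit inside the record that
 * was actually received, otherwise the request is silently discarded. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    uint16_t n = claimed_length(rec);
    if ((size_t)3 + n > rec_len) return -1;  /* reject: claims more than it sent */
    if (n > out_cap) return -2;
    memcpy(out, rec + 3, n);
    return n;
}
```

Patching to a fixed OpenSSL is what adds the second handler's check; the SSL Labs test the post mentions is a way to confirm a given server has done so.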
That's the irony. On the week when Microsoft stopped support for Windows XP, everyone was predicting the total collapse of Windows, but it was just about everything but Windows that was vulnerable.
Lol XD Wait, just Windows XP or all versions (I use Windoge 8 (really Windows 8)), and what makes them 100% safe?
All versions of Windows are safe. In fact, anything that doesn't use OpenSSL is safe. Even those that use OpenSSL aren't necessarily vulnerable if they aren't using a particular version. That's why less than 1 in 5 servers are affected worldwide.
I didn't really care, I just YOLO it up, and hope for the best. xD, but seriously, this was never going to be of any harm anyway.
I ignore things like this, honestly. ;p Unless I read up on it and find out that it is VERY dangerous, I sit back and YOLO it.