Forum Discussion
24 Replies
- 1492 (Moderator):
Most banks and financial institutions don't use OpenSSL, so they are not affected by Heartbleed. However, online retailers who do use OpenSSL, say for instance for their shopping cart, could be vulnerable to exposing customer credit card and other personal info in memory.
The other issue is that many, unfortunately, use the same password for all web accounts for convenience. A hacker could conceivably extract an affected email provider's login/password to check an account for banking-related communications, then attempt to gain access to those financial sites using the same password. Which is a reason to have unique passwords for each website.
A forum account breach may not be harmful, more of an inconvenience if not an embarrassment to the account holder, as a hacker could use the opportunity to post spam. Access to a moderator account could initially be more damaging, but should be restorable once discovered.
The Open Roads Forums apparently use Microsoft IIS servers, which utilize their own encryption component, Secure Channel, so they are not impacted by Heartbleed.
- Reddog1 (Explorer II):
bwanshoom, thanks for the explanation. I have asked these questions on other forums, and they have been ignored. I guess most people really do not know the answers.
Thanks again.
Wayne
- bwanshoom (Explorer):
Reddog1 wrote:
For end users Heartbleed's biggest impact would be on sites where you have financial or other personally identifiable information (like SSN, etc.) Because an affected server can be made to give up information it's possible someone could "harvest" a lot of account information. The sites you should be concerned with are those that have your credit card information stored or access to your financial accounts (banks, brokerages, etc.)
If someone has my password to a Forum I visit, so what? If I have no personal info other than an email address on that site, what security should I be concerned about?
If it is the email address, then perhaps I should have an email address unique to those sites I do business with.
What am I missing?
Wayne
Also, you should change your password for any email sites that could be used for account verification of other sites. For example, many sites require that you click a specific link in an email they send you to reset your password so those email accounts should be updated.
For forums it doesn't matter unless that forum also has shopping that might have your credit card information stored.
I know most banks said "We're not impacted", but there's no harm in changing your password anyway.
- Reddog1 (Explorer II):
Reddog1 wrote:
If someone has my password to a Forum I visit, so what? If I have no personal info other than an email address on that site, what security should I be concerned about?
If it is the email address, then perhaps I should have an email address unique to those sites I do business with?
What am I missing?
Wayne
The Heartbleed information is very informative, but I am trying to put it in perspective. Can anyone answer the questions in my previous post?
Wayne
- bwanshoom (Explorer):
magicbus wrote:
I develop financial software and we transfer many billions of $$$ per day through our various products. This was an interesting exercise for our teams as we all had to confirm our susceptibility to this bug. Of our 9 products none were affected. Our older products use a pre-bug version and there was never any reason to upgrade. Our newer products use post-bug releases. I suspect many banking products are like ours... older than 2 years and never updated.
Dave
If you didn't update OpenSSL in more than 2 years, you were missing many vulnerability fixes. Security software updates are generally pretty important.
- magicbus (Explorer II):
I develop financial software and we transfer many billions of $$$ per day through our various products. This was an interesting exercise for our teams as we all had to confirm our susceptibility to this bug. Of our 9 products none were affected. Our older products use a pre-bug version and there was never any reason to upgrade. Our newer products use post-bug releases. I suspect many banking products are like ours... older than 2 years and never updated.
Dave
- Reddog1 (Explorer II):
If someone has my password to a Forum I visit, so what? If I have no personal info other than an email address on that site, what security should I be concerned about?
If it is the email address, then perhaps I should have an email address unique to those sites I do business with.
What am I missing?
Wayne
- 5er4ever (Explorer):
1492 wrote:
Most of the major sites affected have patched their servers, even before the vulnerability was released to the media.
Bug was active for 2 years.
Bug was part of the security world for 1 year.
Media (Google) announced it was safe and their partners were also but Yahoo was not. They took advantage of a very quick media jab at a competitor.
My concern is that when you use that tool to validate whether a site is secure or not, they then have a list of servers that are NOT. Who are they selling that list to?
Nothing better than allowing the general public to find, report and create a list of targets for 'less than noble causes'.
my .2
I will wait and check servers to ensure they are patched before I populate their servers' memory with my new passwords.
- 1492 (Moderator):
Most of the major sites affected have patched their servers, even before the vulnerability was released to the media. The Mashable.com list updates their status. You should change passwords for those now.
For other websites, the server status link above was designed to check if an affected site has been patched, which is the reason it was provided. Note that a "broken pipe" alert can be caused by a Microsoft IIS web server, which uses its own SSL implementation and is not affected by Heartbleed.
- powderman426 (Explorer):
darsben wrote:
It is no good to change your password UNTIL the site patches the vulnerability. MY internet accounts that used OpenSSL have all sent me emails when done. As someone else stated, it does NO GOOD to change before the patch.
FWIW Yahoo has patched.
Remember, not all sites used OpenSSL. Call your financial institution and ask them if they did and if they patched. If they cannot answer the question at this date, I would question how securely your account information at that institution is being handled.
My IT guy says the same thing. It's actually more dangerous to change before they update. Just try not to log into sites not fixed yet.