
Will changing your password protect you from Heartbleed?

April 15, 2014 - The problem was found in the widely-used OpenSSL software

Sites including Amazon.com, Twitter and PayPal were never affected

Tech companies are facing increased pressure to do more to reassure their users about the Heartbleed bug.

Affected sites, including Google and Facebook, have fixed the problem, but their users are complaining they're still being left in the dark as to what it means for their personal data.


Meanwhile, there are still thousands of websites that have yet to fix the problem, or officially announce the fix, leaving their users in limbo.

Affected sites include a number of Google services, including Gmail and YouTube, Facebook, Tumblr, Yahoo and Dropbox.

All of these sites have been patched and security experts are advising people to change their passwords on these accounts, even if the sites themselves aren't issuing the advice.

Yahoo is the only major site that has explicitly said its users should change their password.

A number of these sites have been criticised for not contacting individual users to reassure them.

Graham Cluley from security software company Sophos told MailOnline that while it is difficult for websites to contact individual members directly - and they are not duty bound to do so - given the scale of the flaw, they could be doing more.

For example, Cluley suggests Google could post a link on its homepage for anyone who is concerned about the bug.

'This could link to helpful details and Google's official statement about its services. It would also be helpful for the whole internet community because the site is so widely used,' he said.

In response to this, Google told MailOnline: 'The security of our users' information is a top priority. We fixed this bug early and Google users do not need to change their passwords.'

It did not comment on whether it would be issuing a statement directly to users, however.

Dropbox tweeted saying it has patched all of its user-facing services and will continue to work to 'make sure your stuff is always safe', but would not comment further.

MailOnline has similarly approached the other affected sites for comment.

How Sites Are Affected: The Three Scenarios

Websites fall into one of three groups: affected and at risk, affected and fixed, and not affected.

Affected and at risk: This applies to sites that use the OpenSSL software but have not patched the flaw. Password and security experts have created tools to see which sites are at risk, including the Heartbleed Test and Heartbleed Checker.

Affected and fixed: Affected sites include a number of Google services, including Gmail and YouTube, Facebook, Tumblr, Yahoo and Dropbox.

All of these sites have been patched and security experts are advising people to change their passwords on these accounts, even if the sites themselves aren't issuing the advice directly, as is the case with Google.

Users should ask sites directly for more information if they feel they're not being well informed.

Not affected: Sites that don't use the OpenSSL software are not affected by the flaw. This includes PayPal, Microsoft accounts and Twitter.

There is also confusion between what the companies are suggesting in terms of changing passwords, and what the security experts are advising.

People have been urged to change their details in response to the internet-wide bug, but it has emerged that changing login details may not boost security at all.

Some experts are advising users to change all their passwords across every site they have an account for, while others are being a little more selective.

But it has been revealed that the efficacy of changing your password depends on the sites you have accounts for - and in some instances changing your login details may do more harm than good.

Cluley continued: 'It is confusing and I understand why people are befuddled, but a [password] reset for everything is both unnecessary, and potentially exposing.

'Changing your password on a vulnerable site makes little difference because the site is still open to attack.



( via dailymail.co.uk )

