Heartbleed: Serious OpenSSL zero day vulnerability revealed

Heartbleed Bug: What Can You Do? — Krebs on Security

 

Perhaps this has been answered. I missed it if it has.
Can someone advise me why it is recommended to change your password on a site that is still affected by Heartbleed?
It seems to me that the new credentials can be harvested in the same manner that the old ones were.

 

You change your password AFTER you find that it has been fixed.

 

Yes, of course, that makes most sense. I asked because I thought I read somewhere to change them everywhere, regardless of status of the site.
I tried looking for where I may have read that advice and gave up, figuring that I probably misread it.
TY for your response, SirDrexl.

 

The Heartbleed Hit List: The Passwords You Need to Change Right Now http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

 

Good advice . I didn't start to change my passwords yet, but will surely use this trick when I get to it.

hqsec

 

Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?

https://www.eff.org/deeplinks/2014/...gence-agencies-using-heartbleed-november-2013

 

iammike Said

Makes sense now !

emmjay Said

Well that's going to be fun, NOT. Which is likely to mean, many will NOT get patched, EVER !

 

By Graham Cluley:

In the wake of Heartbleed, watch out for phishing attacks, disguised as password reset emails | HOTforSecurity

 

I've changed my Facebook password - have you ?

https://www.facebook.com/settings?tab=account&section=password&view

 

'Heartbleed' computer bug threat spreads to firewalls and beyond | Reuters

 

Mozilla Security - Heartbleed Security Advisory

...continue reading.

Concerning Sync ..."Neither the account server nor a potential attacker could have learned the password or the encryption key that protects Sync data."

 

The guy responsible for the Heartbleed bug "confessed"

-www.pcpro.co.uk/news/388162/heartbleed-coder-bug-in-openssl-was-an-honest-mistake-

 

Sure and everyone, who reviewed it missed it as well, why bother validating a variable, it is only SSL, just submit it?! Snowden anyone, ehm.

 

Researchers find thousands of potential targets for Heartbleed OpenSSL bug
at: http://arstechnica.com/security/201...potential-targets-for-heartbleed-openssl-bug/

-- Tom

 

This thread has so many links that it will take days before I have read them all

 

I have not received a single request/instruction to change a password... valid or otherwise.
Has anyone else?

 

Another thing I've been doing is, when I find that a site wasn't affected (like PayPal), I'll change something in the entry (like in the notes section) so KeePass registers it as changed. If you can't find anything you want to change, just delete a character, click OK and then type it in again; that will be enough for KeePass to give it a new modification time.

 

Very smart.

 

AirVPN has a major systems upgrade planned for Sunday:

 

Nice comic explanation of this bug:
http://www.f-secure.com/weblog/archives/00002696.html

hqsec