I finally read up on the Heartbleed vulnerability last night & looked over the list of known high-profile sites that were vulnerable.
Now would be an excellent time to change all your passwords. For sites that are protected with 2-factor authentication, your risk is lower, but it’s still not a bad idea. Make use of 2-factor auth everywhere you can.
If you’re changing your password now, you will need to do it again once there’s a notice that the website you’re logging into has applied the patch.
Today’s xkcd is a simple description of how it works. It’s kind of like a reverse buffer overrun, where the attacker tricks it into returning more data than what was requested.
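The "reverse buffer overrun" described above, as an added example that is not from the original post or from OpenSSL: a simplified RFC 6520 heartbeat handler in C with and without the length check, showing how a claimed payload length larger than the record actually received makes the unchecked version copy neighbouring memory into the reply, while the check discards the record. The function names, the memory arena and the sample request are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520): type(1) | payload_length(2) | payload | padding(16).
 * Names, layout and the arena below are assumptions for this illustration, not OpenSSL's code. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Writes a heartbeat response to out; returns bytes written, or -1 if the record is discarded.
 * With check_bounds == 0 it trusts the peer's claimed payload length: the Heartbleed defect. */
static long heartbeat_response(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap, int check_bounds)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];      /* peer-controlled claimed length */
    /* The fix: claimed payload plus header and padding must fit in the record actually received. */
    if (check_bounds && 1 + 2 + payload + HB_PADDING > rec_len) return -1;   /* silently discard */
    if (3 + payload + HB_PADDING > out_cap) return -1;     /* keep the demo inside its own buffer */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* unchecked, this copies memory beyond the real request */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (long)(3 + payload + HB_PADDING);
}

/* Constructed 64-byte arena standing in for process memory: a 23-byte request with the 4-byte payload
 * "ping", then unrelated data the peer must never see. The length field claims 0x0020 = 32 bytes. */
static const uint8_t arena[64] = {
    HB_REQUEST, 0x00, 0x20, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,      /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T'                          /* neighbouring memory; rest is zero */
};
#define REAL_RECORD_LEN 23

/* Bytes produced for the oversized claim: -1 with the check (1 + 2 + 32 + 16 = 51 > 23), 51 without. */
long demo_bytes(int check_bounds)
{
    uint8_t out[64];
    return heartbeat_response(arena, REAL_RECORD_LEN, out, sizeof out, check_bounds);
}

/* 1 if the reply carries the neighbouring "SECRET" bytes at offset 23, i.e. the leak occurred. */
int demo_leaked(int check_bounds)
{
    uint8_t out[64] = {0};
    long n = heartbeat_response(arena, REAL_RECORD_LEN, out, sizeof out, check_bounds);
    return n >= 29 && memcmp(out + 23, "SECRET", 6) == 0;
}
```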
Some of them look to see if the certificate issue dates are post advisory. Unfortunately some reissues don’t change the dates, just the serial numbers. That means some checks will claim the site hasn’t installed a fresh certificate.
There are also settings for a number of packages that make some of the tests fail while the site is still vulnerable. Then there are the firewall settings or IDS rules that will interfere with unencrypted tests, but not with encrypted tests (which few people do).
Oh, and for goodness sake don’t poke Juniper firewalls on their management interface to find out if they’re patched.
Don’t forget Cisco and Juniper came out and said some of their hardware is vulnerable as well. So not only are the web and server admins going to be busy but so are the network guys.
And lots of embedded devices, clients that use OpenSSL libraries, phones, managed switches… oh, and let’s not overlook your Blu-Ray player, Smart TV, possibly your game console.