The Heartbleed Bug affected at least 500,000 websites, according to Netcraft. Changing your password to affected sites is recommended. Below is a partial list of websites affected, along with other tips to avoid being exposed to this security flaw.
-
Dropbox
-
Etsy
-
Facebook
-
Google
-
Indiegogo
-
Kaspersky
-
Motley Fool
-
OkCupid
-
Soundcloud
-
Steam
-
UCLA
-
US Senate
-
Yahoo
Cloudflare created a website for security professionals to test exploits of the bug and found it is possible to also extract a website’s private key.
The private key is what proves a server’s authenticity, if someone else gains access to it they can impersonate the server and intercept otherwise secure communications.
Because of this, not only are companies urged to upgrade OpenSSL but also get a new private key and revoke the old one.
As a user, make sure that your browser is checking if a key has been revoked.
In Chrome: Go to Settings and search for SSL, make sure the box “Check for server revocation” is checked.
In Firefox: Go to Tools -> Options (Firefox -> Preferences on a Mac) -> Advanced -> Encryption (or Certificates) -> click the Validation button and check the box “When an OCSP server connection fails, treat the certificate as invalid”
Servers are not the only devices affected by heartbleed, phones running Android, home routers, TV sets, thermostats are all examples of devices vulnerable but not likely to be updated.
