Important Security Advice [UPDATED 2]

The Crewroom for non-FS related stuff, fun and general chat.


TSR2
The Ministry
Posts: 16762
Joined: 17 Jun 2004, 14:32
Location: North Tyneside, UK

Important Security Advice [UPDATED 2]

Post by TSR2 »

As you may have heard in the media, a serious security flaw has been discovered in something called OpenSSL. SSL is typically the little padlock icon you may see when browsing some websites, indicating that the information sent between your browser and the server at the other end is secure. OpenSSL is an "Open Source" implementation of SSL and is widely used on all sorts of devices, from smart TVs and NAS boxes to advanced networking equipment and many servers on the internet. The security flaw means that information that is exchanged using OpenSSL may not be secure and can be easily intercepted.

There have been many reports in the media today urging people to change their passwords for things like email, banking or for websites that retain your credit card information.

While changing your password is not a bad idea, it will lure people into a false sense of security, in that they will believe they are now secure. This is NOT the case. There is little point in changing your password, UNLESS THE SYSTEM YOU ARE CHANGING IT ON HAS BEEN FIXED. As the vulnerability has only recently been made public, there is no way all of the sites that are exposed to the vulnerability will have been updated to fix the issue. I would suggest that you minimise the number of websites or internet services that contain your personal information or card details, and then check these websites to see if they have the vulnerability using the tool below (or similar). If they have the vulnerability, contact the people responsible and ask them when they expect to have it fixed. After it has been fixed, then change your password. Alternatively, you could delete your information from such sites.

At the bottom of this article is a list of some services and whether or not they are vulnerable at present.

http://www.bbc.co.uk/news/technology-26971363

[EDIT] Sorry guys, just re-read what I had said, and just to be clear, if the website you are using is not showing as being vulnerable, you SHOULD change your password as this has either never had the vulnerability, or HAS had it fixed. As there is no way to tell which of the former is the case, better play safe and change your password.

https://www.ssllabs.com/ssltest/

Please note: This is only an issue where the site uses SSL.
Ben.:tunes:


gordon-in-aberdeen
Vulcan
Posts: 409
Joined: 13 May 2008, 12:57
Location: Stones' throw from old Montrose Air Station (well, 4 miles anyway:-)

Re: Important Security Advice

Post by gordon-in-aberdeen »

Cheers for that Ben, :thumbsup:

Just one thing, did you mean to leave a link to something to help test it on sites you mentioned?
"and then check these websites to see if they have the vulnerability using the tool below (or similar)"

Just wondered, no link visible here if there was supposed to be one *-)

:thumbsup: again ben, I'll go back under my rock now :hide:
TTFN, Gordon
"To err is human, but to ARR is most definitely Pirate... "

TSR2
The Ministry
Posts: 16762
Joined: 17 Jun 2004, 14:32
Location: North Tyneside, UK

Re: Important Security Advice

Post by TSR2 »

Hi Gordon,

Completely forgot to post the link. I'll amend the first post in a minute. Meanwhile, here is the BBC article...
http://m.bbc.co.uk/news/technology-26954540
Ben.:tunes:


airboatr
Red Arrows
Posts: 6839
Joined: 25 Oct 2007, 07:17

Re: Important Security Advice

Post by airboatr »

Thanks Ben,

Airspeed
The Reds & Concorde
Posts: 10372
Joined: 14 Sep 2011, 03:46
Location: Central Victorian Highlands, Dja Dja Wurrung Country, Australia

Re: Important Security Advice [UPDATED]

Post by Airspeed »

Thanks Ben,
Ran this on my bank, passed OK, but it could not rate my SP/mail.

EDIT 10:46 pm local time... this was on the 7pm news tonight, saying just what Ben did - no use changing your password. The providers have to fix it.
But Ben was first ;)
Cheers, Mike.
Perspective determines interpretation.

http://airspeedsflyingvisit.threadwings ... index.html

TSR2
The Ministry
Posts: 16762
Joined: 17 Jun 2004, 14:32
Location: North Tyneside, UK

Re: Important Security Advice [UPDATED]

Post by TSR2 »

A quick heads up guys, it seems that Gmail and Facebook are exposed to this vulnerability. If you use the same password for Gmail and/or Facebook as you do for other sensitive services, you should change your password for the other services now and assume that your Gmail and/or Facebook login is compromised.
Ben.:tunes:


Vancouver
Concorde
Posts: 1476
Joined: 05 Apr 2008, 00:27
Location: CYXX

Re: Important Security Advice [UPDATED]

Post by Vancouver »

I have so many different passwords and PIN numbers these days I have to maintain a little book with them all in it just to stop my brain seizing up. Should I stay awake at night just in case some intruder steals my book? 'Twas so much easier before computers. I was under the impression they were supposed to make life simpler, that is what Raymond Baxter told us on "Tomorrow's World" at any rate.
*-) :wall: :worried:
Alex

TSR2
The Ministry
Posts: 16762
Joined: 17 Jun 2004, 14:32
Location: North Tyneside, UK

Re: Important Security Advice [UPDATED]

Post by TSR2 »

Definitely Alex. As a rule of thumb try not to put anything on t'internet that you wouldn't want the world to see. Your little black book is the best place to have it, and it's not traceable :thumbsup:
Ben.:tunes:


J0hn
Concorde
Posts: 1175
Joined: 20 Jul 2008, 18:22

Re: Important Security Advice [UPDATED 2]

Post by J0hn »

I keep one, too. I also never use the same password twice. Ever.

Recently I started using a system whereby I will always know or can work out what my password is for any given site, but it's always considered 'very secure' in its content.

There's a quick list on The Beeb now, showing some major sites and what the score is:

http://www.bbc.co.uk/news/technology-26971363

Look down the page to the table.

Problem is, Google has been patched, but try finding how to change your password! It's like a maze in there, and like me, most people never wanted to have a Google profile in the first place, but had one forced upon them with their YouTube account last year. At least we in the UK don't have to use our real names, like some do.

I've got nought worth stealing anyway! :cheers:

TobyV
Vintage Pair
Posts: 2866
Joined: 26 Jun 2004, 20:41
Location: Halfway up a hill

Re: Important Security Advice [UPDATED 2]

Post by TobyV »

Thanks for the good advice. I noticed this thread seemed to be some way down the page though. Any chance a mod could pin it at the top? Seems very relevant at the moment (and probably for the next days and weeks before all servers around the world have been patched).
