Heartbleed Bug

Breaking News: Heartbleed Affects Your Secure Personal Information

A major bug affects the SSL security protocol and makes sites which haven't updated vulnerable to data mining hacks. In general, just wait. Most of us aren't affected, but if you are: change the passwords to websites that are unaffected so that the compromised information can't be used to get into your secure stuff.

I saw this this morning; a little worrying and I will now be changing all my passwords.

I read this as well. Start with any Google passwords as they have already corrected the problem. The next step should be to change your other passwords now and then change them again a week from now once the fix has propagated to the rest of the secure sites you use.

Or just be a caveman and do all your secure transactions face to face for a while.

Can someone explain this whole thing to me? Ive just had my social media manager freaking out because we're being told on the one hand to change all passwords immediately, and on the other not to until we know that particular platform has been patched...?

I'm not particularity tech savy, I am am a little concerned as my business operates across several of the problematic platforms....


Thoughts?

At the risk of showing how little I know...

The concept of secure internet connections (secure sockets layer - SSL) allowed ecommerce and banking to take off back in the 90's - its the little 's' sometimes seen after http in the address bar; https

So now apparently some software which is/was very popular for websites to use for this service, called OpenSSL, managed to get a vulnerability into it which allowed anyone who knew of it, to intercept passwords etc.

The whole point of SSL is that it is encrypted and secure, so if that is compromised then its a problem! I guess the breadth of the problem depends on the scope of OpenSSL's use throughout the internet.

"It also allowed for a server's private encryption keys to be stolen. Once stolen, these keys can be used by criminals to decrypt data sent between a website's server and a user of that website."

An article here; http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html

totjo website doesn't use ssl. We have no sensitive information here, and our openssl package is unaffected. I'm not sure many people will be interested in hacking your gmail account in order to initiate a totjo password reset.