"Heartbleed" SSL vulnerability

[Prob Lem]

Just a quick heads-up in case this news has passed anyone by: There's been a vulnerability discovered in OpenSSL that makes it possible for eviltons and ne'er-do-wells to eavesdrop on connections that should be secure. There's a decent-enough summary of it on the BBC News website, here.

Depending on the services you use, you may want to hold off on changing all passwords immediately, though - if you do so with services which have not yet both patched their OpenSSL installations *and* re-generated their security certificates, it's a pointless exercise, as there may be a potential risk of this information being exposed if attackers hit that service, and you'll just need to do it all over again when they do patch and update their certificates.

There is a tool for checking whether servers are or were affected, and have or have not yet been fixed, and password-management services such as LastPass are providing updates on which passwords users do and don't need to deal with right now, from within their tools.

[mobius]

thanks for your continual effort of pointing these things out 

I heard about this. It might explain my plague of viruses last year... 

[Prob Lem]

Heh, no problem. I think it's important to post a heads-up, even when it's fairly likely everyone else already knows, just in case someone doesn't!

As far as viruses go, I'd say that that's unlikely to be related to this - this one is (generally, unless you're for some reason running an SSL service on your home box) on the server-side, so eviltons are much more likely to be targetting companies holding information that's of (or potentially of) financial value to them.