Thank you for this, very informative.
As more information about the impact of this vulnerability becomes available it is clear that we have to draw a distinction between whether servers (and the secure websites running on them) are safe now, and whether they were ever at risk over the past couple of years of being exploited to divulge confidential information.
Most of the big-name sites moved fast to patch OpenSSL with the latest version or to recompile the existing version with an option that prevents data theft. That everyone moved so fast is a recognition of the potentially disastrous consequences of leaving their servers open to intruders, and also to the exemplary way in which the news of this discovery was spread, as also to the concise explanation in the heartbleed.com release of the severity and urgency of the problem.
But because a server has been patched and the weakness removed, that does not mean that it has not been silently attacked in the months before we all became aware of the problem. Attacks against servers to exploit this weakness leave no trace, nothing in the logs to indicate that anything has happened. So if a secure website is on a previously-vulnerable server the only safe course of action is to assume that it has been attacked, and your passwords (among other things) have been stolen.
It's also not enough simply to remove the vulnerability from the server: security certificates used by websites on those servers should be revoked and new ones issued. This will take a little time to implement, but is essential since those too may have been compromised.
So the list of previously-vulnerable websites is a guide to those sites where passwords should be changed as soon as possible. The really alarming news is that on that list you will see not only Yahoo (including Flickr and Tumblr) but also Facebook, GitHub, GoDaddy, AWS (Amazon Web Services) and - surprisingly - GMail. That's a surprise because Google have said that their use of Perfect Forward Secrecy should have protected the contents of emails being snooped - but not, perhaps, kept email account passwords from being read.
McAfee's advice to us, the users, includes these important points:
- Customers should be aware that server certificates that are or were protecting data could have been leaked. Attackers with compromised server certificates can perform a man-in-the-middle attack
- Ensure that Internet browsers are set to check for revoked certificates
- Browsers on Linux platforms could be vulnerable
- Third-party code using Python/Ruby/Perl OpenSSL libs may be vulnerable
- Windows programs linked against vulnerable versions of OpenSSL may be vulnerable
- Applications using OpenSSL 1.0.1
- Internet Explorer, Firefox, Chrome: all use the Windows Crypto implementation
- Internet Information Server
- Applications using OpenSSL 1.0.1g or later
More reading (there's plenty more to choose from):
Late edit: quote from Googleperson:
Google spokeswoman Dorothy Chou specifically said: "Google users do not need to change their passwords."
Note, this leaves the position unclear for GMail users. Better safe than sorry: change your GMail password(s) now.
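The McAfee points above hinge on one distinction: applications linked against OpenSSL 1.0.1 up to 1.0.1f are exposed, while 1.0.1g or later, and the older 1.0.0 and 0.9.8 branches, are not. The following is an added example, not code from the comment author or from McAfee, showing how a defender might triage `openssl version` output collected from a fleet of hosts. The sample version lines are constructed for the example, and the function names (`parse_openssl_version`, `heartbleed_status`, `summarize`) are the example's own. It deliberately reports "vulnerable-by-version" rather than "vulnerable", because, as the comment notes, many sites fixed the bug by recompiling the same version with heartbeats disabled, and distributions backport the fix without bumping the version string.

```python
import re
from collections import Counter

# Constructed sample lines in the format printed by `openssl version`
# (not captured from any real host).
SAMPLE_VERSION_LINES = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0k 5 Feb 2013",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.1 14 Mar 2012",
]

# "OpenSSL <major>.<minor>.<patch><letter(s)>" followed by an optional
# suffix such as "-fips" or "-beta1" and the build date.
_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-[A-Za-z0-9]+)?")


def parse_openssl_version(line):
    """Return (major, minor, patch, letter, suffix) parsed from one version line."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        raise ValueError("not an OpenSSL version line: %r" % line)
    major, minor, patch, letter, suffix = m.groups()
    return int(major), int(minor), int(patch), letter, (suffix or "")


def heartbleed_status(line):
    """Classify a version line by the published affected range.

    Returns one of:
      "vulnerable-by-version" - 1.0.1 through 1.0.1f (and 1.0.2-beta1),
                                the releases that shipped the heartbeat bug;
      "fixed"                 - 1.0.1g or later;
      "not-affected"          - the 1.0.0 and 0.9.8 branches, which never
                                contained the TLS heartbeat code.

    The version string alone cannot prove a host is safe: vendors patch
    in place without changing the version, and a library rebuilt with
    -DOPENSSL_NO_HEARTBEATS (the recompile option the comment refers to)
    still reports its original version. Treat "vulnerable-by-version"
    as "verify with the package changelog or a direct test", not as a
    confirmed finding.
    """
    major, minor, patch, letter, suffix = parse_openssl_version(line)
    branch = (major, minor, patch)
    if branch == (1, 0, 2) and suffix == "-beta1":
        return "vulnerable-by-version"
    if branch != (1, 0, 1):
        return "not-affected"
    # Single-letter release suffixes sort alphabetically; an empty letter
    # is the original 1.0.1 release, which is also affected.
    if letter >= "g":
        return "fixed"
    return "vulnerable-by-version"


def summarize(lines):
    """Count hosts per status so a fleet report can be prioritised."""
    return dict(Counter(heartbleed_status(line) for line in lines))


if __name__ == "__main__":
    for line in SAMPLE_VERSION_LINES:
        print("%-30s %s" % (line, heartbleed_status(line)))
    print(summarize(SAMPLE_VERSION_LINES))
```

Hosts that come back "vulnerable-by-version" are the ones where the comment's other advice applies in full: confirm whether the package was patched in place, and if it was ever exposed, reissue the certificate and rotate the passwords behind it, because a past exploitation leaves nothing in the logs to rule it out.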