Greg Freemyer wrote:
Just changing the subject line and re-sending. The old subject implied it was openSUSE 12.1 specific.
This is likely the biggest security event in the Internet's history. 99% or more of all Internet users will have to develop their own PERSONAL remediation plan and follow it.
That is true of Google/Amazon/etc., but it also includes every user that conducts secure transactions across the Internet. Think about the banks, stores, ISPs, SAAS providers, etc. you interact with.
Most problematic will be the 70+ year old that manages their financial holdings via the Internet. They need to follow steps to ensure everything they thought was secure last week is still believed secure this week.
The 70+ year old who is aware is not the biggest problem. Even more problematic will be all the other people who are unaware.
I don't even know enough yet to implement my own remediation plan, but here's a 3-line example out of it:
1 - change bank online password immediately
2 - verify bank was either never susceptible to the heartbleed bug, or that they have remediated it.
3 - once 2) is done, change the password again since it may have been breached between steps 1 & 2.
Fortunately, my e-banking password is never transmitted over the net. Same for my on-line stock trader. Plenty of other places though. On-line postage stamps generation, domain registration, miscellaneous online shops, admin portals etc. etc.
As users of the internet, this bug means everything transferred across the internet in the last 2 years that depended solely on SSL for security should be considered potentially breached. That assumes the server end of the connection was running a vulnerable version of openSSL, but as normal users you have to assume that. That means the best practice for all users (including MS users) is to change all passwords used on the internet and watch credit info closely. Then give your internet providers (isps/SAAS providers/banks/stores/auction sites) some time to fix their end and do it all again. I don't know how to test those providers to see if they are secure or not. I'm sure guidance will be forthcoming.
Maybe: https://github.com/musalbas/heartbleed-masstest
Assuming you are running a server serving encrypted data via openSSL:
meaning e.g. apache, openvpn, sshd, postfix (and exim et al), dovecot etc. -- Per Jessen, Zürich (11.1°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
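An added example, not from this thread or from any of the posters: a small POSIX shell triage script for the server case described above. It classifies the local `openssl version` string against the upstream affected range (1.0.1 through 1.0.1f; 1.0.1g and later are fixed, and 0.9.8/1.0.0 never contained the TLS heartbeat code) and then lists daemons that still have a replaced libssl mapped, i.e. the package was upgraded but the service was never restarted. It assumes a Linux host with a readable /proc; the function names are my own.

```sh
#!/bin/sh
# Heartbleed server-side triage (added example, not part of the thread).
#  1. heartbleed_version_affected: is this upstream version string in the
#     affected range?  Distributions backport fixes without bumping the
#     version, so "affected" here means "check the vendor changelog", not proof.
#  2. stale_libssl_processes: which running processes still map a libssl
#     that has been deleted/replaced on disk?  Those run the OLD code until
#     restarted, whatever the on-disk package version says.

# Returns 0 (shell true) when $1 is 1.0.1 .. 1.0.1f (or the 1.0.2-beta1 build).
heartbleed_version_affected() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "<pid> <comm>" for every process whose memory map still references
# a libssl shared object marked "(deleted)"; needs read access to /proc.
stale_libssl_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -q 'libssl\.so.*(deleted)' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

main() {
    # "openssl version" prints e.g. "OpenSSL 1.0.1e 11 Feb 2013"; field 2 is the version.
    ver=$(openssl version 2>/dev/null | awk '{print $2}')
    if heartbleed_version_affected "$ver"; then
        echo "openssl ${ver:-unknown}: in the affected range, check vendor patch status"
    else
        echo "openssl ${ver:-unknown}: outside the upstream affected range"
    fi
    echo "processes still using a replaced libssl (restart these):"
    stale_libssl_processes
}

main
```

Run it as root after the openssl package upgrade; an empty process list plus a version outside the range (or a vendor changelog confirming the backport) is the condition for "our end is fixed".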