As the media ramps up the hype on the new Heartbleed vulnerability, Steve Gibson did a great Security Now Podcast #450, explaining the real issues. Here’s my take on what he said.
- There is no indication that the bad guys have used this vulnerability in the past two years.
- According to Netcraft, “the heartbeat extension was enabled on 17.5% of SSL sites.”
- Steve: “It is only for us, connections that we make from this point until the website has secured itself, that are at risk.”
- You can use LastPass or SSL Labs to check if a particular website is still at risk. If it is still at risk – don’t use it.
- Here’s the LastPass Test – https://lastpass.com/heartbleed/
- Me – If you are a LastPass user, LastPass has a Security check which will notify you of problem sites and where you need to change passwords.
- Change Chrome Settings to “Check for server revocation.” Notice that it is off by default.