IF they're being truthful about getting no response from Apple about it, that is disgusting. The amount they charge for their hardware, you'd think they'd want to let their customers know what's going on. You can tell a lot by a company's response to something serious.
Apple never respond to questions about security anyway, so them being tight-lipped is nothing unusual.
Their customers do not mind; maybe they even like being treated a bit roughly.
I bet a few of the Apple customers like a bit of S&M action, as they certainly have to pay for the privilege of being ignored and treated like dirt while handing over the crisp 50s.
I'm a very anxious person. Would it affect my iPad, as I do everything on my iPad, and I don't expect to go on Gmail tomorrow and find all my holiday info deleted...
The problem is all server-side, so there's nothing you can do about it as such, and until the server-side problems are sorted you can never be sure. But realistically the chance of getting your data slurped is low, and I'd imagine Google's already patched or will be very soon, as they use a lot of their own code rather than open source.
No, it does not do anything malicious with a client computer. It "just" extracts information from the servers, which is a bit random, so it would be a big coincidence if somebody already got your user name and password. It would be up to hackers what they would do with it. Google is patched already, so it should be safe, now. Thinking of Gmail, I have it set on polling on several clients, so it might be best to change the password :kitty:
Google's already patched, yeah. Their statement was a bit weird, actually.
They still use relatively old certificates, 12.3.2014, but maybe they found out a lot sooner before they announced the problem. Maybe they did a bit of "research" themselves, too. They act as a certification authority for their own sites, so it should cost them nothing to update them.
With Gmail, I have a 6 digit code that is sent to my phone.
That is broadly in line with what they said. It was a Google security researcher that found it.
I don't believe they would have sat on it for long. But they may have sorted their own shit, then passed it on. Seems like a month might be about right.
Thanks for your help :-)
Then, as for Gmail, you should be safe regardless of this whole affair; the probability that somebody could guess that code is close to zero, provided Google blocks an account after several invalid codes.
I think that has always been the advice: wait for the patch, then change passwords. I think it would be a good time to switch to two-step login if available. BTW, I like that this article emphasises that patching the code isn't enough; new certificates are necessary as the old ones could have been compromised. You do not see much about that elsewhere.
"Risk to users exist until organisations have updated OpenSSL, acquired a new certificate, generated and deployed new SSL keys, and revoked old keys and certs," says Trey Ford, global security strategist at Rapid7. "Until this is done, attacks may still be able to steal cookies, sessions, passwords, and the key material required to masquerade as the website"
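The quoted checklist (patched OpenSSL, new key, new certificate, old certificate revoked) is the one thing in this thread a user can actually act on, so here it is as an added worked example. It is not code from the article, from Rapid7 or from any site named in the thread; the version-string rules are the published Heartbleed facts (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 affected, 1.0.1g and 1.0.2-beta2 fixed, 0.9.8 and 1.0.0 never had the heartbeat code), and the sample sites, field names and fingerprints are constructed for illustration, not real scan results. The `patched_on` field is the caveat a practitioner needs: distributions such as Debian backported the fix without bumping the version letter, so a banner reading 1.0.1e alone proves nothing either way.

```python
import re
from datetime import date

DISCLOSURE = date(2014, 4, 7)  # public disclosure and the 1.0.1g release

VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def openssl_heartbleed_status(version_string: str) -> str:
    """Classify an `openssl version` banner as 'vulnerable', 'fixed',
    'unaffected' or 'unknown' on the version number alone.
    Caveat: distro backports keep the old letter, so 'vulnerable' here
    means 'unless the package was patched in place'."""
    m = VERSION_RE.match(version_string.strip())
    if not m:
        return "unknown"
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, fix) < (1, 0, 1):
        return "unaffected"          # 0.9.8 and 1.0.0 have no heartbeat code
    if (major, minor, fix) == (1, 0, 1):
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        return "vulnerable" if beta == "beta1" else "fixed"
    return "fixed"


def password_change_advice(site: dict):
    """Apply the patch / new key / new cert / revoke checklist to one site.
    `site` is a constructed dict (hypothetical field names):
      openssl_version, patched_on (date or None), cert_not_before,
      key_fingerprint_before, key_fingerprint_after, old_cert_revoked.
    Returns (action, reasons) with action in
    'nothing_to_do', 'wait', 'change_now'."""
    status = openssl_heartbleed_status(site["openssl_version"])
    if status == "unaffected":
        return "nothing_to_do", ["OpenSSL branch never had TLS heartbeats"]
    if status == "vulnerable" and site.get("patched_on") is None:
        # Changing the password now just hands the attacker the new one.
        return "wait", ["server still vulnerable; a new password leaks like the old one"]
    reasons = []
    if site["key_fingerprint_before"] == site["key_fingerprint_after"]:
        reasons.append("same key pair as before the patch; a leaked key still works")
    if site["cert_not_before"] < (site.get("patched_on") or DISCLOSURE):
        reasons.append("certificate predates the patch; it may carry a leaked key")
    if not site["old_cert_revoked"]:
        reasons.append("old certificate not revoked; its key can still impersonate the site")
    if reasons:
        return "wait", reasons
    return "change_now", ["patched, new key, new certificate, old certificate revoked"]


# Constructed examples, not measurements of any real site.
SITE_UNPATCHED = {
    "openssl_version": "OpenSSL 1.0.1e 11 Feb 2013", "patched_on": None,
    "cert_not_before": date(2013, 11, 1),
    "key_fingerprint_before": "aa11", "key_fingerprint_after": "aa11",
    "old_cert_revoked": False,
}
SITE_REKEYED = {  # distro backport: banner unchanged, but patched and re-keyed
    "openssl_version": "OpenSSL 1.0.1e 11 Feb 2013", "patched_on": date(2014, 4, 8),
    "cert_not_before": date(2014, 4, 9),
    "key_fingerprint_before": "aa11", "key_fingerprint_after": "bb22",
    "old_cert_revoked": True,
}
SITE_SAME_KEY = {  # new certificate issued, but for the old key pair
    "openssl_version": "OpenSSL 1.0.1g 7 Apr 2014", "patched_on": date(2014, 4, 8),
    "cert_not_before": date(2014, 4, 10),
    "key_fingerprint_before": "aa11", "key_fingerprint_after": "aa11",
    "old_cert_revoked": True,
}

if __name__ == "__main__":
    for name, site in [("unpatched", SITE_UNPATCHED), ("rekeyed", SITE_REKEYED),
                       ("same key", SITE_SAME_KEY)]:
        print(name, password_change_advice(site))
```

The `SITE_SAME_KEY` case is the one the thread keeps circling: a fresh certificate date on its own says nothing, because a CA will happily sign a new certificate over the same public key, and it is the key, not the certificate, that Heartbleed could have leaked.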
OS X is based on Linux and I am sure they like to keep their infrastructure up to date. They don't use IIS from MS, it's not good for image if nothing else. I think it's very likely Apple had the vulnerability. Paradoxically it's those lazy to update their systems that are safe now.
Nope.
Apple today released a statement to Re/code confirming that iOS, OS X and "key web services" were unaffected by the widely publicized security flaw known as Heartbleed which was disclosed earlier this week.
It's a vulnerability that has been identified. There are, as yet, no reports of anyone falling victim to it, as far as I can tell.
Lastpass security told me to change two of my passwords (Pocket and Yahoo) and to 'wait' on six others, presumably awaiting the issue of new certificates. All other sites (I use) were deemed OK.
Well I've changed four passwords - Google, Yahoo, Instagram and Facebook.
Hope I wasn't premature?
Blasted nuisance having to fiddle around with mobile phone settings. :mad:
I find Google's actions odd.
It has said it updated its systems, and it clearly did it promptly as it was negative on all scanners when the shit hit the fan... Yet it has not yet bothered to change any certificates? Unless you're right and it patched itself a month ago when it changed its certificates?
And despite needing to update its systems, it has told Reuters that people don't need to change their passwords. Why say that if it has applied the patch? Just an *assumption* that patching before going public means there is zero risk?
I'm going to go with the Mashable list, I think, as a starter.
MS, Apple, Amazon, PayPal etc. can be left for now while I concentrate on Google, Yahoo, Facebook, Twitter etc.
If a site has been patched, I will change my password, even if like Google or Twitter they claim that there's no need to change passwords or they were unaffected by the vulnerability.
Many Yahoo passwords were apparently stolen on Tuesday...
It was the most major site that was not already patched when the vulnerability was made public.
Use of the vulnerability exploded when it went public, with quick and easy automated scripts being posted online allowing anyone to try it out on any site they wanted.
The whole thing is being blown well out of proportion, and the mainstream should feel ashamed for the scaremongering it has done.
Yes it's a bad bug, and yes there is PoC code of people getting passwords, but the actual chances of the private key being in the memory location copied, or of YOUR password and username being there, are fairly slim. It reads like it sends the whole memory back, but it doesn't, and even if it did it would only be for OpenSSL, so you would have to be logging in as they sent the heartbeat.
Also, if they got the private key they would still need to capture the whole session of packets you sent/received to the server to decrypt your information, because SSL uses a session key. So the private key can only be used to decrypt the session keys.
A lot of things have to line up for you to be affected by this. Bad, but not the end of the world people are making out.
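Two posts above describe the mechanism in words: the earlier one that it "just extracts information from the servers, which is a bit random", and this one that it does not send "the whole memory" back and that your password has to be in the copied region at that moment. The following added example (mine, not OpenSSL's code and not from either poster) simulates that in Python: a toy byte array stands in for the server heap, a heartbeat record is laid out per RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding), and the vulnerable handler trusts the 16-bit length field while the fixed one applies the same bounds check that OpenSSL 1.0.1g added. All the "secrets" in the heap are constructed strings.

```python
import re
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def build_memory(record: bytes):
    """Constructed stand-in for the OpenSSL process heap (toy data, not real
    OpenSSL memory). Returns (memory, offset_of_record). Whatever happens to
    sit after the record is what an over-read can leak; what sits before it
    cannot, which is why a given leak is 'a bit random'."""
    before = b"GET /mail/ HTTP/1.1\r\nCookie: SID=alice-session-8f3a2c\r\n\r\n"
    after = (b"\x00" * 40
             + b"POST /login HTTP/1.1\r\n\r\nuser=bob&password=Tr0ub4dor"
             + b"\x00" * 200
             + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA(constructed)\n"
             + b"\x00" * 3000)
    return bytearray(before + record + after), len(before)


def heartbeat_request(claimed_len: int, payload: bytes) -> bytes:
    """Build a heartbeat record: type, payload_length, payload, padding."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def handle_vulnerable(mem: bytearray, offset: int, record_len: int):
    """Pre-1.0.1g logic: trust the 16-bit length field and copy that many
    bytes from the start of the payload, however short the record really was.
    The field caps one leak at 65535 bytes; it is not 'the whole memory'."""
    htype, claimed = struct.unpack_from("!BH", mem, offset)
    if htype != HEARTBEAT_REQUEST:
        return None
    start = offset + 3
    echoed = bytes(mem[start:start + claimed])  # over-read past the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed + b"\x00" * MIN_PADDING


def handle_fixed(mem: bytearray, offset: int, record_len: int):
    """1.0.1g logic: drop records too short for a header, and drop any request
    whose header + claimed payload + padding exceeds the record received."""
    if record_len < 1 + 2 + MIN_PADDING:
        return None
    htype, claimed = struct.unpack_from("!BH", mem, offset)
    if htype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + claimed + MIN_PADDING > record_len:
        return None  # silently discarded, as the patch does
    start = offset + 3
    echoed = bytes(mem[start:start + claimed])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed) + echoed + b"\x00" * MIN_PADDING


SECRET_PATTERNS = [rb"password=\w+", rb"SID=[\w-]+", rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"]


def grep_secrets(blob: bytes):
    """What an attacker does with a leak: pattern-match it for anything useful."""
    hits = []
    for pat in SECRET_PATTERNS:
        hits += [m.decode() for m in re.findall(pat, blob)]
    return hits


def exchange(handler, claimed_len: int, payload: bytes):
    """Place one heartbeat request in the toy heap and run it through a handler."""
    record = heartbeat_request(claimed_len, payload)
    mem, offset = build_memory(record)
    return handler(mem, offset, len(record))


if __name__ == "__main__":
    leak = exchange(handle_vulnerable, 65535, b"A")
    print(len(leak), "bytes returned; secrets found:", grep_secrets(leak))
    print("fixed server's reply to the same request:", exchange(handle_fixed, 65535, b"A"))
```

Run it and the vulnerable handler hands back Bob's password and the key header because they happened to be laid out after the record, while Alice's cookie, sitting before it, never leaves the server; the fixed handler returns nothing for the malformed request but still echoes a well-formed one. Repeating the request thousands of times against a busy server is how real attackers turned "a bit random" into a near certainty.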
but no less unacceptable.
Precisely. It doesn't take anything away from the fact that it's a very arrogant attitude to have when you're running a business.
How typical of you too, lol.
You're right in the sense that last time Apple failed to communicate the details of a major security problem I was also critical.
I'm none the wiser.
I wouldn't be arsed about OS X. It's iTunes, me.com email, cloud etc.
www.reuters.com/article/2014/04/09/us-cybersecurity-internet-bug-idUSBREA3804U20140409
"key web services"
http://recode.net/2014/04/10/apple-says-ios-osx-and-key-web-services-not-affected-by-heartbleed-security-flaw/