<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><br>
Most of the "secure" web sites you use have been <b>broken for
the last two years</b>. Bruce Schneier says the OpenSSL
"Heartbleed" bug disclosed yesterday, on a scale of 1 to 10, is an
11, "<a
href="https://www.schneier.com/blog/archives/2014/04/heartbleed.html">catastrophic</a>."
I recommend James Fallows' <a
href="http://news.google.com/news/url?sr=1&sa=t&ct2=us%2F4_0_g_1_0_a&gid=EPG&bvm=section&usg=AFQjCNEu3o2CQaPZQdOvNQcoeO4LudiYbA&did=3147203463190269418&sig2=WnjE8vYpCP_1I61JMFmwhw&ei=dbdFU7mIBZG0mQKAQg&rt=HOMEPAGE&vm=STANDARD&authuser=0&url=http%3A%2F%2Fwww.theatlantic.com%2Ftechnology%2Farchive%2F2014%2F04%2Fthe-5-things-to-do-about-the-new-heartbleed-bug/360395/">coverage</a>
at the Atlantic. <a
href="http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/">Arstechnica</a>
is even better, they demonstrate the exploit against yahoo.com.<br>
<br>
If you bank online, you need to check your bank's site with
something like <a href="http://filippo.io/Heartbleed/">this</a>,
and change your password. Change it now, then check the site. If
the check fails, check it again later, and change your password <i>again</i>
when it passes.<br>
The first change neutralizes your password which <b>was probably
stolen</b> during the last two years. The second neutralizes
the new one that was stolen yesterday before your bank fixed its
server. Now that the bug is public, you can safely assume <b>all</b>
unpatched sites are compromised.<br>
If you run an HTTPS web server, you need to update it, and then
you need to get a new cert. That's what your bank needs to do.<br>
If someone else runs an HTTPS web server for you, check it. If
it's broken and they don't fix it soon, change providers.<br>
<br>
Forward as you see fit.<br>
<br>
-<i>Cameron</i><br>
<br>
<br>
</div>
</body>
</html>