Important password/security-related FYI Update!
Post by CharlieChomper on Apr 12, 2014 9:42:44 GMT
For some inexplicable reason, this hasn't been openly publicized but really should have been, given the scope and ramifications/severity of the situation, how widespread it actually had been, and what it affects. There was recently a critical security vulnerability found in a security layer that's used pretty much everywhere online; it forms the core of both SSL and TLS, which remain at the core of the internet, especially on the security side of things (anywhere you typically will see "https" has in turn also been impacted).
Part of the issue is that the group behind OpenSSL (where the bug existed) was already at work on a patch for this problem (although it was still in "beta" stage and therefore not ready for release to the public yet) when a for-profit company not only announced they'd supposedly released their own patch for it for their clients that were using it and paying them (working from OpenSSL's guidelines on the patch), but further breached an understood rule that exists whenever such problems are found (and has always existed--and which they were well aware of at the time, as they're a security firm), and went so far as to make public both the existence of this problem and all the information pertaining to it, therefore putting everyone at risk (as in every operating system, every browser, every server, every credit card processor, etc. in existence). There has always existed the understanding that if an issue is found (especially one as critical as this), the party responsible for maintaining/creating whatever it was (whether it's an operating system, app, piece of software, whatever, and regardless of whether it's commercial or non-profit/open source) is not only notified of the issue but is close to (or has already completed work on) a fix for it before that information is allowed to be made public, precisely to avoid users or anyone else being put at risk due to the problem.
However, it has also since come out that this commercial company actually hasn't fully completed their patch either (and also strangely saw "nothing wrong" with what they did and failed to comprehend the full impact of their action), and the end result for everyone concerned is that every software vendor, security firm, app creator, open source project, and anyone else directly impacted by this (not including users directly) has been scrambling at a feverish pace trying to patch their systems/software before this became an actual, very dangerous problem for users. Obviously, between that and especially the company's mishandling of the information, it has not only earned them considerable wrath amongst the tech/techie communities along with the security groups, but condemnation of the company's perceived irresponsibility for having put users at such risk as well.
In the meantime, it's been suggested by the security groups to change your passwords for all accounts, in an attempt to minimize the prospect of an issue arising (or in case a site had been compromised and user information--including passwords--may have been stolen between the time the information was made public and the time the systems were patched).
Update: I have a link containing a list of all the sites that were known to be affected by this bug, which should provide a much better idea of which sites you will need to change passwords for. I very strongly encourage anyone who hasn't changed their passwords on the affected sites to do so!