Flaw Found in Key Method for Protecting Data on the Internet.
Source: nyt
The tiny padlock next to web addresses that promised to protect our most sensitive information (passwords, stored files, bank details, even Social Security numbers) is broken.
A flaw has been discovered in one of the Internet's key encryption methods, potentially forcing a wide swath of websites to swap out the virtual keys that generate private connections between the sites and their customers.
On Tuesday afternoon, many organizations were heeding the warning. Companies like Lastpass, the password manager, and Tumblr, the social network owned by Yahoo, said they had issued fixes and warned users to immediately swap out their usernames and passwords.
The vulnerability involves a serious bug in OpenSSL, the technology that powers encryption for two-thirds of web servers. It was revealed Monday by a team of Finnish security researchers who work for Codenomicon, a security company in Saratoga, Calif., and two security engineers at Google.
Read more: http://bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/?hp
phantom power
(25,966 posts)
1StrongBlackMan
(31,849 posts)
hack that and hack the world ... at least my little portion of it.
Ruby the Liberal
(26,219 posts)
if the sites you log into haven't updated their SSL? They are still vulnerable and you just opened up your new password to the hole.
dixiegrrrrl
(60,010 posts)
forgot to add:
I said fuck it a long time ago.
Anything I order online is protected by my credit card, they will pay for losses, I won't, if I report it promptly at next statement.
Let Amazon worry about their sieve-like security.
Harrumph!
bemildred
(90,061 posts)
truedelphi
(32,324 posts)
Sites. Do I need to call both of them to see if they have fixed the flaw on their end?
And am I at risk even if they have? I mean, is it only affecting the websites that host other websites, or does it affect individual websites?
bemildred
(90,061 posts)
I'd call them if I was you. Then I'd do what they tell you to. And not until then, would I do anything that requires encryption (HTTPS:// type things, encrypted email, passwords for accounts you don't want hacked, etc.)
This was coming anyway with the heightened security concerns in the post-Snowden era.
truedelphi
(32,324 posts)
Good advice about waiting to see what they say with regards to passwords etc.