
Recovery process for this seems like it would be:

- All affected sites need to update OpenSSL, reissue certs, tell users to update their passwords.

- All users need to reset their passwords, using a unique password for each site if possible. If they can't feasibly use unique passwords for each site, they need to make sure they don't use their new password on sites that aren't fixed yet.

That's pretty crazy, and getting anything close to 100% compliance is going to require a ton of visibility.

Someone should make a browser extension as quickly as possible to tell users if they're visiting a yet-unfixed site.




The problem is also that as long as a vulnerable site is not fixed, users should not attempt to log in or interact with such a site while logged in. Such interactions increase the chances that users' cookies or passwords will be in the server's memory.


That's a bit unworkable, particularly as you can get many sites to load a user into memory by putting a post-auth URL into an IMG tag anywhere on the Internet. Your browser will obediently GET that URL, passing along the session cookie to the legitimate server, where it will then be exfiltrated via heartbleed.

Basically: this vulnerability must be patched, or the server must be taken offline, and that needs to happen everywhere.


> Basically: this vulnerability must be patched, or the server must be taken offline, and that needs to happen everywhere.

No one is arguing against that. The point is that from the user's point of view, they shouldn't interact with a server at all if it is still vulnerable to this attack.


And how would a browser extension do that reliably? Someone who has exploited a Bleeding Heart server would have their cert and could then impersonate the server using a patched OpenSSL.


Recovery should also probably include nuking all current sessions, as any session key created prior to updating is potentially compromised and would remain so after the update.
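
The session-invalidation step from the comment above, as an added example that is not part of the original thread: a hypothetical in-memory `SessionStore` (names and timestamps are constructed) showing that a session issued before the patch is still accepted after the upgrade until the server explicitly revokes everything created before the patch time.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Hypothetical server-side session store, constructed for this example."""
    sessions: dict = field(default_factory=dict)  # token -> (user, created_at)
    not_before: float = 0.0  # sessions created earlier than this are rejected

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now)
        return token

    def validate(self, token: str):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, created_at = entry
        if created_at < self.not_before:
            # Issued while server memory could still be read: treat as compromised.
            del self.sessions[token]
            return None
        return user

    def revoke_created_before(self, cutoff: float) -> int:
        """Drop every session issued before `cutoff`; return how many were removed."""
        self.not_before = max(self.not_before, cutoff)
        stale = [t for t, (_, created) in self.sessions.items() if created < cutoff]
        for t in stale:
            del self.sessions[t]
        return len(stale)


def demo():
    store = SessionStore()
    old = store.create("alice", now=1000.0)  # issued before the patch
    patched_at = 2000.0                      # constructed patch timestamp
    # Upgrading the TLS library does not touch the store: the old token still works.
    accepted_after_patch = store.validate(old)
    revoked = store.revoke_created_before(patched_at)
    fresh = store.create("alice", now=2500.0)  # user logs in again after recovery
    return accepted_after_patch, revoked, store.validate(old), store.validate(fresh)


if __name__ == "__main__":
    print(demo())
```
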


There is already an extension for Chrome called "Chromebleed", https://chrome.google.com/webstore/detail/chromebleed/eeoekj...


Would it need to "access your data on all websites"?



