Heartbleed bug on OpenSSL?

ChrisX Since: Jan, 2001 Relationship Status: Singularity
#1: Apr 9th 2014 at 8:11:44 PM

Well, I'm doing the usual with my Tumblr, when suddenly I and everyone got this message saying that I should change my password. Turns out there's this bug in OpenSSL called Heartbleed.

I'm a member of MANY things. Should I change all of my passwords?

FastEddie Since: Apr, 2004
#2: Apr 9th 2014 at 8:19:02 PM

Up to you. The bug has no impact on TV Tropes. It might matter in places where you use the https:// version of a url to log in.

Goal: Clear, Concise and Witty
Pykrete NOT THE BEES from Viridian Forest Since: Sep, 2009
#3: Apr 9th 2014 at 8:41:18 PM

This tool lets you test any site.

Most of the big ones fixed it almost immediately, though yahoo was slow on the uptake. Most smaller sites are corking it through messier means.

edited 9th Apr '14 8:44:17 PM by Pykrete

RadicalTaoist scratching at .8, just hopin' from the #GUniverse Since: Jan, 2001
Ferrard Since: Jun, 2009
#5: Apr 9th 2014 at 10:43:08 PM

The overall recommendation is Yes - the vulnerability has been widespread for the better part of two years and leaves absolutely zero trace when exploited, so consider anything you used during those two years on a vulnerable site to be compromised. Alternatively, gamble that you and I are small-fry and not likely to be targets... but depending on what those passwords are securing, that could be exponentially more costly than an hour scouring for and changing passwords on anything important.

Euodiachloris Since: Oct, 2010
#6: Apr 9th 2014 at 10:47:51 PM

I've got one Yahoo account. It's used for only one thing. And, beyond that... the password is not shared. I'll wing it.

Medinoc from France (Before Recorded History)
#7: Apr 10th 2014 at 1:37:25 AM

Damn, now I have to find some new passwords that I'll be able to remember.

Though I doubt Microsoft servers use OpenSSL, there's still the precautionary principle.

edited 10th Apr '14 1:37:44 AM by Medinoc

"And as long as a sack of shit is not a good thing to be, chivalry will never die."
Achaemenid HGW XX/7 from Ruschestraße 103, Haus 1 Since: Dec, 2011 Relationship Status: Giving love a bad name
#8: Apr 10th 2014 at 1:47:47 AM

Advice.

Schild und Schwert der Partei
Medinoc from France (Before Recorded History)
#9: Apr 10th 2014 at 1:53:16 AM

[up]But more vulnerable to dictionary attacks if the attacker knows you're following this advice.

edited 10th Apr '14 1:54:43 AM by Medinoc

"And as long as a sack of shit is not a good thing to be, chivalry will never die."
demarquis Since: Feb, 2010
#10: Apr 10th 2014 at 5:38:10 AM

An even better way is to memorize a simple sentence, and then use the first letter of each word in the sentence.

So far as I can tell, there's no evidence that anyone has ever taken advantage of this.

Angeldeb82 Since: Dec, 2010
#11: Apr 10th 2014 at 8:03:56 AM

It seems to me that when I checked, almost all of the sites I've visited are vulnerable when https:// is used. That's strange!

edited 10th Apr '14 8:04:33 AM by Angeldeb82

Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#12: Apr 10th 2014 at 8:27:15 AM

Make sure the thing doing the checking is smart enough to recognize when a site doesn't have an https socket open (like this one), indicating that it doesn't accept SSL connections at all.

For my part, if the bad guys have my info and are hacking my accounts, I'm pretty much hosed. There's far too much out there now and in the past for me to change it all. Then again, maybe it's time to invent a new password encoding scheme; I've been using the same one for decades.

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Quag15 Since: Mar, 2012
#13: Apr 10th 2014 at 8:43:41 AM

Besides the https ones, what others are affected by this?

Changed my passwords on almost all my https websites so far.

Fighteer Lost in Space from The Time Vortex (Time Abyss) Relationship Status: TV Tropes ruined my love life
#14: Apr 10th 2014 at 8:45:20 AM

Anything you did on a secure connection for the past two years might have been compromised. It's literally impossible to know what those things might be. The actual likelihood is far lower, though. How much lower depends on how widely known this exploit was in the hacker community.

edited 10th Apr '14 8:46:13 AM by Fighteer

"It's Occam's Shuriken! If the answer is elusive, never rule out ninjas!"
Madrugada Zzzzzzzzzz Since: Jan, 2001 Relationship Status: In season
#16: Apr 10th 2014 at 9:35:13 AM

FYI: Sites you need to change your password on right now

This is not presented as an exhaustive list.

...if you don’t love you’re dead, and if you do, they’ll kill you for it.
Heatth from Brasil Since: Jul, 2009 Relationship Status: In Spades with myself
#17: Apr 10th 2014 at 10:24:00 AM

This bug has been discovered now, but it actually existed for far longer, right? Doesn't that mean that, if I never noticed anything weird, I shouldn't worry too much? Especially since I have no important data on the Internet anyway. Sure, I should change my password for future stuff, just to be sure, but I see no point in changing everything I ever had at this point.

Kernigh Since: Sep, 2012
#18: Apr 10th 2014 at 11:06:36 AM

As I understand the bug: if there exists a secure TLS connection between two sides, and if one side uses OpenSSL 1.0.1 older than 1.0.1g, then the other side may attack through the heartbleed bug. The attacking side may steal secrets, such as private keys, passwords, and credit card numbers.

While others worry about websites that run OpenSSL, I also worry about my computer. I have OpenSSL 1.0.1c, and if I use it to make connections, then attackers might heartbleed-steal secrets from me. Is my computer making such connections? The answer seems to be no.

  1. I use Chromium and Firefox. These web browsers use NSS, not OpenSSL, on my side. Websites cannot heartbleed-steal from these web browsers. I also have Lynx, a text-only web browser that uses OpenSSL. There is a risk that if I use Lynx, then evil websites might heartbleed-steal my cookies and information! Therefore, I will avoid using Lynx, which is easy, because I prefer Firefox.
  2. I run the Common Unix Printing System (CUPS), which uses OpenSSL. It only accepts local connections from my own computer. Attackers can't reach my printing system. There is no threat unless I want to heartbleed-steal from myself.
  3. I use ssh to copy files between computers. It uses OpenSSL, but not with TLS heartbeats. My ssh connections remain secure because the heartbleed bug does not affect them.

I find no need to patch OpenSSL at this time. Attackers might hit my computer, but they won't use the heartbleed bug to do so.

edited 10th Apr '14 11:07:35 AM by Kernigh
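A constructed illustration of the missing check behind the bug Kernigh describes, added here and not taken from any poster or from OpenSSL itself: a heartbeat handler that trusts the peer-supplied length field (pre-1.0.1g behaviour) beside one that compares it against the actual record length (the 1.0.1g fix), run over a simulated in-process memory buffer. The record layout, the buffer, and the "secret" are simplifications made up for the demo; the real fix also reserves 16 bytes of padding, which is omitted here.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for process memory: a heartbeat record at offset 0, followed by
   unrelated data (a made-up "secret") that happens to sit next to it. */
#define MEM_SIZE 64
static unsigned char mem[MEM_SIZE];

/* Record layout: [type][len hi][len lo][payload...]; returns the real record length. */
static size_t build_memory(const char *payload, uint16_t claimed_len, const char *secret) {
    size_t plen = strlen(payload);
    memset(mem, 0, sizeof mem);
    mem[0] = 1;                                      /* heartbeat request */
    mem[1] = (unsigned char)(claimed_len >> 8);      /* peer-controlled length field */
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, payload, plen);
    memcpy(mem + 3 + plen, secret, strlen(secret));  /* adjacent heap contents */
    return 3 + plen;
}

/* Pre-1.0.1g: the length field is trusted and never compared with the record length. */
static size_t heartbeat_vulnerable(size_t record_len, unsigned char *out) {
    uint16_t claimed = (uint16_t)((mem[1] << 8) | mem[2]);
    (void)record_len;                                /* the comparison that was missing */
    if (claimed > MEM_SIZE - 3) claimed = MEM_SIZE - 3; /* clamp only so the demo stays in the array */
    memcpy(out, mem + 3, claimed);                   /* reads past the end of the record */
    return claimed;
}

/* 1.0.1g: a claimed length that does not fit in the record is silently dropped
   (the real check also reserves 16 bytes of padding; omitted here for brevity). */
static size_t heartbeat_fixed(size_t record_len, unsigned char *out) {
    uint16_t claimed = (uint16_t)((mem[1] << 8) | mem[2]);
    if (1 + 2 + (size_t)claimed > record_len) return 0;
    memcpy(out, mem + 3, claimed);
    return claimed;
}

/* Returns 1 if the echoed response contains the secret, i.e. memory beyond the record leaked.
   The request always carries a 2-byte payload ("hi"); `claimed` is what its length field says. */
static int response_leaks(int use_fixed, uint16_t claimed, const char *secret) {
    unsigned char out[MEM_SIZE];
    size_t rec = build_memory("hi", claimed, secret);
    size_t n = use_fixed ? heartbeat_fixed(rec, out) : heartbeat_vulnerable(rec, out);
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, secret, slen) == 0) return 1;
    return 0;
}
```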

demarquis Since: Feb, 2010
#19: Apr 10th 2014 at 11:06:37 AM

Other than changing my passwords, I'm not doing anything else. The only sensitive sites we visit belong to our bank, and if someone were messing with our accounts, I'm sure we would have noticed before now. Otherwise, it's more of an "identity theft" problem: someone getting enough info about you to pretend to be you. Not much to be done about it now, though.

Wolf1066 Crazy Kiwi from New Zealand (Veteran) Relationship Status: Dancing with myself
#20: Apr 10th 2014 at 12:58:44 PM

An even better way is to memorize a simple sentence, and then use the first letter of each word in the sentence.

demarquis gives good advice, here.

It's the system I use and always recommend to clients. For triple complexity, incorporate upper case and numbers (letter-number substitutions or random, the choice is yours); for quadruple complexity, throw in the relevant punctuation.

Song lyrics, poems, inspirational quotes - whatever flips your switch and is easy for you to remember.

Another tip I heard for those who have difficulty remembering lots of passwords and need something that is unique for each site, is to incorporate something about that site into a base password - "Bank.Iltlyl1d.79" for example.

Only you know which song/poem/quote you used, if/where you substituted numbers for letters, if/where you capitalised, where you put the site marker and what number(s)/punctuation you added.

It's never going to be perfect, but it's going to make it harder for people to brute force or dictionary attack.

edited 10th Apr '14 12:59:11 PM by Wolf1066

Medinoc from France (Before Recorded History)
#21: Apr 10th 2014 at 1:00:59 PM

[up][up]I was under the impression that the bug could only be triggered by a malicious client connected to a vulnerable server, not the reverse.

"And as long as a sack of shit is not a good thing to be, chivalry will never die."
Quag15 Since: Mar, 2012
#22: Apr 10th 2014 at 1:39:49 PM

I tend to use the titles of songs or words with numbers at the beginning and at the end (or, alternatively, punctuation).

edited 10th Apr '14 1:40:11 PM by Quag15

fruitstripegum Since: Oct, 2010 Relationship Status: Singularity
#23: Apr 10th 2014 at 1:53:40 PM

I'm on Google Chrome, and I can't get on either Fanfiction.net or Mobile Fanfiction.net!

Do you think it's because of the Heartbleed bug? Because I think FFN uses OpenSSL. And yet, my Yahoo account alerted me to a review somebody left on one of my FFN stories, so I dunno.

Whatever the problem is, I hope they fix it soon!

edited 10th Apr '14 1:55:45 PM by fruitstripegum

rmctagg09 The Wanderer from Brooklyn, NY (USA) (Time Abyss) Relationship Status: I won't say I'm in love
#24: Apr 10th 2014 at 2:39:08 PM

I can access it just fine.

Eating a Vanilluxe will give you frostbite.
fruitstripegum Since: Oct, 2010 Relationship Status: Singularity
#25: Apr 10th 2014 at 3:12:45 PM

Well, whenever I try to access the homepage, a fanfic or an author's profile, it says "Something is interfering with your secure connection to www.fanfiction.net", and the server's certificate is invalid.

And I tried deleting the cookies on my browser, but it STILL doesn't work.

edited 10th Apr '14 3:23:25 PM by fruitstripegum

Total posts: 79