I'm just wondering; I might want to protect myself and change the password because the OpenSSL bug is affecting everyone....
3 years, 6 months ago
The short answer is: it was vulnerable, but we fixed it, and you probably don't have to worry about it (on our site).
Yes, brilliant.org was one of the sites that used a vulnerable version of openssl, but we patched it and have changed the ssl cert (in case it was compromised) and all of the administrators have changed their passwords (as a precaution).
We don't believe that any information was nefariously gained as a result of this bug, but it's very hard to detect so we can't be sure. If you would like to change your password, you are more than welcome to. If you choose to change your password, we would of course encourage you to always use best practices (such as using unique passwords for every site you go to so that if one of the sites has a security breach, the attacker doesn't immediately have access to all of your accounts on other sites). I personally use KeePass/KeePassX (on ubuntu)/KeePassDroid (on Android) along with dropbox so that I don't have to remember hundreds of passwords; I only need to remember one very strong password.
My general advice for navigating heartbleed is: check if a site you plan to visit is vulnerable using one of the tools out there (this is the fastest I've encountered). If it is vulnerable, don't visit it and definitely don't log into it until it is patched (as long as it isn't patched, a third party may be able to retrieve your username/password/other sensitive information as it transfers through the server that has the vulnerable version of openssl). If you know that a service that you use has been affected, and has recently been patched, it is usually safe to use the site as normal, and if you want to be safe, you can change your password (but not until the site has been patched).
Finally, the last note about this bug is that while a server is vulnerable, it's possible for an attacker to grab the main encryption key from the server while the server is unpatched, which means they could use that to decrypt future traffic until the encryption key is replaced, even after the vulnerability is fixed. If you want to be sure that a site which was at one point vulnerable is now fully secure, you can check the ssl certificate information to see if it was issued since the bug was discovered, though apparently this won't be 100% accurate since it's possible to back-date when a cert is issued, so if you want, you may want to contact the site owner to verify that they have replaced the certificate, rather than assume it's not fixed. Also, if you aren't sure if a service was ever vulnerable or not, perhaps give them the benefit of the doubt since there is no point in reissuing/revoking ssl certificates if they weren't used with vulnerable versions of openssl. It seems like all of the banking websites that I checked (just a few) use older versions of openssl (or maybe even other ssl implementations) that were never vulnerable to this bug.
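As an added illustration of the "was the certificate issued since the bug was discovered" check described in the answer above (this is not code from the post or from brilliant.org): the function compares a certificate's notBefore date against Heartbleed's public disclosure date (7 April 2014, a known fact not stated in the post) and works on the dict Python's ssl module returns for a peer certificate; the two sample certificate dicts are constructed, and `fetch_peer_cert` is a hypothetical helper for running the same check against a live site.

```python
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (CVE-2014-0160): 7 April 2014.
# A certificate whose validity starts before this date cannot have been
# reissued in response to the bug.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert()
# returns (only the field this check needs is filled in).
SAMPLE_REISSUED = {"subject": ((("commonName", "example.test"),),),
                   "notBefore": "Apr  9 00:00:00 2014 GMT"}
SAMPLE_OLD = {"subject": ((("commonName", "example.test"),),),
              "notBefore": "Mar 15 00:00:00 2014 GMT"}


def cert_issued_after_heartbleed(cert):
    """Return (issued_after, not_before) for a getpeercert()-style dict.

    issued_after is True when the certificate's validity period begins on
    or after the disclosure date. Caveat from the post: a CA could back-date
    notBefore, so True is evidence of reissue, not proof; False is reliable,
    because a cert that predates the disclosure was not reissued for it.
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    not_before = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return not_before >= HEARTBLEED_DISCLOSED, not_before


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Hypothetical helper: fetch the certificate a live server presents.

    Needs network access; the default context verifies the chain and hostname.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("reissued", SAMPLE_REISSUED), ("old", SAMPLE_OLD)):
        issued_after, not_before = cert_issued_after_heartbleed(cert)
        print(f"{label}: notBefore={not_before:%Y-%m-%d} "
              f"issued after disclosure={issued_after}")
```

Whether the cert was reissued says nothing about whether the server itself is still running a vulnerable openssl; that remains a separate check, as the answer describes.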
Thanks a lot! @Sam Solomon