Security Blog

The latest news and insights from Google on security and safety on the Internet

Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed bug)

9 April 2014
Google

36 comments:

Unknown said...

What about the older mini Google Search Appliances (GSA)? Is there a patch being worked on for these as well?

9 April 2014 at 14:56
Moon said...

So to put this in a way that the average person would understand and be concerned about, would it be recommended that any Google/Gmail users change their current passwords?

9 April 2014 at 15:09
Anonymous said...

News articles on Heartbleed are suggesting users change their passwords at sites that have patched this vulnerability. Is Google recommending Google Apps and other users change their account passwords?

9 April 2014 at 15:54
Emelia said...

Can you tell us when Gmail, Wallet, search and other key services were patched?

9 April 2014 at 16:34
FlickMontana said...

How do we know your SSL certificates aren't compromised? Did you replace them after patching? The certificate for mail.google.com says it was issued on April 2, and Heartbleed wasn't announced to the public until the 8th.

10 April 2014 at 05:29
Unknown said...

In addition to patching OpenSSL, can you confirm if you've acquired new certificates, generated and deployed new SSL keys, and revoked old keys and certs?

10 April 2014 at 08:21
Unknown said...

Do I have to change my password?

10 April 2014 at 08:31
ef4897 said...

Are SMTP and POP now safe? I use them to read my gmail but I've been holding off.

Also, can you tell me if gmail was updated by around Tuesday at 8pm UTC time (around 1pm Pacific)? That's when I changed my password, and I'm wondering if I need to do it yet again.

Thank you!

I posted this on the uk site also before finding this one. Sorry for double-posting.

10 April 2014 at 12:53
Anonymous said...

A recent ABC News article quotes an email from Google saying that users do not need to change their passwords.

Is that Google's official word on the matter? I've had a hard time finding an official statement on your site.

10 April 2014 at 12:53
Anonymous said...

Heartbleed was publicly announced recently. If Google's SSL implementation was vulnerable at ANY point, passwords could have been captured. There is no indication that this vulnerability was not privately known prior to the public announcement. Would it not be prudent to change your passwords, regardless?

Cyber Security Professional

10 April 2014 at 14:30
Unknown said...

Changing your passwords before a service is patched (fixed) is kinda pointless. You would be better off waiting until the services you use are fixed. I'm giving it a week or so before I go change my passwords. Meanwhile I will not be logging on to any services that have payment details linked to them. It is quite possible that the hacking community (yeah, they like to call themselves a community) did not learn of this vulnerability. If they had they would have exploited it heavily and it would probably have been detected much sooner. Much in the same way that if thieves kept stealing your stuff all the time you would probably soon realise that you had left the back door open. Now that the cat is out of the bag however, thieves and hackers (same thing?) have a short window of opportunity to exploit this vulnerability before the door is slammed shut.

10 April 2014 at 15:53
Darrell Hixon said...

So after you patch all your systems only then you should inform the users to change their passwords. Until then a user changing his account passwords is basically a waste of time!

10 April 2014 at 20:00
Anonymous said...

@Blair Mansell - the Mini is not affected by this, as it has an older version of OpenSSL. The exploit only affects OpenSSL 1.0.1a through 1.0.1f.

10 April 2014 at 21:16
Unknown said...

Even if Google says that it is safe and you totally trust them, do you want to take that risk anyway?

According to the public website providing a lot of information (http://heartbleed.com/) there's no way to detect such attacks, and knowing the bug has been there for the last two years, well, you should totally change your passwords whatever Google, Facebook or Microsoft tell you, but there's no point changing them if the service/website is not patched yet.

11 April 2014 at 02:40
patrick said...

I have to agree with the post from 'Cyber Security Professional'.
Just change your passwords. It is the only way you will be able to stop worrying about it. It sure is a hassle to change all my passwords, but still way less of a hassle than trying to recover from identity theft.

11 April 2014 at 07:46
Alexander said...

Google stock Android 4.3 seems to be affected, too...
Heartbleed Detector App detects OpenSSL version 1.0.1e and warns that it is affected by the bug!
Running on Galaxy Nexus / Baseband version I9250XXLJ1 / Kernel version 3.0.72-gfb3c9ac / Build number JWR66Y

11 April 2014 at 14:10
HikingMike said...

I also saw the quote from Google on the ABC News article saying "They later added to their statement saying that, "The security of our users' information is a top priority. We fixed this bug early and Google users do not need to change their passwords." "

Now come on. All of us just read about this bug. We know Google used OpenSSL, and apparently the versions that were vulnerable since they said they applied patches, and if we logged in during the vulnerable period then our password is at risk. If there was an exploit running (well we know there were exploits from the proofs of concept, just don't know if there were big ones), then our passwords could be in someone's hands. And less likely but maybe more scary, if someone is storing net traffic and was able to get the certificates as Codenomicon says they were able to do, then lots of our previous communication (and password) could be decrypted.

Maybe Google wants to wait until they know everything needed is patched before asking users to change their passwords. If so, it would be nice to tell us that.

Or, if Google really thinks the risk is so low that changing passwords is not required, then please tell us that as well and give us reasons.

14 April 2014 at 10:54
Anonymous said...

Check out http://www.gnupg.org or just go Google :)

14 April 2014 at 11:37
Anonymous said...

Google has security whitepapers in case you don't notice; they're the specialists when it comes to this, I believe. Just read what the blog says.

2 options: http://www.gnupg.org or just go Google since they are implementing countermeasures as well as everyone here obviously :)

14 April 2014 at 11:43
Unknown said...

Can we have this clarified please? "patching information for Android 4.1.1 is being distributed to Android partners"

I own a MachSpeed Trio stealth G2 tablet, and according to them as of today (4/14/2014) they are still waiting to even hear about a patch..

14 April 2014 at 12:16
Unknown said...

"All versions of Android are immune" means ALL versions of android of all-of-versions-still-being-maintained-by-google (which is like, only 4+?)

should 2.3 and such be safe?

15 April 2014 at 14:34
gender said...

Motorola Razr Maxx still running on 4.1.2, whose fault is it?

15 April 2014 at 22:56
Iceking29 said...

As does 4.4.2

16 April 2014 at 01:46
James R. Barnes said...

Wow, I don't see any update for my Samsung Galaxy S3 yet :'(

17 April 2014 at 01:57
Anonymous said...

This post lists numerous services that were patched, but it also states "we are still working to patch some other Google services".

Given the amount of time that has passed since the article was written, I would guess that all services have been patched now. That said, confirmation from Google that this is the case would be welcome.

Thank you.

17 April 2014 at 19:25
Mark Carter, OCT said...

Any chance Google can release a Heartbleed patch app directly to users? Many (most?) device vendors have completely abandoned their devices that are currently running Android 4.1.1 (I'm looking at you, Kobo...)

Google should look at establishing an update service for Android devices that's independent of device vendors, as vendors typically don't take any responsibility for updating their devices once they've got the consumers' cash. Even if such a service only offered device-agnostic security fixes it would be very valuable.

18 April 2014 at 17:34
Fabio C. Barrionuevo da Luz said...

OpenVPN is also affected by the Heartbleed bug.

see: http://arstechnica.com/security/2014/04/heartbleed-exploited-to-hack-network-with-multifactor-authentication/

19 April 2014 at 11:30
Admin said...

I am searching this related stuff from long time. Now I can solve my problem from here. Thanks for sharing this great post with us.
Chemical Flow Meter

2 May 2014 at 03:40
alarms said...

thanks for information

3 June 2014 at 03:38
abou gazy said...

AMIRA MSOD

14 June 2014 at 18:06
Anonymous said...

Gmail Password reset is a very competitive solution without any detail for any technician, but don't worry, it is not impossible; our technician can reset a Gmail password without any account detail -
http://lnkd.in/b4mTKYD

18 June 2014 at 08:44
Admin said...

Great post, but the time is administered for you priority, and this are changes every day, of course there are many distractions, for waste you time.
The Bag Nag

24 June 2014 at 01:17
Unknown said...

I would also like to know the status of the Google mini.

10 July 2014 at 11:07
Unknown said...

@Dave Watts - can you point to any statement from Google that the Google Mini is not affected? My organization's security folks just flagged my mini - I need all the ammunition I can get to resist their urge to block it!

10 July 2014 at 11:17
Unknown said...

I am impressed by the post of cyber security post. Today it is very important for all of us to be fully protected from cyber disadvantages. In present it is increasing so highly.

Latest News Article

16 July 2014 at 05:59
Anonymous said...

@Michael Tilley - I don't know if there's a public statement by Google Enterprise about the Google Mini here. But only certain versions of the GSA software are vulnerable. They're the versions that include OpenSSL 1.0.1a through 1.0.1f.

OpenSSL 1.0.1a was released on 19 April 2012, according to the OpenSSL changelog. The latest version of the Mini runs GSA 5 software, which significantly predates that. So, unless Google has time-travel technology, you're safe from this problem with the Mini.

You can easily check the status of an individual server using free tools. I suggest you use one of those.

I wrote an overview post about Heartbleed, with a little bit about the GSA and the testing tools I just mentioned. You can read it here:

http://blog.figleaf.com/2014/04/my-heart-bleeds-for-you-security-wise.html

17 July 2014 at 11:08
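The version-range argument in the post above (only OpenSSL 1.0.1a through 1.0.1f are affected, so a release that predates 1.0.1 is out of scope) can be turned into a triage check for a server inventory. The script below is an added example, not code from Google or from the commenter; it parses `openssl version` output and flags hosts whose reported upstream version falls in the affected range. It also treats plain 1.0.1 (no letter) and the 1.0.2-beta1 pre-release as affected, which is the full published range for CVE-2014-0160; the inventory lines and hostnames are constructed for the example.

```python
import re

# CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1;
# 1.0.1g and 1.0.2-beta2 carry the fix, and the 0.9.8 / 1.0.0 branches
# never contained the TLS heartbeat code.
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)

def parse_openssl_version(text):
    """Return (major, minor, patch, letter, beta) from `openssl version` text,
    or None when no OpenSSL version string is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return (int(major), int(minor), int(patch), letter.lower(),
            int(beta) if beta else None)

def is_heartbleed_affected(text):
    """True when the reported upstream version lies inside the affected range.

    Caveat: distributions such as Debian and Red Hat backported the fix into
    packages that still report 1.0.1e, so True means "review this host"
    (check the package changelog or test the listening service), not
    "confirmed vulnerable".
    """
    v = parse_openssl_version(text)
    if v is None:
        raise ValueError("no OpenSSL version found in: %r" % text)
    major, minor, patch, letter, beta = v
    if (major, minor, patch) == (1, 0, 1):
        # 1.0.1 (no letter) .. 1.0.1f vulnerable; 1.0.1g and later fixed
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only the pre-release betas before beta2 carried the bug
        return beta is not None and beta <= 1
    return False

# Constructed sample inventory: hostname<TAB>output of `openssl version`
SAMPLE_INVENTORY = """\
web01\tOpenSSL 1.0.1e 11 Feb 2013
web02\tOpenSSL 1.0.1g 7 Apr 2014
gsa-mini\tOpenSSL 0.9.8e-fips 01 Jul 2008
vpn01\tOpenSSL 1.0.2-beta1 24 Feb 2014
legacy\tOpenSSL 1.0.0k 5 Feb 2013
"""

def hosts_to_review(inventory):
    """Return hostnames whose reported version is in the affected range."""
    flagged = []
    for line in inventory.splitlines():
        host, _, version_text = line.partition("\t")
        if is_heartbleed_affected(version_text):
            flagged.append(host)
    return flagged
```

Running `hosts_to_review(SAMPLE_INVENTORY)` flags `web01` and `vpn01`; the GSA Mini's 0.9.8 line and the 1.0.0 host are out of range, matching the post's reasoning.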
