So you think Heartbleed is over. Think again. Not only servers are affected. Clients too. And you need to tighten your security even more.
Basically it comes down to this:
Expect all sites using HTTPS to have been vulnerable, and all data you exchanged to be captured. Unless you can have hard proof they were not vulnerable, or the traffic was not captured. If you have not started changing passwords, private keys, credit card numbers, etc: do so now.
and
In layman’s terms/pictures: xkcd: Heartbleed Explanation.
If you still don’t get it: anyone with any HTTPS connection to a once vulnerable system could copy data out of that system. There is no guarantee that data did not contain your identity (username, password, public key, credit card check-digits, etc) or server identity (private and public key).
Since often you cannot prove a system was using OpenSSL, there is no way to prove your data didn’t get copied.
Here are some interesting reads from last week: Read the rest of this entry »