Since this old thread was resurrected, has this site been compromised or deemed vulnerable at all by the Heartbleed bug?
I just fired up a packet capture while I logged in. The good news is Heartbleed isn't a worry. The bad news is the packet containing both my email and password was sent without using any encryption. It's wide open :(
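The observation above (credentials visible in a capture of the login request) as an added example, not code from the original thread: a small scanner that takes raw bytes as captured off the wire, tells a plaintext HTTP request apart from a TLS record, and pulls out any credential fields a passive observer could read. The sample requests and the TLS record are constructed for the example, and the list of field names treated as credentials is a heuristic assumption.

```python
import base64
import re
from urllib.parse import parse_qs

# Field names that usually carry credentials (heuristic; an assumption of this example).
CREDENTIAL_FIELDS = re.compile(r"^(pass(word|wd)?|pwd|secret|token|e-?mail|user(name)?|login)$", re.I)

# Constructed samples, not real captures.
SAMPLE_HTTP_LOGIN = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n"
    b"\r\n"
    b"email=alice%40example.com&password=hunter2"
)
SAMPLE_HTTP_BASIC = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"bob:s3cret") + b"\r\n"
    b"\r\n"
)
# A TLS 1.2 application-data record: content type 0x17, version 0x0303, 32 bytes of ciphertext.
SAMPLE_TLS = b"\x17\x03\x03\x00\x20" + bytes(range(32))


def classify_capture(raw: bytes) -> str:
    """'tls' for a TLS record, 'http' for a plaintext HTTP/1.x request, otherwise 'unknown'."""
    if len(raw) >= 5 and raw[0] in (0x14, 0x15, 0x16, 0x17) and raw[1] == 0x03 and raw[2] <= 0x04:
        return "tls"
    first_line = raw.split(b"\r\n", 1)[0]
    if re.match(rb"^(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) \S+ HTTP/1\.[01]$", first_line):
        return "http"
    return "unknown"


def parse_http_request(raw: bytes) -> dict:
    """Split a plaintext HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return {"method": method, "path": path, "headers": headers, "body": body[:length]}


def _credential_pairs(query: str) -> list:
    """(name, value) pairs from a form/query string whose names look like credentials."""
    found = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if CREDENTIAL_FIELDS.match(name):
            found.extend((name, v) for v in values)
    return found


def find_cleartext_credentials(raw: bytes) -> list:
    """Return (field, value) pairs readable by anyone on the network path.
    Empty for TLS traffic: the record layer hides the whole request from a passive observer."""
    if classify_capture(raw) != "http":
        return []
    req = parse_http_request(raw)
    found = []
    # 1. Form bodies (the case in the login capture described above)
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        found += _credential_pairs(req["body"].decode("utf-8", "replace"))
    # 2. Query strings, e.g. GET /login?user=...&password=...
    if "?" in req["path"]:
        found += _credential_pairs(req["path"].split("?", 1)[1])
    # 3. HTTP Basic auth is only base64, not encryption
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode("utf-8", "replace").partition(":")
        found += [("basic-user", user), ("basic-password", password)]
    return found


if __name__ == "__main__":
    for label, sample in [("form login", SAMPLE_HTTP_LOGIN), ("basic auth", SAMPLE_HTTP_BASIC), ("tls", SAMPLE_TLS)]:
        print(label, classify_capture(sample), find_cleartext_credentials(sample))
```

The same bytes captured from an https:// login would start with a TLS record header rather than a request line, and the scanner reports nothing: that is the whole difference the "https://" prefix makes for someone sniffing the wire.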
In the process of changing all my passwords. Would you mind putting up a thread on Heartbleed for us folks who do not understand what it is and what isn't to be worried about? Bobcats Heartbleed-for-dummies style?
It's actually not the best idea to change your passwords right now. If you change your password on a site that is affected by Heartbleed but hasn't implemented the fix yet, you run the exact same risk as if you never changed it in the first place. However, I would recommend changing your BA password and making it different from any other password you use. I'm not an expert on security certificates, I work on network infrastructure, so I can't do the best job of breaking down exactly what Heartbleed does.
That being said, any "secure" connections that you make with a website will have some exchange of "keys" to encrypt and decrypt the data you're exchanging. When you establish the connection with the web server, you present a "public" key, and in return the web server extends its private key.
The private keys are the most important part of this process, and Heartbleed has made those exposed. By attaining a site's private keys, a hacker could intercept the data you were intending to send to the website, decrypt it (gaining all of your personal information) and forward it on to the website, completely undetected.
This is all irrelevant to BA though. Logging into the forum actually uses a completely insecure connection. You can tell if a website you're using is secure by looking at the URL. Most of the time you see "http://", which is not secure but is appropriate for the majority of traffic. Any time you see "https://" the traffic is secure.
As I said earlier, changing your passwords is not necessary right now. Heartbleed does not grant hackers access to the servers that store your password, it enables them to intercept when you're authenticating your password. So, by changing your password on an affected site, they would get your old password by listening in when you logged in and also your new one when you change it.
You can use this link to find out if a site you want to use is affected.
filippo.io/Heartbleed/
Edit: I guess I should add that I don't plan on changing any of my passwords (including BA). I keep a close eye on my finances, so if some strange charges show up I'll change them. But the odds are pretty low.
Last Edited: 4/10/2014 3:25:18 PM by DallasCat
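Since the thread asks for a "Heartbleed for dummies", here is the bug itself as an added example (editor's code, not part of the post above). Heartbleed is CVE-2014-0160 in OpenSSL 1.0.1 through 1.0.1f: the TLS heartbeat extension (RFC 6520) lets a peer send a short payload and get it echoed back, and OpenSSL copied as many bytes as the request *claimed* to contain without checking that the record was really that long, so up to 64 KB of whatever sat next in server memory (other users' cookies and passwords, session keys, the private key) was sent back to the requester. The code below simulates that with a bytes buffer standing in for the heap; the `Memory` class, the "neighbouring" secret data and the record layout are constructed for the example, and the padding is zeros rather than the random bytes a real implementation uses.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = b"\x00" * 16   # RFC 6520: at least 16 bytes of padding; its content is ignored


def build_record(claimed_len: int, payload: bytes) -> bytes:
    """HeartbeatMessage body as delivered by the TLS record layer: type, length, payload, padding.
    claimed_len may lie about len(payload); that lie is the whole attack."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + PADDING


class Memory:
    """Constructed stand-in for the process heap: the record just received, followed by
    whatever else happened to be allocated nearby."""
    def __init__(self, record: bytes, neighbours: bytes):
        self.buf = record + neighbours
        self.record_len = len(record)   # what the record layer actually delivered


def heartbeat_vulnerable(mem: Memory) -> bytes:
    """Pre-1.0.1g behaviour: copy `claimed` bytes from the payload, trusting the length field."""
    _, claimed = struct.unpack("!BH", mem.buf[:3])
    payload = mem.buf[3:3 + claimed]        # may run far past record_len into neighbours
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + PADDING


def heartbeat_fixed(mem: Memory):
    """1.0.1g behaviour: the same copy, guarded by the bounds check the fix added.
    Returns None when the request is silently discarded."""
    _, claimed = struct.unpack("!BH", mem.buf[:3])
    if 1 + 2 + claimed + len(PADDING) > mem.record_len:
        return None
    payload = mem.buf[3:3 + claimed]
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + PADDING


def response_payload(resp: bytes) -> bytes:
    """What the requester gets back: the `length` bytes following the 3-byte header."""
    _, n = struct.unpack("!BH", resp[:3])
    return resp[3:3 + n]


# Constructed scenario: honest 4-byte heartbeat vs. one that claims 65535 bytes but sends 4.
NEIGHBOURS = b"...Cookie: session=9f3a; password=hunter2 ...\x00" * 2
honest = Memory(build_record(4, b"ping"), NEIGHBOURS)
lying = Memory(build_record(0xFFFF, b"ping"), NEIGHBOURS)

if __name__ == "__main__":
    print("honest, vulnerable server:", response_payload(heartbeat_vulnerable(honest)))
    leaked = response_payload(heartbeat_vulnerable(lying))
    print("lying, vulnerable server:", len(leaked), "bytes, secret leaked:", b"password=hunter2" in leaked)
    print("lying, fixed server:", heartbeat_fixed(lying))
```

The point worth taking from the simulation is that nothing is "intercepted": the attacker talks to the server directly, the leaked bytes belong to whoever's data was in memory at that moment, and a single request leaks only what is adjacent, which is why attackers repeated it thousands of times against a vulnerable host.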