The Heartbleed Bug

whitestar_999

Super Moderator
Staff member
don't worry. Seeing that no major bank & financial institution is in the list of major known affected sites, chances are Indian banks are safe too. Otherwise we would be getting messages in our online bank account & SMS to change our passwords.
 

amjath

Human Spambot
Are you sure you thought? :rofl: *bought :lol:

:evil:

- - - Updated - - -

Edit: Important
Received a mail from McAfee today. They provided a tool/link to find the vulnerability. So whoever is looking for a vulnerability check on Indian sites and servers can check here
*tif.mcafee.com/heartbleedtest?utf8...HWG3bkxzhRvJwHTXvDhhHr!-398013275&commit=Scan

- - - Updated - - -

Update:

Google fixed their servers, change your passwords

*www.engadget.com/2014/04/09/google-heartbleed-patch-info/
 

anirbandd

Conversation Architect
don't worry. Seeing that no major bank & financial institution is in the list of major known affected sites, chances are Indian banks are safe too. Otherwise we would be getting messages in our online bank account & SMS to change our passwords.

How come?? Banking sites use the same OpenSSL, no??
 

whitestar_999

Super Moderator
Staff member
no. SSL is a protocol like HTTP & OpenSSL is an application like a browser. Just because a browser has a vulnerability (say Firefox) does not mean another browser (say Chrome) will also have the same vulnerability even if they both use HTTP. Most banks rely on 3rd party vendors & proprietary software (e.g. many Indian banks use Infosys's Finacle software), which are the exact opposite of open source software like OpenSSL.
 

anirbandd

Conversation Architect
no. SSL is a protocol like HTTP & OpenSSL is an application like a browser. Just because a browser has a vulnerability (say Firefox) does not mean another browser (say Chrome) will also have the same vulnerability even if they both use HTTP. Most banks rely on 3rd party vendors & proprietary software (e.g. many Indian banks use Infosys's Finacle software), which are the exact opposite of open source software like OpenSSL.

Hain??

So that's secure??
 

whitestar_999

Super Moderator
Staff member
yes. Sometimes using software that costs money is more secure than using free open source software. This is the main reason why most banks/financial institutions don't use free security software.
 

whitestar_999

Super Moderator
Staff member
they use SSL just as OpenSSL uses SSL, but in a different manner. It is like how both Chrome & Firefox use different ways to render the same web page using HTTP.
 

whitestar_999

Super Moderator
Staff member
any software application that handles SSL in a manner different from OpenSSL is safe from the Heartbleed bug at least. SSL is a protocol & is safe; it is the software OpenSSL, which uses SSL, that is affected by this bug.
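
The distinction drawn above (the SSL/TLS protocol was fine, the OpenSSL code that handled heartbeat messages was not) comes down to one missing length check. The C below is an added illustration, not code from OpenSSL or from anyone in this thread: it parses a heartbeat record in the RFC 6520 layout, applies the bounds check the fix introduced, and runs it over two constructed sample records (one consistent, one that claims far more payload than it carries).

```c
#include <stdio.h>
#include <string.h>
/* RFC 6520 heartbeat: type (1) | payload_length (2, big-endian) | payload | padding (>= 16).
 * Heartbleed was OpenSSL trusting payload_length without comparing it to the
 * number of bytes actually received for the record. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_MIN_PAD  16

/* Returns the claimed payload length if it fits inside the received record
 * (the bounds check the fix added), otherwise -1. */
int heartbeat_validate(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_MIN_PAD > rec_len)   /* claimed length must fit */
        return -1;
    return (int)payload;
}

/* Builds the echo response in out. Returns bytes written or -1. Only bytes
 * that were really received are copied, so nothing past the record can leak. */
int heartbeat_respond(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap)
{
    int payload = heartbeat_validate(rec, rec_len);
    if (payload < 0 || 1 + 2 + (size_t)payload + HB_MIN_PAD > out_cap)
        return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)payload);
    memset(out + 3 + payload, 0, HB_MIN_PAD);  /* padding (random in real TLS) */
    return 1 + 2 + payload + HB_MIN_PAD;
}

/* Constructed sample records: a consistent request and a Heartbleed-shaped one
 * that claims 65535 payload bytes but carries only 3. */
const unsigned char hb_good[] = {1, 0x00, 0x03, 'a', 'b', 'c',
                                 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
const unsigned char hb_oversized[] = {1, 0xFF, 0xFF, 'a', 'b', 'c',
                                      0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
unsigned char hb_out[64];

int main(void)
{
    printf("good: payload=%d, response=%d bytes\n", heartbeat_validate(hb_good, sizeof hb_good),
           heartbeat_respond(hb_good, sizeof hb_good, hb_out, sizeof hb_out));
    printf("oversized claim: %d (rejected)\n", heartbeat_validate(hb_oversized, sizeof hb_oversized));
    return 0;
}
```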
 

whitestar_999

Super Moderator
Staff member
not officially, unless you get a notification to change your password after you log in. It is though advisable to change it just in case.
 

amjath

Human Spambot
So we really need to change them after the patch?

Yes, every site says so. If you change before the fix, the new password is still vulnerable.

not officially, unless you get a notification to change your password after you log in. It is though advisable to change it just in case.

it is like "Park your vehicles at your own risk". They will not notify you, but you should.

- - - Updated - - -

Yahoo also patched their server
 

whitestar_999

Super Moderator
Staff member
well, the policy is to notify. Every email/website does this whenever there is a data breach as it is required under laws (& not the Indian ones, which can be lax). In Yahoo Mail you cannot even proceed without changing your password, but no such thing with Gmail. Just because the Heartbleed bug was there doesn't mean anyone with even above average hacker skills can take advantage of it. It takes some really good skills & lots of resources to take advantage of this vulnerability & nobody is going to waste them on the email accounts of typical users. I agree it is good practice to change even your Google password, but my assumption is that the chances of your Google password leaking because of some malware/site you visit are much higher than because of the Heartbleed bug.
 

gameranand

Living to Play
What the $hitty hell is this. The sites mentioned there, I use some of them regularly. Well, it's a good thing that I always use LastPass, dunno if it kept me safe or not, but damn, they took friggin 3 years to find this bug and we were unprotected for 3 years. What the hell are these companies paying their security experts, or are they even paying or not. God help me.
 

whitestar_999

Super Moderator
Staff member
don't worry too much. Chances are if companies like Google couldn't find it then hackers too missed it. Some say the NSA knew, but then in a way your data in NSA hands is much better than in the hands of some hacker. Banking/financial institutions are mostly unaffected. Also see my earlier post.
 

anirbandd

Conversation Architect
What the $hitty hell is this. The sites mentioned there, I use some of them regularly. Well, it's a good thing that I always use LastPass, dunno if it kept me safe or not, but damn, they took friggin 3 years to find this bug and we were unprotected for 3 years. What the hell are these companies paying their security experts, or are they even paying or not. God help me.

chillax.. it's an open source application. It's free. :)

- - - Updated - - -

don't worry too much. Chances are if companies like Google couldn't find it then hackers too missed it. Some say the NSA knew, but then in a way your data in NSA hands is much better than in the hands of some hacker. Banking/financial institutions are mostly unaffected. Also see my earlier post.

I would bet on that. Black hats have an extraordinary line of thought.

- - - Updated - - -

legit white hats hardly think like the black hats. They just do not have the experience.
 

anirbandd

Conversation Architect
I bet TDF forum was NOT affected. :lol:

- - - Updated - - -

on a serious note,

Can we get a list of Indian sites affected by this? The lists on the Internet focus on US sites mostly.

:+1:

- - - Updated - - -

UPDATE:

here is a link to a list of tested sites.
Code:
*github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt

citibank, onlinesbi, icici, hdfc etc.. they don't use SSL?? :confused:
 

whitestar_999

Super Moderator
Staff member
no one is going to target small Indian sites (compared to their international counterparts). As for the black hat/white hat argument, there is not much difference between them. Many times black hats work as white hats & white hats work as black hats. Do not be under the impression that you can be a good hat (white or black) by following only "legitimate" methods.
 