Theo weighs in on Heartbleed

I’ve been subjected to a fair bit of hysteria about the Heartbleed vulnerability in OpenSSL. While it’s admittedly a severe problem, I can’t see much use in all the frothing Y2K-esque fearmongering (although it’s funny when Randall does it).

But honestly, I’ve been looking forward to Theo’s take on this, and he did not disappoint. You never doubt where Theo stands!

OpenSSL has exploit mitigation countermeasures to make sure it’s exploitable. — Ted Unangst

As the various cert vendors I deal with have been telling me all morning (can you stop emailing me now, guys, please?) it’s time to patch the vulnerable webservers, get new certs and move on.

IF YOU DID NOT UNDERSTAND ANY OF THE ABOVE, here’s what you do: Test each site you use (like, for example, mail.google.com or www.yahoo.com) using Filippo Valsorda’s tester. Once ALL the sites you use are patched, change ALL your passwords on ALL websites you use. Don’t change your password on a site that’s not patched – don’t even log in on a site that’s not patched! That will just increase the chances you will be hacked. Don’t assume that because your site is OK now you don’t need to change your password – the big boys (Yahoo comes to mind) were vulnerable for quite a while before they patched, but they test out fine now.

Cloud, my shiny metal butt.

If you’re running the Chrome web browser, you can load a plug-in that will change any occurrences of “cloud” or “the cloud” to “butt” or “my butt” respectively, but only in proper context (it knows about weather sites, for example).

And if that’s not enough hilarity for you, you can load a different one that implements the text substitutions from Randall Munroe’s XKCD #1288. There’s also a Firefox version of the latter.

Bender Bending Rodriguez, bending unit #22