Now... there are a lot of computers on the internet and only ~500 million were vulnerable... They recommend updating certs only because it is an unlogged procedure and if information was ever disclosed in the 2+ years machines were vulnerable... machines too old and too new (like the last 48 hours) aren't vulnerable... Also, another thing to consider is that many mainstream load balancers were never vulnerable in that time period, and the back-end servers may be handling un-encrypted (SSL offloading) traffic, meaning the vulnerability could never reach the server... also most IDS/IPS cannot block all versions of this exploit (i.e. Snort) based on the various ways it can be presented. Get to version g of OpenSSL quickly if 1.) in doubt, or 2.) you match any of the below [source: www.heartbleed.com]:
Some operating system distributions that have shipped with a potentially vulnerable OpenSSL version:
Lastly, some Apache and nginx servers could have had vulnerable versions installed with the product. Remember, it is not if you *ARE* vulnerable, it is *IF YOU WERE EVER* vulnerable. UPDATE OPENSSL / NEW CERTS (SSL and SSH), and for extra paranoia consider all accounts compromised - update passwords. This is because the exploit discloses a random "bag of cats" to the attacker and the attacker can reach in whenever they want... they might get stuff, they might not, or partial disclosures - whatever is in that 64 KB chunk of memory they get back. Anything in plain text in the memory area returned is game for disclosure.
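A defender-side check for the condition the post describes, added here as an example and not part of the original thread: it parses a TLS heartbeat record and applies the bounds check that OpenSSL 1.0.1g introduced, flagging requests whose declared payload length exceeds what the record actually carries (the mismatch behind the memory chunk the post mentions). The sample records are constructed, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 24       # TLS record content type for heartbeat messages (RFC 6520)
HB_PADDING_MIN = 16      # RFC 6520: at least 16 bytes of random padding per message


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and decide whether its heartbeat message is well-formed.

    'claimed' is the payload_length the sender declares; 'available' is how many
    bytes actually follow the 3-byte heartbeat header inside the record.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    body = record[5:]
    if len(body) != rec_len:
        raise ValueError("record length field does not match bytes present")
    if ctype != TLS_HEARTBEAT:
        return {"heartbeat": False, "malformed": False, "claimed": None, "available": 0}
    if len(body) < 3:
        # No room for type + payload_length: not a valid heartbeat message at all.
        return {"heartbeat": True, "malformed": True, "claimed": None, "available": 0}
    _hb_type, claimed = struct.unpack("!BH", body[:3])
    available = len(body) - 3
    # The bounds check OpenSSL 1.0.1g added: type(1) + length(2) + payload + 16
    # bytes of padding must fit within the record, otherwise the message is
    # dropped. Unpatched builds skipped this and copied 'claimed' bytes from
    # process memory into the reply, which is the disclosure the thread describes.
    malformed = 1 + 2 + claimed + HB_PADDING_MIN > rec_len
    return {"heartbeat": True, "malformed": malformed,
            "claimed": claimed, "available": available}


def flag_malformed(records) -> list:
    """Return the indices of records that a patched peer would refuse."""
    return [i for i, r in enumerate(records) if check_heartbeat_record(r)["malformed"]]


# Constructed sample records (not captured traffic). TLS 1.1 version bytes 03 02.
BENIGN = (b"\x18\x03\x02\x00\x17"          # heartbeat record, 23 bytes of body
          + b"\x01\x00\x04" + b"ping"      # request, payload_length 4, payload
          + b"\x00" * 16)                  # 16 bytes of padding
OVERSIZED = b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"   # claims 16384 bytes, carries none
APPDATA = b"\x17\x03\x02\x00\x02\xaa\xbb"  # application_data record, not a heartbeat

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN), ("oversized", OVERSIZED), ("appdata", APPDATA)]:
        print(name, check_heartbeat_record(rec))
    print("flagged:", flag_malformed([BENIGN, OVERSIZED, APPDATA]))   # flagged: [1]
```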
Yea, it's pretty bad. Also LastPass supposedly was one of those quasi things from what I read... yes they were vulnerable, but in memory the data was always encrypted (good programming), so nothing was disclosed (if I got that right). Anyhow, that's my belief that I know what I read; I am not saying everything is 100% true, but to my knowledge that is what I believe I have read on the subject.
These people (" there are no real juggernauts of internet commerce wrapped up in this, [>>>as far as we know<<<.] No Amazon, no Google, no Microsoft.") obviously don't know what they are talking about because Google was affected (http://www.engadget.com/2014/04/09/google-heartbleed-patch-info/).
If you want a secure computer turn it off, unplug and lock it away in a closet. For total security drill holes in your disk drives and dissolve the platters in muriatic acid. Now it is secure. Crush RAM stick with a hammer and add to acid solution.
Re Heartbleed: This article/chart on BGR (April 15) lists major sites that were affected, and includes "Amazon Web Services" on its list needing new safer passwords immediately. There's also a link for a browser fix to warn of unsafe sites.
Email, financial and major shopping sites are listed.
Amazon's response to my question on Kindle Fire and FireTV was not illuminating. They simply expressed their understanding that I wanted to know if my software was up to date and told me how to check it. Well...that was NOT my question, my question was whether Heartbleed is or was an issue on these devices at any version. So I tried to ask them that again. We shall see.
Everything I have read says that the Amazon store doesn't use OpenSSL so was not affected on any platform, whether PC, Kindle Fire, Fire TV, phone, etc. Amazon web services, which was affected, is a completely different entity and does not affect Amazon.com. If you're worried, though, it never hurts to change your password.
You need to find out which version of Android the device is using and then check. From what I have read, Amazon is OK but some Android OSes (which Kindle Fire devices use) had the issue. From a security release of mine:
"Heartbleed is a flaw in OpenSSL that could allow the theft of data normally protected on websites. Google recently announced that smartphones and tablets running the Android operating system 4.1.1 Jelly Bean are vulnerable. To see if your Android device is running this version go to the Settings menu, scroll to the bottom and select About Phone or About Tablet."
Very concerned about my Kindle Fire - original model. I can't remember having an OS upgrade on it. I have reset it to factory defaults, hopefully clearing my various passwords. I like the device but my Amazon password has money attached, so until I see it's safe I really can't use it for reading my Kindle library.
The problem is that Amazon devices use a version of Android OS so on the original Kindle Fire the version is 6.3.2_user_4110520 - what does that tell me, does the 411 at the end indicate it's an affected version? Amazon's response only told me how to tell if I had the latest version installed not how to tell if the version was vulnerable or if a previous version was vulnerable.
Heartbleed affects websites using OpenSSL, and you should change your password on any sites that use the affected version (see upthread for links to find out which major websites are and aren't affected; Amazon.com is not affected). Your version of the Kindle OS doesn't matter, though upgrading to the latest version is generally good anyway, if it doesn't upgrade automatically. There is no need to do a factory reset or avoid using your Kindle library. You do not need to change your Amazon password, but it never hurts to change your passwords periodically anyway.
Heartbleed also affects a variety of Android devices. Kindle Fire and Fire TV are Android devices. They may or may not be affected based on the version of Android they run. Since it's an Amazon fork of Android, their version numbers do not match the reports on the version affected (4.1.1), leaving their status...inconclusive. I don't doubt Amazon will upgrade if they are affected and the upgrade will happen seamlessly--I'd just love to know what the status is.
While you are right that Amazon.com was not affected, many Amazon offerings WERE affected (Amazon Web Services, for example). These services/APIs support other services (like Netflix, etc.), so they will probably have their own designation as to whether they are affected.
As for Amazon.com...you don't need to change your password due to Heartbleed, unless you use that same password on other sites that were affected by Heartbleed. Me, I've changed my Amazon.com password.
It is important to distinguish between Amazon.com and other aspects of Amazon (e.g. Heartbleed, Android devices)