Heartbleed Alexa top 10000

149 points | jmacd | 12 years ago | gist.github.com

83 comments

tinalumfoil | 12 years ago
Notable Sites:

yahoo.com indiegogo.com metacafe.com mybet.com nascar.com okcupid.com pch.com paypal-community.com browserstack.com creditkarma.com nasa.gov twitpic.com

The others are mostly porn sites, link shorteners, non-English sites or other sites people normally wouldn't have an account on or put private data on. These are the sites I feel have the most significance on the list, sorry if I missed any.

thinkling | 12 years ago
Airbnb.com apache.org dreamhost.com ifttt.com were ones I noticed.

There are a couple of big European retailers in the list (darty, castorama).

lotsofcows | 12 years ago
Ha, what sort of idiot would have private data on a non-English site? Oh wait, that would be the majority of the population of the planet.
jackowayed | 12 years ago
Avast is pretty bad given that they make virus protection
icodestuff | 12 years ago
As of earlier this morning Amazon.com was also vulnerable. OkCupid is also on this list.
level | 12 years ago
netflix.com is another big one
rabino | 12 years ago
slack.com

edit: I contacted the developers and they were super fast to patch everything, roll keys, etc. It's contained now.

elwell | 12 years ago
flipboard.com
esturk | 12 years ago
Notable edu sites:

(www)gatech.edu (www)ucla.edu (www)uiuc.edu

I mean really? These are top engineering schools too.

belorn | 12 years ago
This is the problem with a monoculture in security libraries. Back when the gnutls vulnerability came up earlier this year, some people seriously stated that we should only have one tls library and that would ensure the security of it.

Find a vulnerability in a browser, and a minority subset of all users get affected. Find an issue with OpenSSL, and the key to the kingdom is there.

rabino | 12 years ago
Not sure I agree. More eyes in a library should mean it is more secure. I guess.

Having 200 broken TLS libraries is security by obscurity. Not very useful, and a pain for sysadmins.

rodgerd | 12 years ago
There is OpenSSL, nss, and GnuTLS. That's 3. Two of those have had major breaches this year.

How many more libraries do you think will provide adequate security?

robododo | 12 years ago
How many of these have gotten new server keys? How many have invalidated all prior session ids and cookies?

I have a feeling heartbleed will haunt us for a while.

JshWright | 12 years ago
Hopefully they patch OpenSSL before they roll their keys...
smtddr | 12 years ago
This will be similar to the trendnet webcam "/anony/mjpg.cgi" ordeal. To this day there are still many webcams on the internet that can be viewed by anyone and the owners of the webcam have no idea whatsoever.

We're going to have fallout from this for at least the rest of this year and well into the next.

FooBarWidget | 12 years ago
I'm sure all the serious sites will be updated soon. But what I'm more worried about is all those routers. My home router has an admin interface that's served over SSL. I'm not so confident that manufacturers will push out updates for those routers quickly, or that people will update them at all.
stormbrew | 12 years ago
This is a mixed bag, but I'd bet your router's running an older version than 1.0.1.
Narkov | 12 years ago
Home routers have bigger issues to worry about before they get to Heartbleed.
jpmattia | 12 years ago
Anyone check banks and financial institutions yet?
voltagex_ | 12 years ago
The big four (?) banks in Australia seem to not be affected. I'm fairly sure they run IIS, anyway.
hughes | 12 years ago
My bank (PC Financial) has been offline all evening. I wonder if it's related.
patrickxb | 12 years ago
Side question: Alexa still exists? People install that extension in their browser???
mkr-hn | 12 years ago
It's an extension now. SEO people seem to like it for the quick look at rankings.
philip1209 | 12 years ago
A browser extension that warns of vulnerability would be amazing.
allochthon | 12 years ago
I'm hoping to find a list of largish sites that were vulnerable to this bug just prior to the recent disclosure, so that I can know how to prioritize my password changing. (These forced password rotations are happening quite a lot these days.)
ef47d35620c1 | 12 years ago
It's a client problem too. Many people are over-looking that.
elwell | 12 years ago
Is there a quick way to test a site actively (i.e., without going and checking the openssl version)?
molf | 12 years ago
So only a little over 12% is still vulnerable (and possibly ~30% not using OpenSSL). And that number is still shrinking quickly. For example: Netflix, Yahoo, NASA and OKCupid have updated in the meantime.
euphemize | 12 years ago
I've just checked a bunch of sites on this list and it seems a lot have been patched, only in the last hour since your comment.
sukuriant | 12 years ago
So, these are dumb questions; but,

1) was this list made legally?

2) is viewing the list legal?

pilom | 12 years ago
1.) If it was made in the US, probably not. Reading the memory of a webserver would be pretty easy for a lawyer to argue is "unauthorized use of a computer system." That is the basic definition presented in the Computer Fraud and Abuse Act.

2.) I don't know enough to be able to argue one way or another on this point. However, if you download the list or disseminate the list you are likely increasing your possible exposure.

PeterisP | 12 years ago
The answer to (2) is Yes regardless of what the answer to question (1) is.
bpicolo | 12 years ago
Yes, it's entirely legal.
abc123xyz | 12 years ago
Rapidshare is still vulnerable, search for "enc" session cookie, you can then log in as any user by editing this cookie :D it also works via their API

fun fun fun

newman314 | 12 years ago
popsugar.com phpnuke.org toshiba.com torcache.net ucla.edu uiuc.edu utorrent.com ifttt.com
3rd3 | 12 years ago
Would it make sense for everyone to change their passwords because of this?
carbocation | 12 years ago
Many servers will still be vulnerable, so now you have 2 problems.

Zawinski meme aside, perhaps it would make sense to do it on a server-by-server basis when the machines are verified patched. (Though, even then, how do you know they aren't passing information back to an Internet-exposed-but-unpatched database server?)

regecks | 12 years ago
If you logged in (as in, typed your username and password) into the site during the time the exploit has been disclosed and the site has been vulnerable, I would change your password.

Otherwise, insist that the site owners invalidate all existing sessions.

henryaj | 12 years ago
Heh. Alexa.com is on the list.
maximux | 12 years ago
I wish we could dump openssl and recompile all needed software to use polarssl