It warms this otherwise cold, dead heart to see people picking up @1Password. Your online life is about to get a whole lot safer and easier.
First of all, sorry for the requirement for Adobe Flash. That's usually a deal-breaker for stuff I post, but this is good enough to warrant an exception. (C'mon, Comedy Central, Flash is outdated and horrible. Get up to speed, will you?)
Amy Schumer has done a fantastic Aaron Sorkin parody on her "Inside Amy Schumer" show on Comedy Central:
It's quite well done, containing all of Sorkin's signature elements. To top it off, she's got Josh Charles in the lead role, a Sorkin alumnus himself.
You've probably seen an article or news segment on the recently found "Heartbleed" bug in some of the basic software that runs websites on the Internet. This is a flaw in the software that protects traffic to and from "https" sites from being seen by a third party. It leaves many so-called secure websites vulnerable to having their secure communications compromised.
This bug has been present in the software, OpenSSL, for over two years. This means sites that used this software have been vulnerable for that long. Researchers have confirmed that, among other ramifications, a server's "private key" can be exposed. A server's private key allows traffic to be securely encoded against snooping by a third party. Anyone possessing a server's private key can decrypt the traffic flowing in and out of that server. This fundamental part of how secure internet traffic works is now at risk. This also means that traffic gathered by third parties in the past can now be trivially decrypted. For example, it has been reported that the NSA has actively used this bug to decrypt web traffic.
The worst thing about this vulnerability is that there is no indication that the private key has been taken. There is no way for a server administrator to look through logs or even look at raw, live traffic, and see that a site has been attacked. Therefore, there is no way to know if a service has been compromised or not.
Because traffic that was thought to be undecodable can now be decoded, and because an administrator cannot determine whether a key has been taken, all accounts that were created on vulnerable sites should now be considered public knowledge.
Code patches for fixing this bug were quickly written and have been widely deployed at this point. However, because the flaw has existed for so long, accounts and data older than this past week could have been put at risk.
A large portion of the sites that use secure web (https) traffic run OpenSSL. While some of these sites may have been using versions without the bug, many of the top-tier sites were running vulnerable versions. This includes Facebook, Google (including Gmail and YouTube), Reddit, Dropbox, Flickr, Tumblr, Yahoo, Netflix, etc.
The major sites not affected include Twitter and Apple. Mashable has a good list. Most banks were unaffected.
This means that if you use any of these sites you should change your password on these services immediately. In addition, if you used this password on other services (umm, please don't do this), you should change your password to something unique on those other services as well.
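To work out which passwords to change, including reused ones, here is a small added example (not part of the original post). It takes a password-manager export and lists every account on an affected site plus every other account that shares a password with one. The vault entries, the `rotation_plan` function and the site labels are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Sites the article names as affected (its list ends with "etc.").
AFFECTED = {"facebook", "google", "gmail", "youtube", "reddit", "dropbox",
            "flickr", "tumblr", "yahoo", "netflix"}

# Constructed sample vault export: (site, username, password).
SAMPLE_VAULT = [
    ("facebook", "alice", "correct-horse-1"),
    ("dropbox", "alice@example.com", "dbx-unique-77"),
    ("twitter", "alice", "tw-unique-42"),
    ("examplebank", "alice", "correct-horse-1"),  # reuses the Facebook password
    ("forum.example", "alice", "forum-unique-9"),
]


def rotation_plan(vault, affected=AFFECTED):
    """Return {(site, user): reason} for every account whose password must change."""
    # Group by a keyed digest so plaintext passwords are never used as
    # dictionary keys or echoed in the report. The key lives for this run only.
    key = secrets.token_bytes(32)

    def tag(password):
        return hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()

    groups = defaultdict(list)
    for site, user, password in vault:
        groups[tag(password)].append((site.lower(), user))

    plan = {}
    for accounts in groups.values():
        exposed = sorted({site for site, _ in accounts if site in affected})
        if not exposed:
            continue  # this password was never used on an affected site
        for site, user in accounts:
            if site in affected:
                plan[(site, user)] = "affected site"
            else:
                plan[(site, user)] = "shares password with " + ", ".join(exposed)
    return plan


if __name__ == "__main__":
    for (site, user), reason in sorted(rotation_plan(SAMPLE_VAULT).items()):
        print(f"{site} ({user}): {reason}")
```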
In addition, millions of Android devices running Android 4.1.1 are at risk. If you use an Android phone or tablet on version 4.1.1, contact your wireless carrier or tablet manufacturer for an updated version of Android.
Yes, Zimbra uses OpenSSL and previous versions were using a vulnerable edition of OpenSSL. I have patched this bug and it is no longer vulnerable. Yes, you should immediately change your Zimbra password.