8 stories
·
0 followers

Google ordered to remove links to stories about Google removing links to stories

3 Comments and 4 Shares

Is the "right to be forgotten" biting its own tail?

The UK's Information Commissioner's Office (ICO) has ordered Google to remove links from its search results that point to news stories reporting on earlier removals of links from its search results. The nine further results that must be removed point to Web pages with details about the links relating to a criminal offence that were removed by Google following a request from the individual concerned. The Web pages involved in the latest ICO order repeated details of the original criminal offence, which were then included in the results displayed when searching for the complainant’s name on Google.

Understandably, Google is not very happy about this escalation of the EU's so-called "right to be forgotten"—strictly speaking, a right to have certain kinds of information removed from search engine results. According to the ICO press release on the new order, Google has refused to remove the later links from its search results: "It argued these links were to articles that concerned one of its decisions to delist a search result and that the articles were an essential part of a recent news story relating to a matter of significant public importance." The ICO "recognises that journalistic content relating to decisions to delist search results may be newsworthy and in the public interest." Nonetheless, it decided that including links to the news stories has "an unwarranted and negative impact on the individual’s privacy and is a breach of the Data Protection Act," and that they must be removed.

Google has 35 days to comply with the order. If it does not, it faces financial sanctions, which can be quite significant: a few weeks ago, the ICO issued a £180,000 civil monetary penalty to The Money Shop following the loss of customer details when a server was stolen. Moreover, it could, in theory, be fined repeatedly, the ICO told Ars in an e-mail. Google can, however, appeal against the order to the Information Tribunal, part of a fairly obscure aspect of the UK's court system called the General Regulatory Chamber.

One obvious question about this kind of recursive request is whether it is recursive itself—in other words, whether news stories that report on this latest removal including details of the criminal offence will also face de-listing from Google's search results. That seems likely. (But obviously, if this story suddenly disappears, you know what happened...) Another issue concerns the status of pages that media organisations have set up listing the news stories that have been removed from Google's results, for example those from The Telegraph and the BBC, some of which contain details from the de-listed stories.

The latest development seems to confirm fears that the "right to be forgotten" would become a mechanism for censoring perfectly legal information and Web pages. That's because any article mentioning the contested information in any form or in any context now faces the prospect of being consigned to online oblivion, in the EU at least.

Read the whole story
jmorahan
3365 days ago
reply
"...that was the ultimate subtlety: consciously to induce unconsciousness, and then, once again, to become unconscious of the act of hypnosis you had just performed."
Share this story
Delete
2 public comments
mareino
3365 days ago
reply
Any Brits out there want to file a request demanding that Google delink the Information Commissioner's Office?
Washington, District of Columbia
satadru
3365 days ago
reply
Stupid recursive censorship request is stupidly recursive.
New York, NY

The Intercept’s Laura Poitras Wins Academy Award for ‘Citizenfour’

1 Share

Laura Poitras, a founding editor of The Intercept, won an Academy Award tonight for her documentary “Citizenfour,” an inside look at Edward Snowden, the National Security Agency whistleblower.

The film, which has been hailed as a real-life thriller, chronicles Snowden’s effort to securely contact Poitras and Glenn Greenwald in 2013 and meet them in Hong Kong, where Poitras filmed Snowden discussing the thousands of classified NSA documents he was leaking to them, and his motives for doing so. The film takes its title from the pseudonym Snowden used when he contacted Poitras in encrypted emails that were revealed in her documentary.

“If you publish the source material,” one of his first emails said, “I will likely be immediately implicated. This must not deter you from releasing the information I will provide. Thank you, and be careful.”

“Citizenfour” received widespread acclaim when it was released last year. The New York Times said it was “a primal political fable for the digital age” while Indiewire described it as “the stuff of Orwellian nightmares…it plays like the greatest paranoid thriller since ‘All the President’s Men.’” Prior to the Academy Awards, it won a number of prizes for best documentary from the New York Film Critics Circle, the Directors Guild of America, and other organizations.

The documentary is centered around the extraordinary footage Poitras shot of Snowden in his hotel room with Greenwald and Guardian reporter Ewen MacAskill, who also travelled to Hong Kong. The film includes scenes of Snowden preparing to leave the hotel to go into hiding after the first NSA stories were published along with a video interview in which Snowden revealed his identity. Snowden eventually slipped out of Hong Kong and, after becoming stranded in Moscow’s Sheremetyevo airport, was offered political asylum in Russia, where he currently resides.

The documents leaked by Snowden have revealed the NSA’s dragnet surveillance of American phone records as well as the agency’s extensive efforts to infiltrate and compromise global telecommunications networks. The NSA’s activities have been condemned by civil liberties advocates in the United States as well as by foreign governments that have been spied on by the agency. The stories written about the documents have earned Pulitzer Prizes for The Guardian and The Washington Post (which also received documents from Snowden). Those publications, as well as The Intercept and other news organizations, including Der Spiegel in Germany, continue to publish major stories about the NSA’s surveillance activities, such as an article just a few days ago that revealed the NSA and its British counterpart, the GCHQ, had stolen billions of cellphone encryption keys from a Dutch firm.

Poitras, who in 2012 was awarded a MacArthur Foundation “genius” grant, had earned an Academy Award nomination for a previous film, “My Country, My Country,” about the Iraq war. Released in 2006, it was the first in a trilogy of films about America after 9/11; the second, released in 2010, was “The Oath,” filmed in Yemen and Guantanamo Bay. “Citizenfour” is the final film in the trilogy, which Poitras has described as an examination of American power in the war on terror.

Poitras herself came under the type of government surveillance that the Snowden documents outline. After her Iraq film was released, she was stopped dozens of times at U.S. and foreign airports and questioned by border agents; her name had apparently been placed on one of the U.S. government’s terrorism watchlists. This put her into an unusual position—a documentarian who was under surveillance while working on a documentary about surveillance.

It was a short film by Poitras about the NSA, focusing on whistleblower William Binney, that brought her to the attention of Snowden. He saw the film, which was called “The Program” and was published as a New York Times op-doc in 2012, and realized Poitras was reporting on the NSA and that she probably had enough knowledge of encryption practices to communicate with him securely. He later explained that he trusted her and Greenwald, who is another founding editor of The Intercept, more than any major media outlets in the post-9/11 era.

“Laura and Glenn are among the few who reported fearlessly on controversial topics throughout this period, even in the face of withering personal criticism, and resulted in Laura specifically becoming targeted by the very programs involved in the recent disclosures,” Snowden has said. “She had demonstrated the courage, personal experience and skill needed to handle what is probably the most dangerous assignment any journalist can be given — reporting on the secret misdeeds of the most powerful government in the world.”

Poitras, who studied film at the San Francisco Art Institute and political theory at The New School before turning to journalism, will have a solo exhibition at the Whitney Museum in 2016.

Photo: Trevor Paglen

The post The Intercept’s Laura Poitras Wins Academy Award for ‘Citizenfour’ appeared first on The Intercept.

Read the whole story
jmorahan
3544 days ago
reply
Share this story
Delete

Launching in 2015: A Certificate Authority to Encrypt the Entire Web

1 Share

Let's Encrypt logo

Today EFF is pleased to announce Let’s Encrypt, a new certificate authority (CA) initiative that we have put together with Mozilla, Cisco, Akamai, Identrust, and researchers at the University of Michigan that aims to clear the remaining roadblocks to transition the Web from HTTP to HTTPS.

Although the HTTP protocol has been hugely successful, it is inherently insecure. Whenever you use an HTTP website, you are always vulnerable to problems, including account hijacking and identity theft; surveillance and tracking by governments, companies, and both in concert; injection of malicious scripts into pages; and censorship that targets specific keywords or specific pages on sites. The HTTPS protocol, though it is not yet flawless, is a vast improvement on all of these fronts, and we need to move to a future where every website is HTTPS by default.With a launch scheduled for summer 2015, the Let’s Encrypt CA will automatically issue and manage free certificates for any website that needs them. Switching a webserver from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button.

The biggest obstacle to HTTPS deployment has been the complexity, bureaucracy, and cost of the certificates that HTTPS requires. We’re all familiar with the warnings and error messages produced by misconfigured certificates. These warnings are a hint that HTTPS (and other uses of TLS/SSL) is dependent on a horrifyingly complex and often structurally dysfunctional bureaucracy for authentication.

example certificate warningLet's Encrypt will eliminate most kinds of erroneous certificate warnings

The need to obtain, install, and manage certificates from that bureaucracy is the largest reason that sites keep using HTTP instead of HTTPS. In our tests, it typically takes a web developer 1-3 hours to enable encryption for the first time. The Let’s Encrypt project is aiming to fix that by reducing setup time to 20-30 seconds. You can help test and hack on the developer preview of our Let's Encrypt agent software or watch a video of it in action here:

Let’s Encrypt will employ a number of new technologies to manage secure automated verification of domains and issuance of certificates. We will use a protocol we’re developing called ACME between web servers and the CA, which includes support for new and stronger forms of domain validation. We will also employ Internet-wide datasets of certificates, such as EFF’s own Decentralized SSL Observatory, the University of Michigan’s scans.io, and Google's Certificate Transparency logs, to make higher-security decisions about when a certificate is safe to issue.

The Let’s Encrypt CA will be operated by a new non-profit organization called the Internet Security Research Group (ISRG). EFF helped to put together this initiative with Mozilla and the University of Michigan, and it has been joined for launch by partners including Cisco, Akamai, and Identrust.

The core team working on the Let's Encrypt CA and agent software includes James Kasten, Seth Schoen, and Peter Eckersley at EFF; Josh Aas, Richard Barnes, Kevin Dick and Eric Rescorla at Mozilla; Alex Halderman and James Kasten and the University of Michigan.

Read the whole story
jmorahan
3641 days ago
reply
Share this story
Delete

Lighting the Darkest Corners of Government: Glenn Greenwald’s No Place to Hide Explores the Role of Journalism in the Internet Age and How Mass Surveillance Undermines Democracy

1 Share

Book review and discussion questions for reading groups

In No Place to Hide, Glenn Greenwald shows that a modern investigative reporter doesn’t just need the courage to take on the United States government and established media. He also needs a whole lot of crypto.

Greenwald’s new book (buy a copy here and a portion of the proceeds go to EFF) details how he and journalist Laura Poitras met NSA whistleblower Edward Snowden and then published a series of articles that would change Americans’ perception of their government, ignite a worldwide debate around surveillance, and challenge notions about investigative journalism. The book begins with a recounting of how Snowden made contact with the journalists and the risks and travails of publishing the controversial initial leaks. Then Greenwald walks through how the NSA and its international partners engage in a collect-it-all strategy that exploits modern communication technology, from underwater cables to cell phone towers. The book concludes with an impassioned examination of executive power, secret law, failed oversight, meek journalistic institutions—and how these dark forces can be fought with the courage of conviction, transparency, and independent journalism.

It’s a readable yet thorough overview of NSA surveillance, and worth both reading for yourself and sharing with any friends who might be on the fence about reining in mass spying.

Journalism Under Fire

No Place to Hide provides an inside view of how journalists and sources operate when faced with government intimidation tactics.

While certain that the First Amendment protects his work, Greenwald is also mindful of the potential for prosecution. He and Poitras work with the Guardian and its lawyers on the initial publications in part because they believe they will be shielded by working with an established media organization. At one point, frustrated by delays in publishing the first story, Greenwald contemplates starting his own media organization:

[W]e decided there was an even more powerful alternative: to simply create our own website, entitled NSAdisclosures.com, and begin releasing the articles there, without the need for any existing media outlet. Once we went public with the fact that we had in our possession this huge trove of secret documents about NSA spying, we would easily recruit volunteer editors, lawyers, researchers, and financial backers: an entire team, motivated by nothing but a passion for transparency and real adversarial journalism, devoted to reporting what we knew was one of the most significant leaks in US history.

Ultimately Greenwald decides against the plan, in part because of concerns about potential prosecutions.

I also had to acknowledge my personal fear: publishing hundreds if not thousands of top secret NSA files was going to be risky enough, even as part of a large organization like the Guardian. Doing it alone, without institutional protection, would be far riskier. All the smart warnings from the friends and lawyers I had called played loudly in my head.

The book provides ample reason for journalists to be concerned about aggressive overreactions by the US government. It details the Obama administration’s prosecution of Fox News Washington bureau chief James Rosen, who was charged with criminal conspiracy for working with a source to publish classified materials. Greenwald also discusses the Department of Justice’s secret acquisition of Associated Press emails and telephone records, as well as its pressure on New York Times journalist James Risen, both in an effort to uncover journalistic sources.

Greenwald describes how agents from British intelligence agency GCHQ appeared at the Guardian offices, demanding that all Snowden documents be turned over or destroyed. Rather than surrender the documents, journalists at the Guardian destroyed the material, literally smashing laptops containing leaked documents. He also describes his fear while his partner, David Miranda, was held without charge for nine hours while transferring flights at Heathrow Airport.

The likelihood of prosecution or even decades in prison was also something Edward Snowden repeatedly acknowledged, noting, "I understand that I will be made to suffer for my actions, and that the return of this information to the public marks my end."

Greenwald, Poitras, and Snowden, as well as editors at the Guardian and others, chose to publish in the face of this intimidation. But the book provides startling insight into the difficult choice too many journalists face in the current prosecution-heavy environment. We cannot know how many other journalists have turned down leads, delayed publication, or changed a story out of fear of repercussion from outraged governments. The US government isn’t respecting and tolerating an independent press. Instead, it’s actively working to discredit and intimidate journalists and ferret out their sources.

Crypto to the Rescue

Encryption plays a huge role in the journalists’ defense against government snoops. The book shows journalists relying on email encryption for communication, and Greenwald explains how Snowden refused to confide in him at all because he had not set up email encryption. (Greenwald also recounts his almost comical reluctance to set up encryption, and how Snowden went to great lengths—including creating instructional videos to help Greenwald through the process—to no avail.)

Unable to rely on the law to protect their privacy, the journalists adopt security practices that include strictly limiting who receives copies of documents, encryption, removing batteries from mobile phones (or putting them in the refrigerator), and discussing the most important issues in person. Without strong crypto, the Snowden leaks may well have never happened.

Myths Busted

In addition to knitting together an explanation of the NSA’s mass collection programs, Greenwald refutes the most persistent excuses for mass spying. He details how oversight of NSA has failed, at both the Foreign Intelligence Surveillance Court level and the congressional level. He debunks the idea that collecting metadata is less invasive than other forms of surveillance. He speaks directly to how the NSA spying programs are not an effective method of thwarting or preventing terrorism, but how they do infringe on the privacy of millions of law-abiding individuals. Perhaps most compelling, Greenwald argues that those who have nothing to hide should still object to mass surveillance because suspicionless spying is so fundamentally poisonous to democracy.

Carrying on the Legacy

If you seek to help, join the open source community and fight to keep the spirit of the press alive and the internet free. I have been to the darkest corners of government, and what they fear is light. – Edward Snowden

Thanks to the Snowden leaks and the incredible coverage of them, we are faced with an unprecedented opportunity to rein in the NSA. Thanks to Greenwald’s book, we have a new way of teaching the world about this issue.

No Place to Hide debuted at number 5 of the New York Times bestseller list for combined print & e-book nonfiction. That means thousands of people are right now reading this book. Some percentage of them may feel a spark of outrage at the abuses of government power Greenwald details, may find resonance with the idea that the government has been too long shielded from the accountability of public scrutiny. And some percentage of them may convert that spark into action.

If you find yourself among those who are called to action, there are easy ways to get involved. The first thing to do is to get a copy of the book and lend it to a friend. Perhaps you have a friend whose ideas on the issue are not fully formed, or who feels conflicted about mass surveillance—perhaps even someone who works for a government agency. This book is a powerful entry point for understanding a complex and politically charged topic, so it will help the movement overall if it finds a home on the bedside tables of millions of people around the world.

For coders worldwide, there’s a need for strong, usable tools to thwart surveillance. We need talented people helping to patch and improve free software tools like OTR, SecureDrop, HTTPS Everywhere, and Tor. And if you’re not a coder, you can still help make encryption the default by using tools to protect your privacy online. Reset the Net is a campaign to galvanize both coders and users to do what they can to secure the Web, and it’s easy to get involved.

If you are a student looking to engage in digital rights activism on your college campus, please join our student organizers list. We’re trying to create a nation-wide campus movement to educate and activate students around defending civil liberties.

And of course, there’s Congress. Public outcry against the spying programs has pushed Obama to make key concession toward reform and forced Congress into taking up the issue of reform. But powerful factions in Congress are working to block any reform efforts. You can help us defend strong reform by adding your voice or becoming a member.

Greenwald writes that “Promoting the human capacity to reason and make decisions: that is the purpose of whistleblowing, of activism, of political journalism.” It is unyielding, independent journalists and committed activists that have capacity to create an informed and engaged electorate, technologists who create tools to safeguard their communications and lawyers who often defend their rights to speak freely. Perhaps the most important way to get involved is to find what niche within that ecosystem best suits your own skills and passions.

Discussion questions for reading groups

1. How has No Place to Hide affected your comfort around using modern communication technology, including services like Gmail and Facebook? How might No Place to Hide affect how investigative journalists or political activists feel about using the Internet?

2. Greenwald writes that he wanted to publish the leaks from Snowden almost immediately and in quick succession, using the leaks as an opportunity to criticize entrenched federal policies around surveillance: “Only audacious journalism could give the story the power it needed to overcome the climate of fear the government had imposed on journalists and their sources.” (p. 61)

Yet even as he urged the Guardian to publish the first leak and grew increasingly frustrated by delays in publication, he hesitated to start his own news site for publishing the leaks, writing: “I also had to acknowledge my personal fear: publishing hundreds if not thousands of top secret NSA files was going to be risky enough, even as part of a large organization like the Guardian. Doing it alone, without any institutional protection, would be far riskier.”(p. 69)

3. How did fear of prosecution influence the decisions of the reporters and Snowden? In what ways do you think fear of prosecution affects other forms of investigative journalism?

4. Do you think it would have been better or worse for Greenwald and Poitras to publish on a dedicated, independent website, rather than in collaboration with established media outlets? Why?

5. In README_FIRST, Snowden writes: “I have been to the darkest corners of government, and what they fear is light.” To what extent do you think public transparency alone (as compared to transparency compared with regulations, Congressional oversight, or other safeguards) can act as a check on executive power abuses? Where does transparency fall short?

6. Greenwald writes: “Every news article is the product of all sorts of highly subjective cultural, nationalistic, and political assumptions. And all journalism serves one faction’s interest of another’s. The relevant distinction is not between journalists who have opinions and those who have none, a category that does not exist. It is between journalists who candidly reveal their opinions and those who conceal them, pretending they have none.” P 231

7. Does a journalist have a responsibility to report the news without expressing a specific subjective opinion on that news? Is neutral reporting more beneficial to society than subjective reporting? Is it even possible for an article to be truly neutral, and what would that look like?

Full disclosure: Glenn Greenwald, Laura Poitras, Edward Snowden and I all sit on the board of directors of the Freedom of the Press Foundation. Last year, EFF awarded Greenwald and Poitras our Pioneer Award for their reporting on these issues.

Related Issues: 
Read the whole story
jmorahan
3802 days ago
reply
Share this story
Delete

Please stop sending me your shitty Word documents

1 Comment

Throughout this rant I use the second-person personal pronoun (you) quite a lot. This does not necessarily mean I am speaking to ‘You’ the reader, but rather some other ‘You’ who will probably never read this anyway.

When Microsoft announced Office for iPad I shed a small tear. Now, Excel is an incredibly useful application, without which my managers couldn’t inundate me with graphs, statistics and indecipherable Look-ups that reference hidden and protected sheets. PowerPoint allows literally anyone (regardless of their public speaking skills, understanding of image aspect ratios, or ability to use less than 15 different fonts on a single slide) to prepare presentations for their audience. What upset me however was the fact that all of a sudden, swathes of iPad users will now have the ability to view, edit and most worryingly of all – create Microsoft Word documents.

Here’s what I have installed on my Mac:

  • Alfred – searching for anything
  • Python – coding anything
  • VLC – watching anything
  • FireFox – browsing anything
  • Homebrew – installing anything
  • Emacs – anything

You’ll notice that Word is not on the list. I have nothing against people who use Word, I am just not one of them. There was a time when if I wanted to put text on a screen, it was my go to software, and I thought I was a pretty 1337 hacker because I knew how to do mail merges. I’m not that guy anymore. I don’t tell you what software to install on your computer, and I don’t assume you have the same software installed as me. For this reason I am careful to use non-proprietary file types when sending documents via email. I expect the same courtesy from you, and here’s why…

I don’t have Word installed

When you send me a Word document, you are making some pretty major assumptions, and as Samuel L. Jackson once said in the outstandingly amazing film The Long Kiss Goodnight

“When you make an assumption, you make an ass out of ‘u’ and ‘mption’.”

Firstly you assume that I have Word or some clone of it installed. I know you think the words ‘Computer’, ‘Microsoft’, ‘Windows’ and ‘Office’ are synonymous, but they’re not and there are plenty of people in the world who use *nix operating systems. By sending me a .docx file you’re forcing me to find a work around, so that I can use your document. What are my options? Well I could install an Office clone like Libre or Pages. I could use an online service like Google Docs or Zoho. I could even attempt to get Emacs to read the data and make a go of presenting it to me in some recognisable format. Do you see what you’ve done? You’ve made more work for me. You’ve sent me a locked box and asked me to either pay to get a key cut or smash it open with a crowbar.

Plain text should be plain

What happens when I finally manage to open your document? Well 90% of the time, all it contains is text. That’s it. Text. Strings of characters. So why the hell did you send it as a Word document to begin with? Why not just write the text directly into the body of the email? If it’s that important for you to write in Word, then save it as a .txt file. There’s not a computer on the planet that can’t read plain-text. (Well, that’s not technically true, as I’m pretty sure my Microwave contains a computer, but that’s besides the point.)

Are you really that good a designer?

The only possible reason I can imagine that you had to send me the document in Word format is because you are the world’s finest graphic designer/type-setter and that your choice of fonts, margins, kerning and paragraph indentation are so awe-inspiring that the very act of viewing the document will have me gouging my eyes out with a spoon, knowing that the gift of sight is no longer of any consequence as I shall never again behold a thing of such beauty. Of course the small flaw in your plan is that I don’t have the Lucida handwriting font installed on my system, and Preview struggles to display Word-Art clearly, so all your efforts are probably in vain.

Tables grrrr!

Sometime you send me the Word document as a container for other joys, such as tables. I understand that a .csv is ugly to behold, but computers don’t tend to worry about aesthetics too much, so they really are preferable. There are prettier tables available if you’re into that kind of thing. HTML tables are great, easy to parse and render, but Microsoft obviously think they’re the devil’s work and so prefer to use their own method of tabulating data. I don’t know how Microsoft has chosen to represent tables in their .docx files, but I do know that if Linus, Stallman and ESR got together and hacked away for a decade or so, they wouldn’t be able to create a program that could render a sodding table created in Word, correctly.

What’s with the crud

Sometimes the documents you send me contain other interesting elements. You feel the need to augment your text with such things as; little animated gifs of a stick man who is frustrated with his computer, borders of coloured apples, 3D Word-Art. Now I know you think that such embellishments will bring a smile to my face and ease my reading of your text, but I’m sorry to inform you that you’re wrong. Very wrong. Criminally wrong. You see, with out Word installed, I won’t be able to view these quirky little additions to you plain text, and I’m never going to install Word, so what was the point.

A heartfelt plea

So please… pretty please… please with bells on top, borders of apples and the word PLEASE written in bright blue Word-Art; think next time you want to send a Word document by email or put one on your website, think about your recipient. Could you use the body of the email or a page on the site? Perhaps you could save the file as a .txt, .rtf or PDF. Just spare a thought for those of us that choose not to use Microsoft Word, and respect our right not to do so.

Oh… and learn to write in sodding Markdown.

Read the whole story
jmorahan
3859 days ago
reply
"You’ve sent me a locked box and asked me to either pay to get a key cut or smash it open with a crowbar."
Share this story
Delete

How to protect yourself from Heartbleed

2 Shares

The Heartbleed vulnerability is one of the worst Internet security problems we have seen. I’ll be writing more about what we can learn from Heartbleed and the response to it.

For now, here is a quick checklist of what you can do to protect yourself.

If you are a regular user:

Most of the sites you use were probably vulnerable. Your password might have been leaked from any one of them. Unless you’re sure that a site was never vulnerable, you should change your password on that site. (It’s not enough that a site is invulnerable now, because your password could have leaked before the site was fixed.)

Yes, it’s a pain to change your passwords, but you were really meaning to change them at some point anyway, weren’t you? Now is a good time. (It’s also a good time to turn on two-factor authentication, on sites that offer it.)

But, before you change your password on a site, you need to make sure that that site has closed any remaining vulnerability. Look for an unequivocal statement from the site that (1) they are no longer vulnerable and (2) they have changed the private encryption key they use to protect HTTPS traffic. Once you’re sure that they have done those two things, then you should go ahead and change your password on the site. If they haven’t done those two things, then it’s best to wait until they do. Make yourself a note to come back and check in a few days.

The bad news is that some of your private information might have leaked from a vulnerable site. It will be very difficult to tell whether this happened, even for the site itself, and nearly impossible to undo a leak if it did happen.

If you run a website that supports HTTPS:

  • Go to http://filippo.io/Heartbleed/ and enter the name of your site, to test whether your site is vulnerable. If you’re not vulnerable, you’re done. If you are vulnerable, carry out the following steps.
  • Upgrade your server software to a non-vulnerable version. I can’t give you general advice on how to do this because it depends on which software you are running. Once you have done the upgrade, go back to http://filippo.io/Heartbleed/ and verify that you are no longer vulnerable.
  • After upgrading your software, generate a new SSL/TLS key and get a certificate for the new key. Start using the new key and certificate. (This is necessary because an attacker could have gotten your old key.)
  • Revoke the certificate you were previously using. (This is necessary because an attacker who got your old key could be using your old key and certificate to impersonate your site.)
  • Have your users change the passwords that they use to log in to your site. (This is necessary because users’ existing passwords could have been leaked. You need to get your house in order by carrying out the previous steps, before users can safely change passwords.)
Read the whole story
jmorahan
3864 days ago
reply
Share this story
Delete
Next Page of Stories