Monday, May 5, 2014

Heartbleed Affected More Sites Than You Realized

I don't have time to write up a detailed article describing the Heartbleed vulnerability, but plenty has been written about it elsewhere. Suffice it to say that it almost certainly affected sites you've used within the past two years, and you need to change some of your passwords. This article should help you determine which of your passwords you may need to change.

Contrary to the popular belief that the Heartbleed vulnerability was first discovered in March or April 2014, there's evidence that it was being exploited in November 2013, if not earlier. There's also a myth that Heartbleed doesn't affect users of Apple products, which is false; see Graham Cluley's Heartbleed OpenSSL bug FAQ for Mac, iPhone and iPad users for some basic factual information.

A handful of major news sites have put together small lists of Web sites whose users should change their passwords, but I've found these lists to be quite lacking, so I decided to put together my own. I've been compiling this list for almost a month; it's big, so it took a lot of time. This list includes some exclusives that I haven't seen anywhere else.

Given the enormity of this list, I strongly recommend that you search within this page for any sites you use, rather than trying to look through it alphabetically. Please note that there are several sections. Be sure to especially look at the first two sections; if you use any sites listed in those sections, you'll want to change your passwords for those sites (and anywhere else you may have shared the same password) as soon as possible.

If you search this article and can't find a particular site, see the section at the bottom of this article which explains how you can conduct your own Heartbleed tests. (Note that over a month after the Heartbleed vulnerability was disclosed to the public, over 300,000 servers are reportedly still vulnerable to Heartbleed attacks, so there's a decent chance that a server you use isn't on anyone's list, no matter how comprehensive the list may seem.)



Change Passwords NOW:

Amazon Web Services (AWS) e.g. EC2, S3, etc. (aws.amazon.com): company statement - https://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/ - according to Mashable, "Elastic Load Balancing, Amazon EC2, Amazon Linux AMI, Red Hat Enterprise Linux, Ubuntu, AWS OpsWorks, AWS Elastic Beanstalk and Amazon CloudFront were patched" - filippo.io/Heartbleed claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it - NOTE that the Amazon.com shopping site was unaffected by Heartbleed

App.net (app.net / account.app.net / alpha.app.net / join.app.net): company statement - http://blog.app.net/2014/04/10/openssl-heartbleed-vulnerability-update/ - new certificate after Heartbleed publicly disclosed; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Ars Technica (arstechnica.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Barracuda Networks - see Copy

Bitly (bitly.com / bit.ly): Qualys claims currently not vulnerable to Heartbleed attack; however, Bitly announced in early May 2014 that its system was breached (presumably unrelated to the Heartbleed bug), so the company recommends changing passwords and other account settings as outlined at https://bit.ly/SecurityDetails

Bizrate (bizrate.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Blogger/Blogspot - see Google

Box (box.com): company statement - https://blog.box.com/2014/04/box-protection-against-openssl-heartbleed-vulnerability/ - new certificate after Heartbleed publicly disclosed; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

The Church of Jesus Christ of Latter-day Saints (lds.org / signin.lds.org / mormonorg.lds.org / edge.mormoncdn.org etc.): LastPass says lds.org doesn't use OpenSSL but signin.lds.org does (it's unclear whether the site ever used a vulnerable version); new certificates after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys and Trend Micro claim currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Copy cloud storage by Barracuda Networks (copy.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

comiXology (www.comixology.com): currently/previously on dberkholz's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

CrashPlan (crashplan.com): company statement - https://helpdesk.code42.com/entries/50328933-Code42-Products-and-the-Heartbleed-Bug (an e-mail was also sent to users on 15 April 2014 stating "As a precautionary measure, we recommend that all users update their CrashPlan passwords. It's not necessary to change your private password, nor your custom 448-bit key (if you are using these advanced security features)." - new certificate after Heartbleed publicly disclosed; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

custhelp.com by Oracle (247pearsoned.custhelp.com / penguingroup.custhelp.com etc.): new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Dashlane (www.dashlane.com) patched its servers and revoked its old certificates; they claim you don't need to change your password, but you should change it anyway

DirectPass from Trend Micro (www.directpass.com): new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; LastPass says "known [to] use OpenSSL" so it could potentially have been affected in the past; however, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Dropbox (dropbox.com / dl.dropbox.com / getdropbox.com / dl.dropboxusercontent.com): new certificate after Heartbleed publicly disclosed; company statement - https://twitter.com/dropbox_support/status/453673783480832000

Duke University (duke.edu): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Dynadot domain name registrar (dynadot.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

eBay (signin.ebay.com / signin.ebay.ca / signin.ebay.co.uk): Trend Micro claims currently not vulnerable to Heartbleed attack; LastPass claims signin.ebay.com was not previously vulnerable, and signin.ebay.co.uk and signin.ebay.ca use OpenSSL and may possibly have been vulnerable in the past but have recently updated certificates; however, eBay announced on 21 May 2014 that its system was breached (presumably unrelated to the Heartbleed bug), so the company recommends changing passwords immediately; official statement at https://www.paypal-community.com/t5/PayPal-Forward/eBay-To-Ask-Users-to-Change-Their-Passwords-No-Evidence-PayPal/ba-p/815612 - meanwhile, eBay subsidiary PayPal was supposedly unaffected; see also PayPal in the "Known Safe" section

Facebook (facebook.com): company stated, "We added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed. ... we encourage people to ... set up a unique password." When exactly did Facebook add protections? Current certificate was issued March 1st, more than a month before public Heartbleed disclosure; note, however, that there's been evidence that the vulnerability was being exploited prior to public disclosure, so it would be wise to change your Facebook password now

Fitbit (fitbit.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Flickr - see Yahoo!

Get Satisfaction (getsatisfaction.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

GitHub (github.com): company statement - https://github.com/blog/1818-security-heartbleed-vulnerability - new certificate after Heartbleed publicly disclosed; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

GoDaddy domain name registrar (godaddy.com): company statement - http://godaddyblog.com/open-ssl-heartbleed-weve-patched-servers/ - Qualys claims that the primary domain godaddy.com (which is supposedly running Microsoft IIS, not OpenSSL, according to LastPass Heartbleed Checker) currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Google (including google.com search / blogger.com and blogspot.com / youtube.com / Gmail mail.google.com / Google Play Store play.google.com / Google Wallet checkout.google.com / Google Apps / Google App Engine appengine.google.com / developers.google.com / cloud.google.com etc.): company statement according to Mashable - "We have assessed the SSL vulnerability and applied patches to key Google services."

Gravatar (secure.gravatar.com): new certificate after Heartbleed publicly disclosed - hints at possibly having been affected

Great Lakes student loans (mygreatlakes.org): new certificate after Heartbleed publicly disclosed - hints at possibly having been affected

IFTTT "if this then that" (ifttt.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Instagram, a Facebook company (instagram.com): company statement to Mashable: "Our security teams worked quickly on a fix... because this event impacted many services across the web, we recommend you update your password on Instagram and other sites, particularly if you use the same password on multiple sites."

Jehovah's Witnesses - see Watch Tower Bible and Tract Society

LastPass (lastpass.com) servers were affected and patched; although the company says you don't need to change your master password, if you've ever logged into your account on their site it would be a good idea to change your LastPass account password

LDS - see Church of Jesus Christ of Latter-day Saints

Libsyn (libsyn.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Mormon - see Church of Jesus Christ of Latter-day Saints

Netflix (netflix.com): from company statement to Mashable - "we took immediate action to assess the vulnerability and address it. ... It's a good practice to change passwords from time to time, now would be a good time to think about doing so."

Network Solutions (networksolutions.com) claims in a statement from 9 April 2014 (https://www.networksolutions.com/blog/2014/04/notice-to-web-com-network-solutions-and-register-com-customers-about-the-heartbleed-vulnerability/) that its systems have been patched

OkCupid (okcupid.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Pinterest (pinterest.com): from company statement to Mashable - "We fixed the issue on Pinterest.com... To be extra careful, we e-mailed Pinners who may have been impacted, and encouraged them to change their passwords." Better advice: change it now, regardless of whether you get an e-mail.

ReadWrite (readwrite.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Reddit (reddit.com / pay.reddit.com): new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims pay.reddit.com is currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

ReverbNation (reverbnation.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Rockstar Games (socialclub.rockstargames.com / support.rockstargames.com): company statement - https://support.rockstargames.com/hc/en-us/articles/202393788-Effect-of-Heartbleed-Security-Issue-on-Rockstar-Social-Club-Members - not all certificates used by this company appear to have been reissued after Heartbleed publicly disclosed (although non-reissued certificates might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, filippo.io/Heartbleed claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Scoop.it (scoop.it): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Shopzilla (shopzilla.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Skrill online payment site (skrill.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Smashwords (smashwords.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

SoundCloud (soundcloud.com): on Mashable's list; also notifying logged-in users that a password change is recommended due to Heartbleed bug, so change it now

Sourceforge (sourceforge.net) was only partially affected: "the only vulnerable service was SourceForge's Subversion over HTTPS on Allura (svn.code.sourceforge.net)" http://sourceforge.net/blog/sourceforge-response-to-heartbleed/ - if you think you may have used svn.code.sourceforge.net within the past two years, read the full company statement and change your password (the certificate for *.code.sourceforge.net has been reissued)

Squidoo (squidoo.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Steam gaming site by Valve (steamcommunity.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Toshiba (toshiba.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Trend Micro - see DirectPass

Tumblr - see Yahoo!

Twitter initially claimed to be unaffected (http://status.twitter.com/post/82109064906/ssl-security-update) but later told Mashable it had applied a patch; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Unity Technologies (unity3d.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

University of California, Los Angeles aka UCLA (ucla.edu / gateway.it.ucla.edu): ucla.edu currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

University of Illinois at Urbana-Champaign (uiuc.edu / uofi.illinois.edu / uofi.uic.edu / uofi.uis.edu / illinois.edu / uofi.uillinois.edu): uiuc.edu currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

University of Maryland (umd.edu): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

USAA banking/insurance (usaa.com): company statement at https://communities.usaa.com/t5/USAA-News/USAA-Takes-Measures-Against-Heartbleed-Bug/ba-p/25876 says "A security patch was implemented...and...we have obtained new certificates for usaa.com... we recommend members periodically change their passwords, especially when there is a known vulnerability, and use a unique password for each site"

VUDU (my.vudu.com): vudu.com currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Watch Tower Bible and Tract Society (www.jw.org / watchtower.org / watchtower.com): watchtower.com currently/previously on Ragic's list of supposedly affected sites (even though it doesn't appear to accept HTTPS connections); www.jw.org has a new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims www.jw.org currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Wikipedia and other Wikimedia sites (wikipedia.org / wikimedia.org / wikibooks.org / wikidata.org / wikinews.org / wikiquote.org / wikisource.org / wiktionary.org / mediawiki.org): company statement at https://blog.wikimedia.org/2014/04/10/wikimedias-response-to-the-heartbleed-security-vulnerability/ explains that their SSL certificate provider keeps the original "not valid before" date on replaced certificates; Qualys claims currently not vulnerable to Heartbleed attack, so if you have an account at wikipedia.org or its sister sites, now's the time to change your password

Wikispaces (wikispaces.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

Yahoo! (including Flickr flickr.com / Tumblr tumblr.com / Yahoo! Mail mail.yahoo.com / login.yahoo.com etc.) - Mashable states that "Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr were patched"; new certificates after Heartbleed publicly disclosed; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it

YouTube - see Google

Zendesk (zendesk.com): company statement - https://support.zendesk.com/entries/50648937 - excerpt: "we strongly recommend that you regenerate your Zendesk hosted SSL certificate and reset all user passwords"

ZergNet (zergnet.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it



Change Passwords NOW (but make sure you do it while connected to a trusted network):

Advertising Age (adage.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

AddThis (addthis.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Airbnb (www.airbnb.com): on CNNMoney's list of passwords to change; not all certificates used by this domain appear to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Answers - see ResellerRatings

AOL (my.screenname.aol.com / mail.aol.com / webmail.aol.com / beta.mail.aol.com): "AOL told Mashable it was not running the vulnerable version"; Qualys claims the listed domains are currently not vulnerable to Heartbleed attack; however, AOL announced on 28 April 2014 that its encrypted passwords database was breached (presumably unrelated to the Heartbleed bug), so the company recommends changing passwords immediately at https://account.aol.com - I've put this in the "make sure you do it while connected to a trusted network" section because AOL is notorious for not maintaining an HTTPS connection on all pages after logging in

archive.org - see Internet Archive

The Atlantic
(theatlantic.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Beliefnet (beliefnet.com): currently/previously on dberkholz's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Bio - A&E Biography (biography.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

BitTorrent (bittorrent.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Blip (blip.tv): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Buenos Aires Ciudad - government site in Argentina (id.buenosaires.gob.ar): "buenosaires.gob.ar" currently/previously on Ragic's list of supposedly affected sites; id.buenosaires.gob.ar certificate was NOT reissued after Heartbleed was publicly disclosed - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Cheezburger (cheezburger.com): currently/previously on dberkholz's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Chess.com (chess.com): currently/previously on dberkholz's list of supposedly affected sites; not all certificates used by this domain appear to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

The Christian Post (christianpost.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Creative Commons (creativecommons.org): currently/previously on dberkholz's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Daily Mail (www.dailymail.co.uk / secured.dailymail.co.uk): on CNET's "Be on alert" list, and has not responded to CNET's request for comment; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else (note that the login page itself isn't encrypted, so you'll want to change your password while connected to a trusted network, and don't give any sensitive information to this site)

Deseret News (deseretnews.com): currently/previously on dberkholz's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Drugs.com (drugs.com): currently/previously on dberkholz's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

DuckDuckGo search engine (duckduckgo.com / duck.co): duckduckgo.com currently/previously on Ragic's list of supposedly affected sites; new certificate for duckduckgo.com after Heartbleed publicly disclosed - hints at possibly having been affected; duck.co certificate was NOT reissued after Heartbleed was publicly disclosed - theoretically may be spoofable by a MITM; nevertheless, Qualys claims both domains currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

The Economist (economist.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

EdgeCast CDN (edgecastcdn.net): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Eventbrite (eventbrite.com / eventbrite.co.uk etc.): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Fark (fark.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

FatWallet (fatwallet.com): currently/previously on Ragic's list of supposedly affected sites; not all certificates used by this domain appear to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Favstar (favstar.fm): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Fixya (www.fixya.com): ssllabs said vulnerable until I tested again on 13 April 2014 at 18:43 UTC; previously on dberkholz's list of affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, ssllabs & filippo.io/Heartbleed both indicate it's no longer vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

fool.com - see Motley Fool

Friend or Follow (friendorfollow.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

The Heritage Foundation (secure.heritage.org): "heritage.org" currently/previously on Ragic's list of supposedly affected sites; secure.heritage.org certificate was NOT reissued after Heartbleed was publicly disclosed - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Hide My Ass (hidemyass.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Imgur (imgur.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Indiegogo (indiegogo.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Internet Archive (archive.org): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Kaspersky (kaspersky.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Lonely Planet (lonelyplanet.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

mail.com: currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Merriam-Webster (secure.merriam-webster.com): "m-w.com" currently/previously on Ragic's list of supposedly affected sites; secure.merriam-webster.com certificate was reissued on 4 April 2014, after Heartbleed was disclosed but PRIOR to when OpenSSL 1.0.1g was released on 7 April - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

The Motley Fool (fool.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

National Journal (nationaljournal.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

North Carolina State University (ncsu.edu): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Outbrain (outbrain.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Path (path.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

The PHP Group (php.net): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

phpBB (phpbb.com): currently/previously on Ragic's list of supposedly affected sites; certificate was reissued on 5 April 2014, after Heartbleed was disclosed but PRIOR to when OpenSSL 1.0.1g was released on 7 April - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

phpnuke (phpnuke.org): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

PicMonkey (picmonkey.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

RapidShare (rapidshare.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Remember The Milk (rememberthemilk.com): currently/previously on Ragic's list of supposedly affected sites; not all certificates used by this domain appear to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

ResellerRatings by Answers (resellerratings.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Rolling Stone (rollingstone.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

SoftCoin branding and coupons (softcoin.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Squarespace (static.squarespace.com): Squarespace claims "All public-facing Squarespace services are safe and not vulnerable to the #heartbleed TLS vulnerability" https://twitter.com/Squarespace/status/453690949005094912 - you can supposedly e-mail [email protected] for "full details" - however, currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Stack Exchange (stackexchange.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

State Government of Victoria (vic.gov.au): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

The Street (thestreet.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Twitpic (twitpic.com): ssllabs said vulnerable until I tested again on 15 April 2014 at 05:19 UTC; previously on dberkholz's list of affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, ssllabs & filippo.io/Heartbleed both indicate it's no longer vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Userscripts.org (userscripts.org): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Us Weekly (usmagazine.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

uTorrent (utorrent.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Victoria government site - see State Government of Victoria

Vocabulary.com (vocabulary.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Webster's Dictionary - see Merriam-Webster

Zagat (zagat.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else

Zap2it (zap2it.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else



Unknown/Ambiguous:
I'm not aware of public statements made by these companies, and their certificates haven't been replaced since Heartbleed became public knowledge, but they're not currently vulnerable according to SSLLabs

A&E - see History Channel

AbeBooks (abebooks.com): Qualys claims currently not vulnerable to Heartbleed attack

about.me: Qualys claims currently not vulnerable to Heartbleed attack; note that parent company AOL is in the "Change Passwords NOW (but make sure you do it while connected to a trusted network)" category but not because of Heartbleed

Alaska Airlines (alaskaair.com / www.alaskaair.com / webselfservice.alaskaair.com): Qualys claims currently not vulnerable to Heartbleed attack

Allegiance feedback site (www.allegiancetech.com - used for the feedback page on mormon.org and other sites)

American Airlines (aa.com): Qualys claims currently not vulnerable to Heartbleed attack

American InterContinental University Online (aiuonline.edu): Qualys claims currently not vulnerable to Heartbleed attack

BabyCenter (babycenter.com): Qualys claims currently not vulnerable to Heartbleed attack

Barack Obama (login.barackobama.com): Qualys claims currently not vulnerable to Heartbleed attack

Burrtec Waste Industries - see MyOnlineBill.com

CafePress (cafepress.com / members.cafepress.com): Qualys claims currently not vulnerable to Heartbleed attack

Catholic Online e-mail (webmail.catholic.org): Qualys claims currently not vulnerable to Heartbleed attack, but LastPass says "known [to] use OpenSSL" so it could potentially have been affected in the past

Charter Communications e-mail (web.charter.net): Qualys claims currently not vulnerable to Heartbleed attack

Convio nonprofit donation site by Blackbaud (secure2.convio.net): Qualys claims currently not vulnerable to Heartbleed attack, but LastPass says "known [to] use OpenSSL" so it could potentially have been affected in the past

Costco (costco.com): Qualys claims currently not vulnerable to Heartbleed attack

Delicious bookmarking site (delicious.com, formerly del.icio.us): LastPast says this site is "known [to] use OpenSSL" but filippo.io/Heartbleed claims currently not vulnerable to Heartbleed attack; I e-mailed company on 12 April 2014 and have not received any statement

Delta Air Lines (www.delta.com): Qualys claims currently not vulnerable to Heartbleed attack

Delta Dental Insurance (deltadentalins.com): Qualys claims currently not vulnerable to Heartbleed attack

Department of Motor Vehicles, California (dmv.ca.gov): Qualys claims currently not vulnerable to Heartbleed attack

Disney login/registration (register.go.com / registerdisney.go.com): Qualys claims currently not vulnerable to Heartbleed attack

E*TRADE (etrade.com / us.etrade.com): Qualys claims currently not vulnerable to Heartbleed attack; LastPass claims E*TRADE was not vulnerable to Heartbleed (but doesn't really offer evidence to support this assertion); on CNNMoney's list of supposedly unaffected sites; public statement to Mashable on 9 April 2014 was that the company was "still investigating"

eSellerate (mycommerce.com): Qualys claims currently not vulnerable to Heartbleed attack

FAFSA financial aid (fafsa.ed.gov): Qualys claims currently not vulnerable to Heartbleed attack

FriendFeed (friendfeed.com): Qualys claims currently not vulnerable to Heartbleed attack

Gazelle (gazelle.com): Qualys claims currently not vulnerable to Heartbleed attack

Hawaiian Airlines (apps.hawaiianairlines.com): Qualys claims currently not vulnerable to Heartbleed attack

History Channel / A&E Television Networks shopping (secure.history.com): Qualys claims currently not vulnerable to Heartbleed attack

JetBlue Airways (book.jetblue.com): Qualys claims currently not vulnerable to Heartbleed attack

LegitScript online pharmacy legitimacy verification (secure.legitscript.com): Qualys claims currently not vulnerable to Heartbleed attack

McAfee support site (mysupport.mcafee.com): Qualys claims currently not vulnerable to Heartbleed attack

mint.com (Qualys claims currently not vulnerable to Heartbleed attack)

MyOnlineBill.com bill payment site used by waste disposal (e.g. Burrtec) and insurance companies (app.myonlinebill.com): Qualys claims currently not vulnerable to Heartbleed attack

MySpace (myspace.com): Qualys claims currently not vulnerable to Heartbleed attack; I e-mailed company on 12 April 2014 and have received no response

Northcentral University (learners.ncu.edu): Qualys claims currently not vulnerable to Heartbleed attack

Norton / Symantec (account.norton.com / login.norton.com): Qualys claims currently not vulnerable to Heartbleed attack

Pacific Gas and Electric (www.pge.com): Qualys claims currently not vulnerable to Heartbleed attack

Patient Compass hospital bill payment (patientcompass.com): Qualys claims currently not vulnerable to Heartbleed attack

Plurk (plurk.com): Qualys claims currently not vulnerable to Heartbleed attack

ProtectMyID identity theft monitoring - offered to Target customers after holiday 2013 breach (protectmyid.com): Qualys claims currently not vulnerable to Heartbleed attack

Safeway grocery store (auth.safeway.com): Qualys claims currently not vulnerable to Heartbleed attack

Slashdot (slashdot.org): Qualys claims currently not vulnerable to Heartbleed attack

Snapchat (support.snapchat.com): Qualys claims currently not vulnerable to Heartbleed attack

Southern California Edison (sce.com): Qualys claims currently not vulnerable to Heartbleed attack

Southern California Gas Company (myaccount.socalgas.com): Qualys claims currently not vulnerable to Heartbleed attack

Southwest Airlines (www.southwest.com): Qualys claims currently not vulnerable to Heartbleed attack — BUT may be vulnerable to MITM attacks

Spotify (spotify.com): Qualys claims currently not vulnerable to Heartbleed attack

StumbleUpon (stumbleupon.com): Qualys claims currently not vulnerable to Heartbleed attack

Symantec - see Norton

Target theft monitoring partner - see ProtectMyID

Time Warner Cable (twlax.convergentcare.com): Qualys claims currently not vulnerable to Heartbleed attack

United Airlines (www.united.com): Qualys claims currently not vulnerable to Heartbleed attack

United Stated Postal Service (usps.com): Qualys claims currently not vulnerable to Heartbleed attack — BUT IS vulnerable to MITM attacks

University of Phoenix (www.phoenix.edu / ecampus.phoenix.edu): Qualys claims currently not vulnerable to Heartbleed attack — BUT ecampus subdomain IS vulnerable to MITM attacks

Upromise (lty.s.upromise.com): Qualys claims currently not vulnerable to Heartbleed attack

Verizon - not Wireless (signin.verizon.com): Qualys claims currently not vulnerable to Heartbleed attack

Verizon Wireless (login.verizonwireless.com): Qualys claims currently not vulnerable to Heartbleed attack

Virgin America airline (virginamerica.com): Qualys claims currently not vulnerable to Heartbleed attack

VirusShare.com (virusshare.com): Qualys claims currently not vulnerable to Heartbleed attack

VirusTotal (www.virustotal.com): Qualys claims currently not vulnerable to Heartbleed attack

Vons grocery store (rss.vons.com): Qualys claims currently not vulnerable to Heartbleed attack

Web of Trust (mywot.com): Qualys claims currently not vulnerable to Heartbleed attack



Known Safe - No Password Change Needed (according to the company and/or third-party tests):

AirTran Airways (ebyepass.airtran.com): uses Microsoft IIS, not OpenSSL

Amazon (www.amazon.com) told Mashable, "Amazon.com is not affected" - also on CNET and CNNMoney safe lists -  filippo.io/Heartbleed claims currently not vulnerable to Heartbleed attack - HOWEVER, note that the separate site Amazon Web Services is in the "Change Passwords NOW" section; see also comiXology which is a recently acquired Amazon property that's also in the "Change Passwords NOW" section

American Express (online.americanexpress.com): Qualys claims currently not vulnerable to Heartbleed attack; LastPass claims AmEx was not vulnerable to Heartbleed (but doesn't really offer evidence to support this assertion); AmEx told Mashable, "There was no compromise of any customer data. While we are not requiring customers to take any specific action at this time, it is a good security practice to regularly update Internet passwords."

Ancestry.com (secure.ancestry.com): uses Microsoft IIS, not OpenSSL

Apple (bugreport.apple.com / idmsa.apple.com / lists.apple.com / ssl.apple.com etc.): Mashable says Apple claims "key Web-based services were not affected"; Qualys claims the listed domains are currently not vulnerable to Heartbleed attack (however, it is a bit suspicious that the certificate for ssl.apple.com was reissued on 16 April 2014 even though the old certificate wasn't due to expire until November 2015, according to the Firefox add-on Certificate Patrol)

Bank of America (www.bankofamerica.com) told Mashable, "A majority of our platforms do NOT use OpenSSL, and the ones that do, we have confirmed no vulnerabilities."

BECU credit union (www.becu.org): uses Microsoft IIS, not OpenSSL (also on CNNMoney's "Don't worry about these" list)

Capital One bank (www.capitalone.com) told Mashable, "Capital One uses a version of encryption that is not vulnerable to Heartbleed" (filippo.io/Heartbleed claims currently not vulnerable to Heartbleed attack)

Charter Communications billing (myaccount.charter.com): uses Microsoft IIS, not OpenSSL

Chase bank (www.chase.com) told Mashable, "These sites [which?] don't use the encryption software that is vulnerable to the Heartbleed bug."

Citibank / Citigroup (online.citibank.com / www.citigroup.com): Citigroup told Mashable that it doesn't use OpenSSL in "customer-facing retail banking and credit card sites and mobile apps"

CNET (e.g. upload.cnet.com) according to CNET's article in Sources section below; Qualys claims upload.cnet.com currently not vulnerable to Heartbleed attack — BUT IS vulnerable to MITM attacks

Deseret Book (deseretbook.com / bookshelf.deseretbook.com): privately stated in an e-mail to me that "Deseret Book was not effected by the bug. We already had some security features in place so that we would not be vulnerable."  - Qualys claims currently not vulnerable to Heartbleed attack

deviantART (deviantart.com): LastPass claims site was not vulnerable; Qualys claims currently not vulnerable to Heartbleed attack

EDJOIN job site (edjoin.org): uses Microsoft IIS, not OpenSSL

eSellerate Affiliates (affiliates.esellerate.net): uses Microsoft IIS, not OpenSSL

Evernote (evernote.com): company statement - http://discussion.evernote.com/topic/56287-heartbleed/

F-Secure - see younited

FamilySearch (familysearch.org / new.familysearch.org): company statement - https://familysearch.org/campaign/heart-bleed - Qualys claims currently not vulnerable to Heartbleed attack (however, see Church of Jesus Christ of Latter-day Saints in the "Change Passwords NOW" section for other LDS sites)

Frontier Airlines (www.flyfrontier.com): uses Microsoft IIS, not OpenSSL

H&R Block (www.hrblock.com) according to CNNMoney, Mashable, and LastPass; statement to Mashable on 9 April 2014: "We are reviewing our systems and currently have found no risk to client data from this issue."

HealthCare.gov (www.healthcare.gov) according to CNNMoney, Mashable, and LastPass; statement to Mashable: "Healthcare.gov consumer accounts are not affected by this vulnerability."

Hotmail - see Microsoft

Hulu (secure.hulu.com) according to CNNMoney and LastPass; filippo.io/Heartbleed also confirms currently unaffected

iCloud - on CNNMoney's "Don't worry about these" list; see also Apple

Intuit - see TurboTax

IRS (irs.gov) according to CNNMoney, LastPass, and IRS statement at http://www.irs.gov/uac/Newsroom/IRS-Statement-on-Heartbleed-and-Filing-Season

iTunes - on CNNMoney's "Don't worry about these" list; see also Apple

Kaiser Permanente (kaiserpermanente.org / healthy.kaiserpermanente.org / kp.org): privately stated in an e-mail to me on 13 April 2014 that "We have confirmed that kp.org, the website our members use to manage their care, is not vulnerable to the 'Heartbleed' bug. However, members may want to change their passwords periodically, a practice recommended by many online security experts." - Qualys claims the listed domains are currently not vulnerable to Heartbleed attack; however, it is a bit suspicious that the certificate for healthy.kaiserpermanente.org was reissued on 16 April 2014 after this statement was made - hints at possibly having been affected after all; when I followed up in early May, Kaiser responded, "We use several kinds of encryption protocols, in addition to the version of OpenSSL that has been identified as having the 'Heartbleed' vulnerability. After we learned of the new vulnerability, we immediately began assessing our data network and applying security patches where needed. However, it is important to note that kp.org, the website our members use to manage their care, is not vulnerable to the 'Heartbleed' bug." - it sounds like internal systems were affected and patched, but public-facing sites were not affected

LinkedIn (www.linkedin.com / www.slideshare.net) told Mashable, "We didn't use the offending implementation of OpenSSL in www.linkedin.com or www.slideshare.net. As a result, HeartBleed does not present a risk to these web properties."

Mapquest, an AOL company - unaffected according to CNN/CNNMoney; note that parent company AOL is in the "Change Passwords NOW (but make sure you do it while connected to a trusted network)" category but not because of Heartbleed

McAfee customer login (secure.mcafee.com): uses Microsoft IIS, not OpenSSL

Microsoft (including Hotmail, MSN, and Outlook.com) according to CNNMoney and CNET

Monster job search (login.monster.com): uses Microsoft IIS, not OpenSSL

MSN - see Microsoft

National Marrow Donor Program (donors.marrow.org): uses Microsoft IIS, not OpenSSL

Newegg (secure.newegg.com): http://blog.newegg.com/heartbleed-bug-threatens-world-wide-web-newegg-remains-safe/ (Qualys claims currently not vulnerable to Heartbleed attack)

OpenDNS (opendns.com): http://labs.opendns.com/2014/04/09/hitting-ground-running/ (Qualys claims currently not vulnerable to Heartbleed attack)

Outlook.com - see Microsoft

Patreon donation site (www.patreon.com): LastPass says they run OpenSSL 1.0.1e (an affected version), but Qualys claims currently not vulnerable to Heartbleed attack (so presumably the heartbeat feature is disabled), while Filippo.io/Heartbleed can't seem to test the site; Patreon responded to me on 19 April 2014 stating that "Our dev team has run several tests and patreon.com is secure."

PayPal (www.paypal.com): Trend Micro claims currently not vulnerable to Heartbleed attack; LastPass claims was not previously vulnerable; note that parent company eBay is in the "Change Passwords NOW" category but not because of Heartbleed, and PayPal supposedly wasn't affected by that breach

Pearson VUE testing site (www1.pearsonvue.com and also www2., www6., www7., www8., and www9.): uses Microsoft IIS, not OpenSSL

proXPN OpenVPN provider (proxpn.com / support.proxpn.com) according to company statement at https://support.proxpn.com/index.php?/News/NewsItem/View/6/proxpn-and-the-openssl-heartbleed-vulnerability - "your service and personal information is not and was not compromised due to this vulnerability.  proXPN was not affected by this vulnerability, and have taken steps to ensure we never will." - another statement at https://twitter.com/proXPN/status/453778527561596928 explains that proXPN uses OpenSSL 1.0.0e which is unaffected; also, filippo.io/Heartbleed claims proXPN's site is currently not vulnerable to Heartbleed attack

Redbox (www.redbox.com): uses Microsoft IIS, not OpenSSL

SAS Institute (sas.com / login.sas.com): LastPass claims these domains were not vulnerable; Qualys claims currently not vulnerable to Heartbleed attack — BUT IS vulnerable to MITM attacks

Seattle Cancer Care Alliance (www.seattlecca.org / secure.seattlecca.org): uses Microsoft IIS, not OpenSSL

Spirit Airlines (spirit.com): uses Microsoft IIS, not OpenSSL

TaxACT (taxact.com) according to Mashable and LastPass; statement to Mashable: "Customers can update their passwords at any time, although we are not proactively advising them to do so at this time."

Thriftbooks.com online bookstore (thriftbooks.com): uses Microsoft IIS, not OpenSSL

TurboTax by Intuit (myturbotax.intuit.com / support.turbotax.intuit.com) according to CNNMoney, Mashable, and LastPass; filippo.io/Heartbleed also confirms currently unaffected

U.S. Bank (www.usbank.com) stated to Mashable, "We do not use OpenSSL for customer-facing, Internet banking channels, so U.S. Bank customer data is NOT at risk" (filippo.io/Heartbleed claims currently not vulnerable to Heartbleed attack)

US Airways (www.usairways.com): uses Microsoft IIS, not OpenSSL

younited by F-Secure (younited.com): company statement - http://blog.younited.com/2014/04/14/tldr-younited-is-not-vulnerable-to-heartbleed-but-action-may-be-needed/ (Qualys claims currently not vulnerable to Heartbleed attack)

Zazzle custom design shop (www.zazzle.com): uses Microsoft IIS, not OpenSSL



Further Notes and Explanations

When I say "now's the time to change it," I'm making the assumption that the Heartbleed bug was fixed on the server prior to when the new certificate was reissued.  Unfortunately, there doesn't seem to be a good way to tell whether this was the case, so we just have to trust that the sites did these things in the correct order.  The worst that could happen is that the old certificate was either never revoked (and thus it's theoretically possible for there to be a MITM) or was revoked after the new certificate was issued (which would mean there was a window when MITM attacks could occur, or MITM attacks could still occur now if your browser isn't checking for certificate revocation).

The best practice with passwords is to have a strong and completely unique password on every site, and for this reason some prefer to use a trusted, secure password management system.  You can either trust someone like LastPass or 1Password to manage passwords for you, or you could roll your own password management solution (for example, on Macs you could create a writable, encrypted disk image using Disk Utility and store all your passwords as folders on that disk, and unmount it whenever you're done retrieving a password from it).  I recommend generating passwords with https://www.grc.com/passwords.htm (an alternative is https://lastpass.com/generatepassword.php but it's not my personal preference)

Also, when I say, "certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM," I haven't verified whether the old certificate was just rekeyed instead of being reissued (and I'm not aware of an easy way to verify this). According to Filippo Valsorda at http://filippo.io/Heartbleed/faq.html - "a certificate can be re-keyed without dates being updated, and many CAs are doing this." To clarify, "theoretically may be spoofable by a MITM" means that a third party between you and the actual site (a "man in the middle") could intercept the connection without you knowing it. Another possible attack that has been demonstrated is that a stolen certificate can be used in conjunction with an attack on DNS (e.g. a HOSTS file redirect or DNS cache poisoning) to enable a fraudulent site (for example a phishing page) to appear perfectly valid and legitimate to the browser (jump to about 1:20:22 and watch/listen until about 1:25:21 in Security Now 451 at http://twit.tv/sn451 or see page 7 of the show notes https://www.grc.com/sn/sn-451-notes.pdf).

Lastly, and I haven't seen anyone else discuss this yet, sites that are currently running Microsoft IIS or some other unaffected platform may have been running an affected version of OpenSSL sometime within the past two years, and it would be difficult to find out without directly asking the system administrators for each site (and hoping they respond; I'm surprised that major news sites like CNET evidently never got a response from several major companies).  Obviously, that's a lot of work, but I'd guess that in most cases we can assume that if a site is running IIS now then they likely were running it prior to the discovery of the Heartbleed bug.


Other Lists of Current/Past Allegedly Affected Sites

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
http://money.cnn.com/2014/04/10/technology/security/heartbleed-passwords/
https://gist.github.com/dberkholz/10169691
http://www.ragic.com/heartbleed/heartbleed/1
http://www.netskope.com/blog/heartbleed-remediation-status-for-enterprise-cloud-apps/ (enterprise cloud apps; continues to be updated as of early May 2014)



Test Pages - How to Check Whether a Site Is/Was Vulnerable

For many of the domains in the lists above (particularly those that weren't on a list of reportedly affected sites, as far as I knew), I first used the LastPass Heartbleed Checker first, and then followed up by testing with Qualys SSL Labs (or occasionally another site if I was short on time). For most of the sites that were already on someone else's list as reportedly vulnerable, I mostly just tested with SSL Labs to see if they were still vulnerable.  If Qualys SSL Labs then identified a site as vulnerable to Heartbleed (which only happened a couple times), I double-checked those domains with Filippo Valsorda's Heartbleed test page for an additional confirmation.

Note that in some jurisdictions, scanning another site with one of these tools may be considered illegal. You may wish to check your local laws or consult with a lawyer before conducting any tests on a site you don't own. Remember, you can always contact the site's support and ask them whether their site has ever been affected by the Heartbleed vulnerability.

If you're testing sites on your own (especially domains not listed in this article), I recommend using LastPass Heartbleed Checker first, then Qualys SSL Labs second. To check e-mail servers (IMAP or SMTP), also use 1Password Watchtower third. If it isn't clear whether a site may have been vulnerable in the past, contact the site and ask.

https://lastpass.com/heartbleed/ (LastPass Heartbleed Checker; includes notes about past Heartbleed status of some domains; lists certificate validity dates)

https://www.ssllabs.com/ssltest/index.html (Qualys SSL Labs; comprehensive SSL/TLS tests including current Heartbleed status; lists certificate validity dates; does NOT include notes about past Heartbleed status of domains; also notifies if a site might be vulnerable to MITM attacks for other reasons)

https://filippo.io/Heartbleed/ (Filippo Valsorda's Heartbleed Test; only tests current Heartbleed status; does NOT include notes about past Heartbleed status of domains)

https://www.directpass.com/heartbleeddetector (Trend Micro Heartbleed Detector; like Filippo.io, it only tests current Heartbleed status; does NOT include notes about past Heartbleed status of domains)

https://watchtower.agilebits.com (1Password Watchtower; some status messages and recommendations on this site can be a bit confusing, but on the positive side, this service checks Secure IMAP and SMTP servers on ports 993 and 465 (not just HTTPS on port 443 like the other sites); only tests current Heartbleed status; does NOT include notes about past Heartbleed status of domains)



UPDATE, 15 May 2014: Moved Bitly to the list of passwords to change immediately (the site was recently hacked, unrelated to Heartbleed). Added link to Robert Graham's recent finding that 300,000 servers are still vulnerable.

UPDATE, 21 May 2014: Added eBay to the list of passwords to change immediately (the site was recently hacked, unrelated to Heartbleed). Added PayPal to Known Safe section. Hat tip: Graham Cluley http://grahamcluley.com/2014/05/ebay-confirms-security-breach-users-asked-change-passwords/


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, and follow me on Twitter and .

Windows XP's Death: Good Time to Switch to Apple?

Last month after Microsoft officially ended support for Windows XP and the company declared (somewhat misleadingly, it turns out) that it would never again release any more security updates for the nearly 13-year-old operating system, I wrote an article to help users decide whether it might be a good time to switch to an Apple product, especially a Mac or an iPad. Read the article, published by Intego at The Mac Security Blog:

Windows XP's Death: Good Time to Switch to Apple?

Of course, if you're geeky enough (or on a particularly tight budget), you could keep your old PC hardware and switch to Linux instead.

And don't forget, if you dual-boot your Mac or use Windows XP in a virtual machine (for example, Parallels Desktop, VMWare Fusion, or Oracle VirtualBox), it might be a good idea to upgrade to a currently supported version of Windows.


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter or .

What to Do if Your Mac Can't Run OS X Mavericks

On the day after Mac OS X v10.9 Mavericks' public release in October 2013, I updated my extremely popular "What to Do if Your Mac Can't Run Mountain Lion" article and released a new version that applies to Mavericks.

If you've been trying to figure out whether your Mac is upgradeable, or if you already know it won't run OS X Mavericks and are wondering if there's anything you can do about it, check out my article over at The Mac Security Blog by Intego:

What to Do if Your Mac Can't Run OS X Mavericks


Another article I wrote at the end of August 2013 describes Apple's most recent update to its XProtect "Safe Downloads List" at the time, which bumped the minimum allowed versions of the Oracle Java browser plug-in:

Apple Updates XProtect to Block Vulnerable Java Versions

Since that article was published, the minimum allowed version of the Adobe Flash Player browser plug-in was increased to 11.8.800.94 on September 10th and again to 12.0.0.44 on February 5th. Although critical security updates have been released for Flash Player since then, Apple still has not increased the minimum allowed version of Flash Player. The current version as of today is 13.0.0.206, which was released one week ago on April 28, 2014 to patch a critical zero-day vulnerability that was actively being exploited in the wild on Windows systems.


For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter or .