I don't have time to write up a detailed article describing the Heartbleed vulnerability, but plenty has been written about it elsewhere. Suffice it to say that it almost certainly affected sites you've used within the past two years, and you need to change some of your passwords. This article should help you determine which of your passwords you may need to change.
Contrary to the popular belief that the Heartbleed vulnerability was first discovered in March or April 2014, there's evidence that it was being exploited in November 2013, if not earlier. There's also a myth that Heartbleed doesn't affect users of Apple products, which is false; see Graham Cluley's Heartbleed OpenSSL bug FAQ for Mac, iPhone and iPad users for some basic factual information.
A handful of major news sites have put together small lists of Web sites whose users should change their passwords, but I've found these lists to be quite lacking, so I decided to put together my own. I've been compiling this list for almost a month; it's big, so it took a lot of time. This list includes some exclusives that I haven't seen anywhere else.
Given the enormity of this list, I strongly recommend that you search within this page for any sites you use, rather than trying to look through it alphabetically. Please note that there are several sections. Be sure to especially look at the first two sections; if you use any sites listed in those sections, you'll want to change your passwords for those sites (and anywhere else you may have shared the same password) as soon as possible.
If you search this article and can't find a particular site, see the section at the bottom of this article which explains how you can conduct your own Heartbleed tests. (Note that over a month after the Heartbleed vulnerability was disclosed to the public, over 300,000 servers are reportedly still vulnerable to Heartbleed attacks, so there's a decent chance that a server you use isn't on anyone's list, no matter how comprehensive the list may seem.)
Change Passwords NOW:
Amazon Web Services (AWS) e.g. EC2, S3, etc. (aws.amazon.com): company statement - https://aws.amazon.com/security/security-bulletins/aws-services-updated-to-address-openssl-vulnerability/ - according to Mashable, "Elastic Load Balancing, Amazon EC2, Amazon Linux AMI, Red Hat Enterprise Linux, Ubuntu, AWS OpsWorks, AWS Elastic Beanstalk and Amazon CloudFront were patched" - filippo.io/Heartbleed claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it - NOTE that the Amazon.com shopping site was unaffected by Heartbleed
App.net (app.net / account.app.net / alpha.app.net / join.app.net): company statement - http://blog.app.net/2014/04/10/openssl-heartbleed-vulnerability-update/ - new certificate after Heartbleed publicly disclosed; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Ars Technica (arstechnica.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Barracuda Networks - see Copy
Bitly (bitly.com / bit.ly): Qualys claims currently not vulnerable to Heartbleed attack; however, Bitly announced in early May 2014 that its system was breached (presumably unrelated to the Heartbleed bug), so the company recommends changing passwords and other account settings as outlined at https://bit.ly/SecurityDetails
Bizrate (bizrate.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Blogger/Blogspot - see Google
Box (box.com): company statement - https://blog.box.com/2014/04/box-protection-against-openssl-heartbleed-vulnerability/ - new certificate after Heartbleed publicly disclosed; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
The Church of Jesus Christ of Latter-day Saints (lds.org / signin.lds.org / mormonorg.lds.org / edge.mormoncdn.org etc.): LastPass says lds.org doesn't use OpenSSL but signin.lds.org does (it's unclear whether the site ever used a vulnerable version); new certificates after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys and Trend Micro claim currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Copy cloud storage by Barracuda Networks (copy.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
comiXology (www.comixology.com): currently/previously on dberkholz's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
CrashPlan (crashplan.com): company statement - https://helpdesk.code42.com/entries/50328933-Code42-Products-and-the-Heartbleed-Bug (an e-mail was also sent to users on 15 April 2014 stating "As a precautionary measure, we recommend that all users update their CrashPlan passwords. It's not necessary to change your private password, nor your custom 448-bit key (if you are using these advanced security features)." - new certificate after Heartbleed publicly disclosed; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
custhelp.com by Oracle (247pearsoned.custhelp.com / penguingroup.custhelp.com etc.): new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Dashlane (www.dashlane.com) patched its servers and revoked its old certificates; they claim you don't need to change your password, but you should change it anyway
DirectPass from Trend Micro (www.directpass.com): new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; LastPass says "known [to] use OpenSSL" so it could potentially have been affected in the past; however, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Dropbox (dropbox.com / dl.dropbox.com / getdropbox.com / dl.dropboxusercontent.com): new certificate after Heartbleed publicly disclosed; company statement - https://twitter.com/dropbox_support/status/453673783480832000
Duke University (duke.edu): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Dynadot domain name registrar (dynadot.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
eBay (signin.ebay.com / signin.ebay.ca / signin.ebay.co.uk): Trend Micro claims currently not vulnerable to Heartbleed attack; LastPass claims signin.ebay.com was not previously vulnerable, and signin.ebay.co.uk and signin.ebay.ca use OpenSSL and may possibly have been vulnerable in the past but have recently updated certificates; however, eBay announced on 21 May 2014 that its system was breached (presumably unrelated to the Heartbleed bug), so the company recommends changing passwords immediately; official statement at https://www.paypal-community.com/t5/PayPal-Forward/eBay-To-Ask-Users-to-Change-Their-Passwords-No-Evidence-PayPal/ba-p/815612 - meanwhile, eBay subsidiary PayPal was supposedly unaffected; see also PayPal in the "Known Safe" section
Facebook (facebook.com): company stated, "We added protections for Facebook's implementation of OpenSSL before this issue was publicly disclosed. ... we encourage people to ... set up a unique password." When exactly did Facebook add protections? The current certificate was issued March 1st, more than a month before public Heartbleed disclosure; note, however, that there's been evidence that the vulnerability was being exploited prior to public disclosure, so it would be wise to change your Facebook password now
Fitbit (fitbit.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Flickr - see Yahoo!
Get Satisfaction (getsatisfaction.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
GitHub (github.com): company statement - https://github.com/blog/1818-security-heartbleed-vulnerability - new certificate after Heartbleed publicly disclosed; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
GoDaddy domain name registrar (godaddy.com): company statement - http://godaddyblog.com/open-ssl-heartbleed-weve-patched-servers/ - Qualys claims that the primary domain godaddy.com (which is supposedly running Microsoft IIS, not OpenSSL, according to LastPass Heartbleed Checker) is currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Google (including google.com search / blogger.com and blogspot.com / youtube.com / Gmail mail.google.com / Google Play Store play.google.com / Google Wallet checkout.google.com / Google Apps / Google App Engine appengine.google.com / developers.google.com / cloud.google.com etc.): company statement according to Mashable - "We have assessed the SSL vulnerability and applied patches to key Google services."
Gravatar (secure.gravatar.com): new certificate after Heartbleed publicly disclosed - hints at possibly having been affected
Great Lakes student loans (mygreatlakes.org): new certificate after Heartbleed publicly disclosed - hints at possibly having been affected
IFTTT "if this then that" (ifttt.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Instagram, a Facebook company (instagram.com): company statement to Mashable: "Our security teams worked quickly on a fix... because this event impacted many services across the web, we recommend you update your password on Instagram and other sites, particularly if you use the same password on multiple sites."
Jehovah's Witnesses - see Watch Tower Bible and Tract Society
LastPass (lastpass.com) servers were affected and patched; although the company says you don't need to change your master password, if you've ever logged into your account on their site it would be a good idea to change your LastPass account password
LDS - see Church of Jesus Christ of Latter-day Saints
Libsyn (libsyn.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Mormon - see Church of Jesus Christ of Latter-day Saints
Netflix (netflix.com): from company statement to Mashable - "we took immediate action to assess the vulnerability and address it. ... It's a good practice to change passwords from time to time, now would be a good time to think about doing so."
Network Solutions (networksolutions.com) claims in a statement from 9 April 2014 (https://www.networksolutions.com/blog/2014/04/notice-to-web-com-network-solutions-and-register-com-customers-about-the-heartbleed-vulnerability/) that its systems have been patched
OkCupid (okcupid.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Pinterest (pinterest.com): from company statement to Mashable - "We fixed the issue on Pinterest.com... To be extra careful, we e-mailed Pinners who may have been impacted, and encouraged them to change their passwords." Better advice: change it now, regardless of whether you get an e-mail.
ReadWrite (readwrite.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Reddit (reddit.com / pay.reddit.com): new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims pay.reddit.com is currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
ReverbNation (reverbnation.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Rockstar Games (socialclub.rockstargames.com / support.rockstargames.com): company statement - https://support.rockstargames.com/hc/en-us/articles/202393788-Effect-of-Heartbleed-Security-Issue-on-Rockstar-Social-Club-Members - not all certificates used by this company appear to have been reissued after Heartbleed publicly disclosed (although non-reissued certificates might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, filippo.io/Heartbleed claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Scoop.it (scoop.it): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Shopzilla (shopzilla.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Skrill online payment site (skrill.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Smashwords (smashwords.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
SoundCloud (soundcloud.com): on Mashable's list; also notifying logged-in users that a password change is recommended due to Heartbleed bug, so change it now
Sourceforge (sourceforge.net) was only partially affected: "the only vulnerable service was SourceForge's Subversion over HTTPS on Allura (svn.code.sourceforge.net)" http://sourceforge.net/blog/sourceforge-response-to-heartbleed/ - if you think you may have used svn.code.sourceforge.net within the past two years, read the full company statement and change your password (the certificate for *.code.sourceforge.net has been reissued)
Squidoo (squidoo.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Steam gaming site by Valve (steamcommunity.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Toshiba (toshiba.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Trend Micro - see DirectPass
Tumblr - see Yahoo!
Twitter initially claimed to be unaffected (http://status.twitter.com/post/82109064906/ssl-security-update) but later told Mashable it had applied a patch; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Unity Technologies (unity3d.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
University of California, Los Angeles aka UCLA (ucla.edu / gateway.it.ucla.edu): ucla.edu currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
University of Illinois at Urbana-Champaign (uiuc.edu / uofi.illinois.edu / uofi.uic.edu / uofi.uis.edu / illinois.edu / uofi.uillinois.edu): uiuc.edu currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
University of Maryland (umd.edu): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
USAA banking/insurance (usaa.com): company statement at https://communities.usaa.com/t5/USAA-News/USAA-Takes-Measures-Against-Heartbleed-Bug/ba-p/25876 says "A security patch was implemented...and...we have obtained new certificates for usaa.com... we recommend members periodically change their passwords, especially when there is a known vulnerability, and use a unique password for each site"
VUDU (my.vudu.com): vudu.com currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Watch Tower Bible and Tract Society (www.jw.org / watchtower.org / watchtower.com): watchtower.com currently/previously on Ragic's list of supposedly affected sites (even though it doesn't appear to accept HTTPS connections); www.jw.org has a new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims www.jw.org currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Wikipedia and other Wikimedia sites (wikipedia.org / wikimedia.org / wikibooks.org / wikidata.org / wikinews.org / wikiquote.org / wikisource.org / wiktionary.org / mediawiki.org): company statement at https://blog.wikimedia.org/2014/04/10/wikimedias-response-to-the-heartbleed-security-vulnerability/ explains that their SSL certificate provider keeps the original "not valid before" date on replaced certificates; Qualys claims currently not vulnerable to Heartbleed attack, so if you have an account at wikipedia.org or its sister sites, now's the time to change your password
Wikispaces (wikispaces.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Yahoo! (including Flickr flickr.com / Tumblr tumblr.com / Yahoo! Mail mail.yahoo.com / login.yahoo.com etc.) - Mashable states that "Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr were patched"; new certificates after Heartbleed publicly disclosed; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
YouTube - see Google
Zendesk (zendesk.com): company statement - https://support.zendesk.com/entries/50648937 - excerpt: "we strongly recommend that you regenerate your Zendesk hosted SSL certificate and reset all user passwords"
ZergNet (zergnet.com): currently/previously on Ragic's list of supposedly affected sites; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now's the time to change it
Change Passwords NOW (but make sure you do it while connected to a trusted network):
Advertising Age (adage.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
AddThis (addthis.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Airbnb (www.airbnb.com): on CNNMoney's list of passwords to change; not all certificates used by this domain appear to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Answers - see ResellerRatings
AOL (my.screenname.aol.com / mail.aol.com / webmail.aol.com / beta.mail.aol.com): "AOL told Mashable it was not running the vulnerable version"; Qualys claims the listed domains are currently not vulnerable to Heartbleed attack; however, AOL announced on 28 April 2014 that its encrypted passwords database was breached (presumably unrelated to the Heartbleed bug), so the company recommends changing passwords immediately at https://account.aol.com - I've put this in the "make sure you do it while connected to a trusted network" section because AOL is notorious for not maintaining an HTTPS connection on all pages after logging in
archive.org - see Internet Archive
The Atlantic (theatlantic.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Beliefnet (beliefnet.com): currently/previously on dberkholz's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Bio - A&E Biography (biography.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
BitTorrent (bittorrent.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Blip (blip.tv): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Buenos Aires Ciudad - government site in Argentina (id.buenosaires.gob.ar): "buenosaires.gob.ar" currently/previously on Ragic's list of supposedly affected sites; id.buenosaires.gob.ar certificate was NOT reissued after Heartbleed was publicly disclosed - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Cheezburger (cheezburger.com): currently/previously on dberkholz's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Chess.com (chess.com): currently/previously on dberkholz's list of supposedly affected sites; not all certificates used by this domain appear to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
The Christian Post (christianpost.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Creative Commons (creativecommons.org): currently/previously on dberkholz's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Daily Mail (www.dailymail.co.uk / secured.dailymail.co.uk): on CNET's "Be on alert" list, and has not responded to CNET's request for comment; new certificate after Heartbleed publicly disclosed - hints at possibly having been affected; Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else (note that the login page itself isn't encrypted, so you'll want to change your password while connected to a trusted network, and don't give any sensitive information to this site)
Deseret News (deseretnews.com): currently/previously on dberkholz's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Drugs.com (drugs.com): currently/previously on dberkholz's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
DuckDuckGo search engine (duckduckgo.com / duck.co): duckduckgo.com currently/previously on Ragic's list of supposedly affected sites; new certificate for duckduckgo.com after Heartbleed publicly disclosed - hints at possibly having been affected; duck.co certificate was NOT reissued after Heartbleed was publicly disclosed - theoretically may be spoofable by a MITM; nevertheless, Qualys claims both domains currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
The Economist (economist.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
EdgeCast CDN (edgecastcdn.net): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Eventbrite (eventbrite.com / eventbrite.co.uk etc.): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Fark (fark.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
FatWallet (fatwallet.com): currently/previously on Ragic's list of supposedly affected sites; not all certificates used by this domain appear to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Favstar (favstar.fm): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Fixya (www.fixya.com): ssllabs said vulnerable until I tested again on 13 April 2014 at 18:43 UTC; previously on dberkholz's list of affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, ssllabs & filippo.io/Heartbleed both indicate it's no longer vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
fool.com - see Motley Fool
Friend or Follow (friendorfollow.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
The Heritage Foundation (secure.heritage.org): "heritage.org" currently/previously on Ragic's list of supposedly affected sites; secure.heritage.org certificate was NOT reissued after Heartbleed was publicly disclosed - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Hide My Ass (hidemyass.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Imgur (imgur.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Indiegogo (indiegogo.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Internet Archive (archive.org): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Kaspersky (kaspersky.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Lonely Planet (lonelyplanet.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
mail.com: currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Merriam-Webster (secure.merriam-webster.com): "m-w.com" currently/previously on Ragic's list of supposedly affected sites; secure.merriam-webster.com certificate was reissued on 4 April 2014, after Heartbleed had been disclosed privately to some vendors but PRIOR to the public disclosure and the release of the fixed OpenSSL 1.0.1g on 7 April, so the new key could have been installed on a still-unpatched server and extracted just like the old one - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
The Motley Fool (fool.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
National Journal (nationaljournal.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
North Carolina State University (ncsu.edu): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Outbrain (outbrain.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Path (path.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
The PHP Group (php.net): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
phpBB (phpbb.com): currently/previously on Ragic's list of supposedly affected sites; certificate was reissued on 5 April 2014, after Heartbleed had been disclosed privately to some vendors but PRIOR to the public disclosure and the release of the fixed OpenSSL 1.0.1g on 7 April, so the new key could have been installed on a still-unpatched server and extracted just like the old one - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
phpnuke (phpnuke.org): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
PicMonkey (picmonkey.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
RapidShare (rapidshare.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Remember The Milk (rememberthemilk.com): currently/previously on Ragic's list of supposedly affected sites; not all certificates used by this domain appear to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
ResellerRatings by Answers (resellerratings.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Rolling Stone (rollingstone.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
SoftCoin branding and coupons (softcoin.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Squarespace (static.squarespace.com): Squarespace claims "All public-facing Squarespace services are safe and not vulnerable to the #heartbleed TLS vulnerability" https://twitter.com/Squarespace/status/453690949005094912 - you can supposedly e-mail [email protected] for "full details" - however, currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Stack Exchange (stackexchange.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
State Government of Victoria (vic.gov.au): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
The Street (thestreet.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Twitpic (twitpic.com): ssllabs said vulnerable until I tested again on 15 April 2014 at 05:19 UTC; previously on dberkholz's list of affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, ssllabs & filippo.io/Heartbleed both indicate it's no longer vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Userscripts.org (userscripts.org): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Us Weekly (usmagazine.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
uTorrent (utorrent.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Victoria government site - see State Government of Victoria
Vocabulary.com (vocabulary.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Webster's Dictionary - see Merriam-Webster
Zagat (zagat.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
Zap2it (zap2it.com): currently/previously on Ragic's list of supposedly affected sites; certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM; nevertheless, Qualys claims currently not vulnerable to Heartbleed attack, so if you have a password at this site now may be a good time to change it to a new password you don't use anywhere else
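The entries above all apply the same three-step check: is the server still vulnerable right now, was its certificate replaced after the fix became available, and (the caveat repeated in almost every entry) could it have been rekeyed without the dates changing? The script below is an added example, not part of the original article or of any of the test sites it cites: it encodes those rules so you can apply them to a site that is not listed. It takes as input the text that `openssl x509 -noout -dates -serial -fingerprint` prints for a saved certificate plus the result of a live Heartbleed probe (which you run separately with SSL Labs or filippo.io/Heartbleed), and it resolves the "rekeyed with the same date" ambiguity by comparing fingerprints against an earlier observation of the same host, which is what the Certificate Patrol add-on mentioned later on this page records. The sample certificates are constructed and the verdict wording is mine.

```python
"""Heartbleed exposure triage from certificate observations (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, Optional

# CVE-2014-0160 was publicly disclosed and the fixed OpenSSL 1.0.1g released on
# 7 April 2014. A key put into service before that date could have been read out
# of a still-vulnerable server, so a reissue dated earlier does not help.
FIX_AVAILABLE = datetime(2014, 4, 7, tzinfo=timezone.utc)


class Verdict(Enum):
    STILL_VULNERABLE = "still vulnerable: do not log in until the server is patched"
    REISSUED_AFTER_FIX = "patched, certificate reissued after the fix: change password now"
    REISSUED_BEFORE_FIX = "patched, but new key predates the fix: may have leaked, change password"
    REKEYED_SAME_DATES = "patched, certificate replaced but validity dates kept: ask operator when; change password"
    NOT_REISSUED = "patched, certificate unchanged: key may have leaked, MITM-spoofable; change password"


@dataclass(frozen=True)
class CertObservation:
    not_before: datetime
    not_after: datetime
    serial: str
    fingerprint: str


OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # e.g. "Apr 16 00:00:00 2014 GMT"


def parse_openssl_x509(text: str) -> CertObservation:
    """Parse the key=value lines of `openssl x509 -noout -dates -serial -fingerprint`."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()

    def when(key: str) -> datetime:
        # openssl prints GMT; strptime leaves the value naive, so pin it to UTC.
        return datetime.strptime(fields[key], OPENSSL_DATE).replace(tzinfo=timezone.utc)

    fingerprint = fields.get("sha256 fingerprint") or fields["sha1 fingerprint"]
    return CertObservation(
        not_before=when("notbefore"),
        not_after=when("notafter"),
        serial=fields["serial"].upper(),
        fingerprint=fingerprint.replace(":", "").upper(),
    )


def triage(vulnerable_now: bool, current: CertObservation,
           previous: Optional[CertObservation] = None) -> Verdict:
    """Apply the page's rules. `vulnerable_now` is the result of a live Heartbleed
    probe; `previous` is an earlier observation of the same host, if you have one.
    Only a fingerprint change can reveal a rekey that kept the original dates."""
    if vulnerable_now:
        return Verdict.STILL_VULNERABLE
    if current.not_before >= FIX_AVAILABLE:
        return Verdict.REISSUED_AFTER_FIX
    if previous is not None and previous.fingerprint != current.fingerprint:
        if current.not_before > previous.not_before:
            return Verdict.REISSUED_BEFORE_FIX
        return Verdict.REKEYED_SAME_DATES
    return Verdict.NOT_REISSUED


# Constructed sample certificates; these are not any real site's certificates.
SAMPLE_OLD = """notBefore=Jan 15 00:00:00 2013 GMT
notAfter=Jan 15 23:59:59 2015 GMT
serial=0A1B2C3D4E5F
SHA1 Fingerprint=AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
"""
SAMPLE_REKEYED_SAME_DATES = SAMPLE_OLD.replace("AA:BB:CC:DD:EE:FF", "01:02:03:04:05:06")
SAMPLE_ISSUED_BEFORE_FIX = (SAMPLE_OLD.replace("Jan 15 00:00:00 2013", "Apr  4 00:00:00 2014")
                            .replace("AA:BB:CC:DD:EE:FF", "10:20:30:40:50:60"))
SAMPLE_ISSUED_AFTER_FIX = (SAMPLE_OLD.replace("Jan 15 00:00:00 2013", "Apr 16 00:00:00 2014")
                           .replace("AA:BB:CC:DD:EE:FF", "A0:B0:C0:D0:E0:F0"))


def demo() -> Dict[str, Verdict]:
    """Run every case the list above distinguishes, on the constructed samples."""
    old = parse_openssl_x509(SAMPLE_OLD)
    return {
        "still vulnerable": triage(True, old),
        "never reissued": triage(False, old, previous=old),
        "no earlier observation": triage(False, old),
        "reissued 4 April, before fix": triage(False, parse_openssl_x509(SAMPLE_ISSUED_BEFORE_FIX), previous=old),
        "reissued 16 April, after fix": triage(False, parse_openssl_x509(SAMPLE_ISSUED_AFTER_FIX)),
        "rekeyed, dates kept": triage(False, parse_openssl_x509(SAMPLE_REKEYED_SAME_DATES), previous=old),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30} -> {verdict.value}")
```

To feed it a real certificate, capture one with `openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null | openssl x509 -noout -dates -serial -fingerprint` and keep the output; a second capture weeks later is the "previous" observation the rekey check needs. One caveat the list itself does not spell out: reissuing a certificate does not invalidate the old one. Unless the CA revoked the old certificate and your browser actually checks revocation, an attacker holding a key leaked before the patch can keep impersonating the site until that old certificate expires.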
Unknown/Ambiguous:
I'm not aware of public statements made by these companies, and their certificates haven't been replaced since Heartbleed became public knowledge, but they're not currently vulnerable according to SSLLabs
A&E - see History Channel
AbeBooks (abebooks.com): Qualys claims currently not vulnerable to Heartbleed attack
about.me: Qualys claims currently not vulnerable to Heartbleed attack; note that parent company AOL is in the "Change Passwords NOW (but make sure you do it while connected to a trusted network)" category but not because of Heartbleed
Alaska Airlines (alaskaair.com / www.alaskaair.com / webselfservice.alaskaair.com): Qualys claims currently not vulnerable to Heartbleed attack
Allegiance feedback site (www.allegiancetech.com - used for the feedback page on mormon.org and other sites)
American Airlines (aa.com): Qualys claims currently not vulnerable to Heartbleed attack
American InterContinental University Online (aiuonline.edu): Qualys claims currently not vulnerable to Heartbleed attack
BabyCenter (babycenter.com): Qualys claims currently not vulnerable to Heartbleed attack
Barack Obama (login.barackobama.com): Qualys claims currently not vulnerable to Heartbleed attack
Burrtec Waste Industries - see MyOnlineBill.com
CafePress (cafepress.com / members.cafepress.com): Qualys claims currently not vulnerable to Heartbleed attack
Catholic Online e-mail (webmail.catholic.org): Qualys claims currently not vulnerable to Heartbleed attack, but LastPass says "known [to] use OpenSSL" so it could potentially have been affected in the past
Charter Communications e-mail (web.charter.net): Qualys claims currently not vulnerable to Heartbleed attack
Convio nonprofit donation site by Blackbaud (secure2.convio.net): Qualys claims currently not vulnerable to Heartbleed attack, but LastPass says "known [to] use OpenSSL" so it could potentially have been affected in the past
Costco (costco.com): Qualys claims currently not vulnerable to Heartbleed attack
Delicious bookmarking site (delicious.com, formerly del.icio.us): LastPass says this site is "known [to] use OpenSSL" but filippo.io/Heartbleed claims currently not vulnerable to Heartbleed attack; I e-mailed company on 12 April 2014 and have not received any statement
Delta Air Lines (www.delta.com): Qualys claims currently not vulnerable to Heartbleed attack
Delta Dental Insurance (deltadentalins.com): Qualys claims currently not vulnerable to Heartbleed attack
Department of Motor Vehicles, California (dmv.ca.gov): Qualys claims currently not vulnerable to Heartbleed attack
Disney login/registration (register.go.com / registerdisney.go.com): Qualys claims currently not vulnerable to Heartbleed attack
E*TRADE (etrade.com / us.etrade.com): Qualys claims currently not vulnerable to Heartbleed attack; LastPass claims E*TRADE was not vulnerable to Heartbleed (but doesn't really offer evidence to support this assertion); on CNNMoney's list of supposedly unaffected sites; public statement to Mashable on 9 April 2014 was that the company was "still investigating"
eSellerate (mycommerce.com): Qualys claims currently not vulnerable to Heartbleed attack
FAFSA financial aid (fafsa.ed.gov): Qualys claims currently not vulnerable to Heartbleed attack
FriendFeed (friendfeed.com): Qualys claims currently not vulnerable to Heartbleed attack
Gazelle (gazelle.com): Qualys claims currently not vulnerable to Heartbleed attack
Hawaiian Airlines (apps.hawaiianairlines.com): Qualys claims currently not vulnerable to Heartbleed attack
History Channel / A&E Television Networks shopping (secure.history.com): Qualys claims currently not vulnerable to Heartbleed attack
JetBlue Airways (book.jetblue.com): Qualys claims currently not vulnerable to Heartbleed attack
LegitScript online pharmacy legitimacy verification (secure.legitscript.com): Qualys claims currently not vulnerable to Heartbleed attack
McAfee support site (mysupport.mcafee.com): Qualys claims currently not vulnerable to Heartbleed attack
mint.com: Qualys claims currently not vulnerable to Heartbleed attack
MyOnlineBill.com bill payment site used by waste disposal (e.g. Burrtec) and insurance companies (app.myonlinebill.com): Qualys claims currently not vulnerable to Heartbleed attack
MySpace (myspace.com): Qualys claims currently not vulnerable to Heartbleed attack; I e-mailed company on 12 April 2014 and have received no response
Northcentral University (learners.ncu.edu): Qualys claims currently not vulnerable to Heartbleed attack
Norton / Symantec (account.norton.com / login.norton.com): Qualys claims currently not vulnerable to Heartbleed attack
Pacific Gas and Electric (www.pge.com): Qualys claims currently not vulnerable to Heartbleed attack
Patient Compass hospital bill payment (patientcompass.com): Qualys claims currently not vulnerable to Heartbleed attack
Plurk (plurk.com): Qualys claims currently not vulnerable to Heartbleed attack
ProtectMyID identity theft monitoring - offered to Target customers after holiday 2013 breach (protectmyid.com): Qualys claims currently not vulnerable to Heartbleed attack
Safeway grocery store (auth.safeway.com): Qualys claims currently not vulnerable to Heartbleed attack
Slashdot (slashdot.org): Qualys claims currently not vulnerable to Heartbleed attack
Snapchat (support.snapchat.com): Qualys claims currently not vulnerable to Heartbleed attack
Southern California Edison (sce.com): Qualys claims currently not vulnerable to Heartbleed attack
Southern California Gas Company (myaccount.socalgas.com): Qualys claims currently not vulnerable to Heartbleed attack
Southwest Airlines (www.southwest.com): Qualys claims currently not vulnerable to Heartbleed attack — BUT may be vulnerable to MITM attacks
Spotify (spotify.com): Qualys claims currently not vulnerable to Heartbleed attack
StumbleUpon (stumbleupon.com): Qualys claims currently not vulnerable to Heartbleed attack
Symantec - see Norton
Target theft monitoring partner - see ProtectMyID
Time Warner Cable (twlax.convergentcare.com): Qualys claims currently not vulnerable to Heartbleed attack
United Airlines (www.united.com): Qualys claims currently not vulnerable to Heartbleed attack
United States Postal Service (usps.com): Qualys claims currently not vulnerable to Heartbleed attack — BUT IS vulnerable to MITM attacks
University of Phoenix (www.phoenix.edu / ecampus.phoenix.edu): Qualys claims currently not vulnerable to Heartbleed attack — BUT ecampus subdomain IS vulnerable to MITM attacks
Upromise (lty.s.upromise.com): Qualys claims currently not vulnerable to Heartbleed attack
Verizon - not Wireless (signin.verizon.com): Qualys claims currently not vulnerable to Heartbleed attack
Verizon Wireless (login.verizonwireless.com): Qualys claims currently not vulnerable to Heartbleed attack
Virgin America airline (virginamerica.com): Qualys claims currently not vulnerable to Heartbleed attack
VirusShare.com (virusshare.com): Qualys claims currently not vulnerable to Heartbleed attack
VirusTotal (www.virustotal.com): Qualys claims currently not vulnerable to Heartbleed attack
Vons grocery store (rss.vons.com): Qualys claims currently not vulnerable to Heartbleed attack
Web of Trust (mywot.com): Qualys claims currently not vulnerable to Heartbleed attack
Known Safe - No Password Change Needed (according to the company and/or third-party tests):
AirTran Airways (ebyepass.airtran.com): uses Microsoft IIS, not OpenSSL
Amazon (www.amazon.com) told Mashable, "Amazon.com is not affected" - also on CNET and CNNMoney safe lists - filippo.io/Heartbleed claims currently not vulnerable to Heartbleed attack - HOWEVER, note that the separate site Amazon Web Services is in the "Change Passwords NOW" section; see also comiXology which is a recently acquired Amazon property that's also in the "Change Passwords NOW" section
American Express (online.americanexpress.com): Qualys claims currently not vulnerable to Heartbleed attack; LastPass claims AmEx was not vulnerable to Heartbleed (but doesn't really offer evidence to support this assertion); AmEx told Mashable, "There was no compromise of any customer data. While we are not requiring customers to take any specific action at this time, it is a good security practice to regularly update Internet passwords."
Ancestry.com (secure.ancestry.com): uses Microsoft IIS, not OpenSSL
Apple (bugreport.apple.com / idmsa.apple.com / lists.apple.com / ssl.apple.com etc.): Mashable says Apple claims "key Web-based services were not affected"; Qualys claims the listed domains are currently not vulnerable to Heartbleed attack (however, it is a bit suspicious that the certificate for ssl.apple.com was reissued on 16 April 2014 even though the old certificate wasn't due to expire until November 2015, according to the Firefox add-on Certificate Patrol)
Bank of America (www.bankofamerica.com) told Mashable, "A majority of our platforms do NOT use OpenSSL, and the ones that do, we have confirmed no vulnerabilities."
BECU credit union (www.becu.org): uses Microsoft IIS, not OpenSSL (also on CNNMoney's "Don't worry about these" list)
Capital One bank (www.capitalone.com) told Mashable, "Capital One uses a version of encryption that is not vulnerable to Heartbleed" (filippo.io/Heartbleed claims currently not vulnerable to Heartbleed attack)
Charter Communications billing (myaccount.charter.com): uses Microsoft IIS, not OpenSSL
Chase bank (www.chase.com) told Mashable, "These sites [which?] don't use the encryption software that is vulnerable to the Heartbleed bug."
Citibank / Citigroup (online.citibank.com / www.citigroup.com): Citigroup told Mashable that it doesn't use OpenSSL in "customer-facing retail banking and credit card sites and mobile apps"
CNET (e.g. upload.cnet.com) according to CNET's article in Sources section below; Qualys claims upload.cnet.com currently not vulnerable to Heartbleed attack — BUT IS vulnerable to MITM attacks
Deseret Book (deseretbook.com / bookshelf.deseretbook.com): privately stated in an e-mail to me that "Deseret Book was not affected by the bug. We already had some security features in place so that we would not be vulnerable." - Qualys claims currently not vulnerable to Heartbleed attack
deviantART (deviantart.com): LastPass claims site was not vulnerable; Qualys claims currently not vulnerable to Heartbleed attack
EDJOIN job site (edjoin.org): uses Microsoft IIS, not OpenSSL
eSellerate Affiliates (affiliates.esellerate.net): uses Microsoft IIS, not OpenSSL
Evernote (evernote.com): company statement - http://discussion.evernote.com/topic/56287-heartbleed/
F-Secure - see younited
FamilySearch (familysearch.org / new.familysearch.org): company statement - https://familysearch.org/campaign/heart-bleed - Qualys claims currently not vulnerable to Heartbleed attack (however, see Church of Jesus Christ of Latter-day Saints in the "Change Passwords NOW" section for other LDS sites)
Frontier Airlines (www.flyfrontier.com): uses Microsoft IIS, not OpenSSL
H&R Block (www.hrblock.com) according to CNNMoney, Mashable, and LastPass; statement to Mashable on 9 April 2014: "We are reviewing our systems and currently have found no risk to client data from this issue."
HealthCare.gov (www.healthcare.gov) according to CNNMoney, Mashable, and LastPass; statement to Mashable: "Healthcare.gov consumer accounts are not affected by this vulnerability."
Hotmail - see Microsoft
Hulu (secure.hulu.com) according to CNNMoney and LastPass; filippo.io/Heartbleed also confirms currently unaffected
iCloud - on CNNMoney's "Don't worry about these" list; see also Apple
Intuit - see TurboTax
IRS (irs.gov) according to CNNMoney, LastPass, and IRS statement at http://www.irs.gov/uac/Newsroom/IRS-Statement-on-Heartbleed-and-Filing-Season
iTunes - on CNNMoney's "Don't worry about these" list; see also Apple
Kaiser Permanente (kaiserpermanente.org / healthy.kaiserpermanente.org / kp.org): privately stated in an e-mail to me on 13 April 2014 that "We have confirmed that kp.org, the website our members use to manage their care, is not vulnerable to the 'Heartbleed' bug. However, members may want to change their passwords periodically, a practice recommended by many online security experts." - Qualys claims the listed domains are currently not vulnerable to Heartbleed attack; however, it is a bit suspicious that the certificate for healthy.kaiserpermanente.org was reissued on 16 April 2014 after this statement was made - hints at possibly having been affected after all; when I followed up in early May, Kaiser responded, "We use several kinds of encryption protocols, in addition to the version of OpenSSL that has been identified as having the 'Heartbleed' vulnerability. After we learned of the new vulnerability, we immediately began assessing our data network and applying security patches where needed. However, it is important to note that kp.org, the website our members use to manage their care, is not vulnerable to the 'Heartbleed' bug." - it sounds like internal systems were affected and patched, but public-facing sites were not affected
LinkedIn (www.linkedin.com / www.slideshare.net) told Mashable, "We didn't use the offending implementation of OpenSSL in www.linkedin.com or www.slideshare.net. As a result, HeartBleed does not present a risk to these web properties."
Mapquest, an AOL company - unaffected according to CNN/CNNMoney; note that parent company AOL is in the "Change Passwords NOW (but make sure you do it while connected to a trusted network)" category but not because of Heartbleed
McAfee customer login (secure.mcafee.com): uses Microsoft IIS, not OpenSSL
Microsoft (including Hotmail, MSN, and Outlook.com) according to CNNMoney and CNET
Monster job search (login.monster.com): uses Microsoft IIS, not OpenSSL
MSN - see Microsoft
National Marrow Donor Program (donors.marrow.org): uses Microsoft IIS, not OpenSSL
Newegg (secure.newegg.com): http://blog.newegg.com/heartbleed-bug-threatens-world-wide-web-newegg-remains-safe/ (Qualys claims currently not vulnerable to Heartbleed attack)
OpenDNS (opendns.com): http://labs.opendns.com/2014/04/09/hitting-ground-running/ (Qualys claims currently not vulnerable to Heartbleed attack)
Outlook.com - see Microsoft
Patreon donation site (www.patreon.com): LastPass says they run OpenSSL 1.0.1e (an affected version), but Qualys claims currently not vulnerable to Heartbleed attack (so presumably the heartbeat feature is disabled), while Filippo.io/Heartbleed can't seem to test the site; Patreon responded to me on 19 April 2014 stating that "Our dev team has run several tests and patreon.com is secure."
PayPal (www.paypal.com): Trend Micro claims currently not vulnerable to Heartbleed attack; LastPass claims was not previously vulnerable; note that parent company eBay is in the "Change Passwords NOW" category but not because of Heartbleed, and PayPal supposedly wasn't affected by that breach
Pearson VUE testing site (www1.pearsonvue.com and also www2., www6., www7., www8., and www9.): uses Microsoft IIS, not OpenSSL
proXPN OpenVPN provider (proxpn.com / support.proxpn.com) according to company statement at https://support.proxpn.com/index.php?/News/NewsItem/View/6/proxpn-and-the-openssl-heartbleed-vulnerability - "your service and personal information is not and was not compromised due to this vulnerability. proXPN was not affected by this vulnerability, and have taken steps to ensure we never will." - another statement at https://twitter.com/proXPN/status/453778527561596928 explains that proXPN uses OpenSSL 1.0.0e which is unaffected; also, filippo.io/Heartbleed claims proXPN's site is currently not vulnerable to Heartbleed attack
Redbox (www.redbox.com): uses Microsoft IIS, not OpenSSL
SAS Institute (sas.com / login.sas.com): LastPass claims these domains were not vulnerable; Qualys claims currently not vulnerable to Heartbleed attack — BUT IS vulnerable to MITM attacks
Seattle Cancer Care Alliance (www.seattlecca.org / secure.seattlecca.org): uses Microsoft IIS, not OpenSSL
Spirit Airlines (spirit.com): uses Microsoft IIS, not OpenSSL
TaxACT (taxact.com) according to Mashable and LastPass; statement to Mashable: "Customers can update their passwords at any time, although we are not proactively advising them to do so at this time."
Thriftbooks.com online bookstore (thriftbooks.com): uses Microsoft IIS, not OpenSSL
TurboTax by Intuit (myturbotax.intuit.com / support.turbotax.intuit.com) according to CNNMoney, Mashable, and LastPass; filippo.io/Heartbleed also confirms currently unaffected
U.S. Bank (www.usbank.com) stated to Mashable, "We do not use OpenSSL for customer-facing, Internet banking channels, so U.S. Bank customer data is NOT at risk" (filippo.io/Heartbleed claims currently not vulnerable to Heartbleed attack)
US Airways (www.usairways.com): uses Microsoft IIS, not OpenSSL
younited by F-Secure (younited.com): company statement - http://blog.younited.com/2014/04/14/tldr-younited-is-not-vulnerable-to-heartbleed-but-action-may-be-needed/ (Qualys claims currently not vulnerable to Heartbleed attack)
Zazzle custom design shop (www.zazzle.com): uses Microsoft IIS, not OpenSSL
Further Notes and Explanations
When I say "now's the time to change it," I'm making the assumption that the Heartbleed bug was fixed on the server prior to when the new certificate was reissued. Unfortunately, there doesn't seem to be a good way to tell whether this was the case, so we just have to trust that the sites did these things in the correct order. The worst that could happen is that the old certificate was either never revoked (and thus it's theoretically possible for there to be a MITM) or was revoked after the new certificate was issued (which would mean there was a window when MITM attacks could occur, or MITM attacks could still occur now if your browser isn't checking for certificate revocation).
The best practice with passwords is to have a strong and completely unique password on every site, and for this reason some prefer to use a trusted, secure password management system. You can either trust someone like LastPass or 1Password to manage passwords for you, or you could roll your own password management solution (for example, on Macs you could create a writable, encrypted disk image using Disk Utility, store all your passwords as folders on that disk, and unmount it whenever you're done retrieving a password from it). I recommend generating passwords with https://www.grc.com/passwords.htm (an alternative is https://lastpass.com/generatepassword.php, but it's not my personal preference).
Also, when I say, "certificate appears NOT to have been reissued after Heartbleed publicly disclosed (although it might have been rekeyed while retaining the same date) - theoretically may be spoofable by a MITM," I haven't verified whether the old certificate was just rekeyed instead of being reissued (and I'm not aware of an easy way to verify this). According to Filippo Valsorda at http://filippo.io/Heartbleed/faq.html - "a certificate can be re-keyed without dates being updated, and many CAs are doing this." To clarify, "theoretically may be spoofable by a MITM" means that a third party between you and the actual site (a "man in the middle") could intercept the connection without you knowing it. Another possible attack that has been demonstrated is that a stolen certificate can be used in conjunction with an attack on DNS (e.g. a HOSTS file redirect or DNS cache poisoning) to enable a fraudulent site (for example a phishing page) to appear perfectly valid and legitimate to the browser (jump to about 1:20:22 and watch/listen until about 1:25:21 in Security Now 451 at http://twit.tv/sn451 or see page 7 of the show notes https://www.grc.com/sn/sn-451-notes.pdf).
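The two caveats in the notes above (a certificate whose dates changed but whose key did not, and a certificate that was rekeyed while keeping the same dates) can be told apart if you have a copy of the certificate a site served before the disclosure alongside the one it serves now: compare the validity dates and, separately, a fingerprint of the SubjectPublicKeyInfo, which identifies the key pair regardless of serial number or dates. The Go program below is an added example written for this article, not code from the original post or from any of the checkers it mentions. It builds constructed self-signed certificates in-process (the name www.example.test, the keys and the dates are all made up) and classifies each pair against the 7 April 2014 public disclosure date.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Heartbleed was publicly disclosed on 7 April 2014; anything issued after
// that date at least had the chance to be issued for a fresh key.
var heartbleedDisclosure = time.Date(2014, 4, 7, 0, 0, 0, 0, time.UTC)

// Verdicts for comparing a pre-disclosure certificate with the current one.
const (
	VerdictUnchanged        = "unchanged: same key and same dates"
	VerdictReissuedSameKey  = "reissued but NOT rekeyed: a key leaked via Heartbleed would still work"
	VerdictRekeyedSameDates = "rekeyed without dates being updated: a date check alone misses this"
	VerdictReissuedNewKey   = "reissued with a new key"
)

// CertReport is what the comparison tells a defender.
type CertReport struct {
	SameDates          bool   // NotBefore/NotAfter identical
	SameKey            bool   // SubjectPublicKeyInfo identical
	NewAfterDisclosure bool   // current NotBefore is later than 7 April 2014
	OldKeyFingerprint  string // SHA-256 of the old certificate's SPKI
	NewKeyFingerprint  string // SHA-256 of the current certificate's SPKI
	Verdict            string
}

// spkiFingerprint hashes the DER-encoded SubjectPublicKeyInfo, so two
// certificates carrying the same public key get the same fingerprint.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Compare answers two questions: did the dates move, and did the key change?
func Compare(old, cur *x509.Certificate) CertReport {
	r := CertReport{
		SameDates:          old.NotBefore.Equal(cur.NotBefore) && old.NotAfter.Equal(cur.NotAfter),
		NewAfterDisclosure: cur.NotBefore.After(heartbleedDisclosure),
		OldKeyFingerprint:  spkiFingerprint(old),
		NewKeyFingerprint:  spkiFingerprint(cur),
	}
	r.SameKey = r.OldKeyFingerprint == r.NewKeyFingerprint
	switch {
	case r.SameKey && r.SameDates:
		r.Verdict = VerdictUnchanged
	case r.SameKey:
		r.Verdict = VerdictReissuedSameKey
	case r.SameDates:
		r.Verdict = VerdictRekeyedSameDates
	default:
		r.Verdict = VerdictReissuedNewKey
	}
	return r
}

// makeCert builds a constructed self-signed certificate for the scenarios
// below; a real audit would feed Compare() certificates captured from the site.
func makeCert(serial int64, key *ecdsa.PrivateKey, notBefore, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "www.example.test"}, // constructed hostname
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Scenarios runs Compare over four constructed certificate pairs: the
// original pre-disclosure certificate against itself, against a reissue that
// kept the old key, against a rekey that kept the old dates, and against a
// reissue with a new key.
func Scenarios() map[string]CertReport {
	oldKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	issued := time.Date(2013, 11, 1, 0, 0, 0, 0, time.UTC)   // constructed, before disclosure
	expires := time.Date(2015, 11, 1, 0, 0, 0, 0, time.UTC)  // constructed
	reissued := time.Date(2014, 4, 16, 0, 0, 0, 0, time.UTC) // constructed, after disclosure

	original := makeCert(1, oldKey, issued, expires)
	return map[string]CertReport{
		"unchanged":           Compare(original, original),
		"reissued, same key":  Compare(original, makeCert(2, oldKey, reissued, expires)),
		"rekeyed, same dates": Compare(original, makeCert(3, newKey, issued, expires)),
		"reissued, new key":   Compare(original, makeCert(4, newKey, reissued, expires)),
	}
}

func main() {
	for name, r := range Scenarios() {
		fmt.Printf("%-20s after-disclosure=%-5t %s\n", name, r.NewAfterDisclosure, r.Verdict)
	}
}
```

The "rekeyed, same dates" case is the one Filippo Valsorda describes: the key changed, so the site is no longer at risk from a key captured before the fix, yet the validity dates give no hint of it. The opposite case, "reissued, same key", is the one a date check alone would wrongly count as safe, since a new certificate wrapping the old public key does nothing against a private key that may already have been read from server memory.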
Lastly, and I haven't seen anyone else discuss this yet, sites that are currently running Microsoft IIS or some other unaffected platform may have been running an affected version of OpenSSL sometime within the past two years, and it would be difficult to find out without directly asking the system administrators for each site (and hoping they respond; I'm surprised that major news sites like CNET evidently never got a response from several major companies). Obviously, that's a lot of work, but I'd guess that in most cases we can assume that if a site is running IIS now then they likely were running it prior to the discovery of the Heartbleed bug.
Other Lists of Current/Past Allegedly Affected Sites
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/
http://money.cnn.com/2014/04/10/technology/security/heartbleed-passwords/
https://gist.github.com/dberkholz/10169691
http://www.ragic.com/heartbleed/heartbleed/1
http://www.netskope.com/blog/heartbleed-remediation-status-for-enterprise-cloud-apps/ (enterprise cloud apps; continues to be updated as of early May 2014)
Test Pages - How to Check Whether a Site Is/Was Vulnerable
For many of the domains in the lists above (particularly those that weren't on a list of reportedly affected sites, as far as I knew), I first used the LastPass Heartbleed Checker and then followed up by testing with Qualys SSL Labs (or occasionally another site if I was short on time). For most of the sites that were already on someone else's list as reportedly vulnerable, I mostly just tested with SSL Labs to see if they were still vulnerable. If Qualys SSL Labs then identified a site as vulnerable to Heartbleed (which only happened a couple of times), I double-checked those domains with Filippo Valsorda's Heartbleed test page for an additional confirmation.
Note that in some jurisdictions, scanning another site with one of these tools may be considered illegal. You may wish to check your local laws or consult with a lawyer before conducting any tests on a site you don't own. Remember, you can always contact the site's support and ask them whether their site has ever been affected by the Heartbleed vulnerability.
If you're testing sites on your own (especially domains not listed in this article), I recommend using LastPass Heartbleed Checker first, then Qualys SSL Labs second. To check e-mail servers (IMAP or SMTP), also use 1Password Watchtower third. If it isn't clear whether a site may have been vulnerable in the past, contact the site and ask.
https://lastpass.com/heartbleed/ (LastPass Heartbleed Checker; includes notes about past Heartbleed status of some domains; lists certificate validity dates)
https://www.ssllabs.com/ssltest/index.html (Qualys SSL Labs; comprehensive SSL/TLS tests including current Heartbleed status; lists certificate validity dates; does NOT include notes about past Heartbleed status of domains; also notifies if a site might be vulnerable to MITM attacks for other reasons)
https://filippo.io/Heartbleed/ (Filippo Valsorda's Heartbleed Test; only tests current Heartbleed status; does NOT include notes about past Heartbleed status of domains)
https://www.directpass.com/heartbleeddetector (Trend Micro Heartbleed Detector; like Filippo.io, it only tests current Heartbleed status; does NOT include notes about past Heartbleed status of domains)
https://watchtower.agilebits.com (1Password Watchtower; some status messages and recommendations on this site can be a bit confusing, but on the positive side, this service checks Secure IMAP and SMTP servers on ports 993 and 465 (not just HTTPS on port 443 like the other sites); only tests current Heartbleed status; does NOT include notes about past Heartbleed status of domains)
UPDATE, 15 May 2014: Moved Bitly to the list of passwords to change immediately (the site was recently hacked, unrelated to Heartbleed). Added link to Robert Graham's recent finding that 300,000 servers are still vulnerable.
UPDATE, 21 May 2014: Added eBay to the list of passwords to change immediately (the site was recently hacked, unrelated to Heartbleed). Added PayPal to Known Safe section. Hat tip: Graham Cluley http://grahamcluley.com/2014/05/ebay-confirms-security-breach-users-asked-change-passwords/
For more from the JoshMeister on Security, please subscribe via e-mail or RSS, and follow me on Twitter and Google+.