
Heartbleed - the sites that are safe

UPDATE: Google, Yahoo and Facebook say they've patched their systems against Heartbleed, a newly-discovered vulnerability that allows hackers to steal sensitive data.

LinkedIn says it has never used the OpenSSL encryption technology that has been compromised by Heartbleed.

See a wider roundup of who's patched, or not, here.

As always, it's a good policy to often change your password for a site or service, and to not use the same password for multiple sites.

EARLIER: InternetNZ and the New Zealand Internet Task Force (NZITF) are warning website owners that their site’s security may have been breached and private information, including logons and passwords, may have been stolen after the "HeartBleed" vulnerability was identified in the last 24 hours.

Robin Dickie, general manager of web hosting firm Web Drive tells NBR that HeartBleed is not a case of media hype; it's a "very serious threat". 

Some US media reports say Yahoo's servers have been compromised - meaning users of Telecom's YahooXtra email service might have to again change their passwords. However, Yahoo is far from alone. It's estimated that two-thirds of the world's web servers are affected by the HeartBleed vulnerability, which allows an attacker to read a server's working memory and gain access to encryption keys, which can then be used to steal sensitive information.

InternetNZ CEO Jordan Carter said website owners are advised to check their sites and patch them where required. Individual users should change their passwords as a matter of course.

“Website owners shouldn’t panic, but quick action is required by those using vulnerable versions of OpenSSL,” said Mr Carter.

The vulnerability in OpenSSL software, commonly used to secure web sites, is easy to exploit and virtually impossible to detect when it has been exploited. Any web site using a vulnerable version of OpenSSL may have been attacked by criminals stealing data or eavesdropping on communications to and from the site. Now that this vulnerability is widely known, the likelihood of criminals using this exploit is significantly higher.

To fix the vulnerability, website hosts are advised to follow the below list in the order provided:

  • Establish if your site’s servers are vulnerable. This can be done by visiting
  • Patch the vulnerable servers.
  • Revoke/reissue certificates. This is an extremely important step as the servers may have been compromised for some time, without detection.
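As an added example (not part of the InternetNZ advice above), a small POSIX shell helper for the first step, checking a host's own OpenSSL version string against the affected range. It assumes the publicly documented range (1.0.1 through 1.0.1f, fixed in 1.0.1g) and, for the stale-library check, a Linux /proc filesystem.

```shell
#!/bin/sh
# Heartbleed affects the OpenSSL 1.0.1 branch from 1.0.1 up to and including
# 1.0.1f; 1.0.1g is the fixed release. The 1.0.0 and 0.9.8 branches never
# contained the heartbeat code. Returns 0 (shell "true") when the given
# version string falls in the affected range, 1 otherwise.
heartbleed_vulnerable_version() {
    # Accepts either a bare "1.0.1e" or a full "OpenSSL 1.0.1e 11 Feb 2013" line.
    ver=$(printf '%s\n' "$1" | sed -n 's/^\(OpenSSL \)\{0,1\}\([0-9][0-9.]*[a-z]\{0,1\}\).*/\2/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# Runs the check against the openssl binary on this host (assumed to be on PATH).
# Caveat: distributions often backport the fix without bumping the version
# string, so "vulnerable by version" must be confirmed against the package
# changelog (dpkg/rpm) or a live test before concluding anything.
report_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl binary not found; cannot check this host"
        return 2
    fi
    line=$(openssl version)
    if heartbleed_vulnerable_version "$line"; then
        echo "VULNERABLE by version string: $line (confirm against distro changelog)"
        return 0
    fi
    echo "Not in affected range: $line"
    return 1
}

# Linux only: after the library package is upgraded, already-running services
# keep the old (now deleted) libssl mapped until restarted. Prints their PIDs
# so that patching is not mistaken for being done.
processes_using_stale_libssl() {
    for m in /proc/[0-9]*/maps; do
        if grep -q 'libssl.*(deleted)' "$m" 2>/dev/null; then
            echo "$m" | cut -d/ -f3
        fi
    done
}

report_local_openssl || :
processes_using_stale_libssl
```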

Patching alone will reduce the risk of future data compromises, but it cannot protect data that has already been captured. As usual, individuals should have separate passwords for different log-ins, and InternetNZ and the NZITF recommend changing those passwords regularly.

What should consumers do?
Security company Symantec says people should be aware their data could have been seen by a third party if they used a vulnerable service provider.

You should monitor any notices from the vendors you use, Symantec says. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so.

The company also cautions that you should avoid potential "phishing" emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain. That is, visit the website of a service provider such as a bank to change your email; don't click on a link in an email to get to the site.

Comments and questions

Re the comment "As usual, individuals should have separate passwords for different log-ins, and InternetNZ and the NZITF recommend changing those passwords regularly." It is very good advice.

The government is currently pushing RealMe - a single logon to multiple government departments and the banks are apparently going to offer access via RealMe too. So a single compromise of the RealMe system can possibly be used to steal your identity and clean out your bank accounts. Why risk using RealMe? You should avoid it like the plague.

Hi Andre,

I'm not a RealMe spokesman of course, but the service does require a two-step process to set up - including a real-world trip to a Post Office or bank or other participating organisation to verify your ID.

And the government site promoting the service says, "To protect your security, every time you use your verified RealMe account, a code is sent to your mobile phone, which you’ll need to login with."

Thanks Chris

An SMS warning is certainly helpful. I guess I'm just paranoid. I would prefer a user token where you generate a code in a "keyfob-type" device in response to a numerical challenge. If the system was hacked, it is potentially possible to turn off SMS generation. Two-factor authentication will be more difficult to hack.

Nothing is absolutely safe against attack. Accordingly I prefer not to put all my eggs in one basket.

Actually, there is more than one type of RealMe login, verified and non-verified and first and second factor. Not all services require verified RealMe logins and not all services require a second factor such as SMS.