What to expect from services following Heartbleed

Any web service you use that uses HTTPS could have been vulnerable to the OpenSSL Heartbleed vulnerability. It’s been a couple of days now since the vulnerability was made public, so I think it’s reasonable to expect any service to have issued some kind of statement.

There are two acceptable formats:


Simply updating OpenSSL is not enough, since (as appears to be the case) the vulnerability does allow attackers to extract private keys.

The number of websites that have done this is depressingly small. You should be especially concerned if no such statement has been made and the certificate in use was not issued in the last couple of days.

GitHub has issued a model example. That’s the level of detail we should expect.