
Heartbleed Bug -- What is Comcast doing about it?


This is an archived section of the community.

Content in this area has been identified as outdated or irrelevant.

This change was done in an effort to make the forum easier to use and to keep only the most helpful and recent content active.


Expert

Re: Getting Information on Heartbleed virus

The crux of the HeartBleed bug is an attacker's ability to get the server certificate private key. Using HeartBleed to get a 64k block of server memory does not necessarily mean that the private key will be exposed.

 

From a recent post by CloudFlare:

"Here’s the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible."

 

Here's a link to the full post:

http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartb...



I am not a Comcast Employee.
I am a Customer Expert volunteering my time to help other customers here in the Forums.
We ask that you post publicly so people with similar questions may benefit from the conversation.
Was your question answered? Mark the post as Best Answer!
Regular Visitor

Re: Getting Information on Heartbleed virus

Yeah, I just worked my way through their IVR maze to "2nd Level" Security, where I was read the meaningless reassurance that "Our website is not vulnerable and you don't have to worry," by a contact center agent who doesn't understand even the most fundamental aspects of this threat.  Nobody I talked to there can confirm whether or not the SSL certificates have been changed recently, because none of them understand what an SSL certificate *is*.  In fact, several of them say that if I'm worried about it, I should *change my passwords now*(!!!)  They do not understand the issue nor the fix: their job is to read me a script designed to comfort the cluelessly ignorant and gullible, because that's what Comcast considers all its customers to be, and apparently, that's also what it hires for customer support.

 

Comcast/Xfinity/Plaxo does not possess the expertise, the integrity, or the concern for its customers to deal with this issue in any real sense.  They are totally in damage control mode, polishing their public image instead of implementing the well-understood fix for the vulnerability and then announcing that the fix is in place and tested.  Their grasp on their own security is so deficient, that the best thing you can do to protect your own email security is to replace them with a provider that is capable in an area where they clearly are not.

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

I've read a lot about this and have a reasonable understanding of it...but wouldn't it be nice if Comcast made a statement to us about what we should do?....or if we need to do anything? It never ceases to amaze me how often we're left in the dark about things. Not all of us are computer "geeks". Tell us what we need to know! (or do...if anything!) Keep us INFORMED! (please!) Edit: @KotSBS I guess I should have read your post first! Well said.

New Poster

Re: Heartbleed Bug -- What is Comcast doing about it?

Comcast home routers might be affected.

 

Download software updates when they become available. In a message to customers, Cisco revealed that the Heartbleed bug, a problem with the encryption of data online, may allow hackers to get access to people's passwords, usernames and other information.

Cisco has released a complete list of all vulnerable products and is working on creating free software updates to protect customers. Juniper has also published a list of vulnerable devices and is working on a solution.

Until these companies release software updates, go figure out what kind of router your home or business has and check back on that company's site every few days to see if a software update is available for download. It could take some time, so be patient.

Turn off your router's remote access. "In the case of home routers, if it's a router that you purchased yourself, almost all of them provide the capability to disable remote access," Adam Allred, a research technologist at the Georgia Tech College of Computing, told The Huffington Post. "Most routers take the home network and the Internet that they connect to and split them into two pieces. Remote access describes the ability to get to your home router from the Internet outside of your home."

Most people don't really need remote access unless they are trying to configure their router from elsewhere, Allred says. Turning it off can make it less likely for hackers to be able to come in and exploit your home router and it won't change your experience at all.

People with newer routers should download patches when they become available, and if your router was provided by your ISP (AT&T, Comcast, etc.) Allred recommends that you contact them and ask if they have any plans to patch home routers.

Only if you have an older router that you purchased yourself, patches aren't available and you need to use remote access for some reason should you consider getting a new router.

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

So we should change passwords (if applicable)?

New Poster

Re: Heartbleed Bug -- What is Comcast doing about it?

NOT TRUE! It's common knowledge that EVERYONE can be affected. End users are the least affected in totality. Just the opposite, it's the big boys that are most at risk and thus are independently putting patches on their own internet servers....if their servers are infected that's one way of various, that you would become infected as a result of clicking on their site.

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

craighill, please clarify?

Expert

Re: Heartbleed Bug -- What is Comcast doing about it?


@craighill wrote:

NOT TRUE! It's common knowledge that EVERYONE can be affected. End users are the least affected in totality. Just the opposite, it's the big boys that are most at risk and thus are independently putting patches on their own internet servers....if their servers are infected that's one way of various, that you would become infected as a result of clicking on their site.


There is no 'infection'. We are dealing with a vulnerability in a piece of server software (OpenSSL) that may expose data. Please get your facts correct before crying wolf!!!



Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Thanks LoPhatPhuud

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

Individual sites aren't the biggest problem. Many computers that make up the infrastructure of the web use the bad SSL. I suggest you read what Juniper Networks has to say and be afraid. Be very afraid.
Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Are Belkin routers susceptible?

Regular Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

You're right! I called Comcast and asked a tech agent a few days ago, he said I don't know what Heartbleed bug is. I told him you got to be kidding. He checked with someone else and got back to me and said, we are safe. ?????

2 of my investment companies mailed me and said they put the patch in anyway, and also told me they were not breached, but for me to change my user/password anyway to be safe. That was good to hear.

The news said any web site with https with the padlock on it at bottom right task bar can be breached, correct me if I'm wrong?

Trouble with going to trusted web sites for information on who got breached or not will have a list say example: Amazon did not get breached, then you go to another trusted web site and they may say Amazon did not get breached. Real problem is worst of worst in the history of breaching, and they say it is just the beginning.

   

Cyber turbo power desktop.Intel 4790k 4.0GHz.GPU-Gigabyte Geforce 1060 Windforce OC 6GB-Notebook dv6225us AMD Turion 64X2 2GB Go6150 GPU Vista Home Premuim
Regular Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

COMCAST get with it, or you may find people dropping their accounts, hopefully no one gets breached and has their life savings taken.

All you got to do is some reading about the Heartbleed Bug, because when I called you and spoke to your SUPPORT TECH. He had no clue what Heartbleed was about, he had to check with someone and get back with me. He did and said I'm safe, bull pucky, NOT. It was and still is in the papers, the Internet. Also all you have to do to find out for yourself is go to the LastPass Heartbleed checker, like others are doing here in your forum and I did and it says you are NOT SAFE!

So please do that for us because we are paying you all for a safe site from your servers. Let us know?

I have been using Comcast for over 35 years give or take, wife and I have been very happy with your service, and support up to now until I have called you, did not like the answer, and not liking what I'm reading here on the forum at all, I'm very ticked off, and very concerned, and worried, hopefully not a heart attack.

Please may we have some positive answers. I will be looking into this on a person higher up tomorrow about this Bug of are you going to do, Fix it working on?

 

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Do ISPs change whether or not sites are affected?

 

*edited for grammar

Expert

Re: Heartbleed Bug -- What is Comcast doing about it?


@CordeliaAnne wrote:

Do ISPs change whether or not sites are affected?

 

*edited for grammar


I'm not sure I understand your question. Can you rephrase it please?



Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Does, say, having a Comcast ISP affect if an unaffected site is insecure?

Expert

Re: Heartbleed Bug -- What is Comcast doing about it?


@CordeliaAnne wrote:

Does, say, having a Comcast ISP affect if an unaffected site is insecure?


No. The issue is with server you are connecting to. If it's using OpenSSL (versions 1.0.1 thru 1.0.1f) then it is susceptible to the HeartBleed vulnerability.



Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Interesting. Did you ever notice that SOMETIMES https://login.comcast.net/login changes to http://login.comcast.net/login ?

New Poster

Re: Heartbleed Bug -- What is Comcast doing about it?

LastPass Heartbleed checker says about comcast:
Was vulnerable: Probably (known use OpenSSL, but might be using a safe version)

https://lastpass.com/heartbleed/?h=comcast.net

Expert

Re: Heartbleed Bug -- What is Comcast doing about it?


@CordeliaAnne wrote:

Interesting. Did you ever notice that SOMETIMES https://login.comcast.net/login changes to http://login.comcast.net/login ?


Yes, and there is no reason to worry. When you go to the Customer Support Forums main page, you are on an http:// link. When you go to sign in, you change to the https:// link. Anytime login information is requested, you should see a https:// link.

 



Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Sometimes, when logging in, I see a http: link.

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Site: www.comcast.net
Server software: Apache-Coyote/1.1
Was vulnerable: No (does not use OpenSSL)
SSL Certificate: Safe (regenerated 8 months ago)
Assessment: This server was not vulnerable, no need to change your password unless you have used it on any other site!
Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Now it comes up with this again:

 

Site: www.comcast.net
Server software: Apache-Coyote/1.1
Was vulnerable: Probably (known use OpenSSL, but might be using a safe version)
SSL Certificate: Possibly Unsafe (created 9 months ago at Jul 17 04:15:40 2013 GMT)
Assessment: It's not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.
Regular Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Yes I put the checker in Comcast.com, said breached

I see here that someone used the HB checker for our Login email, even though it said may be using a Safe version of the OpenSSL, how do we know what Version? and the login it's using the server software Apache can be affected so it said on the list, unless using the Safe SSL version.

Now for the update from an agent that I talked to today, Sheena, she was real kind and so on, she said she knows about the Bug a few days ago, because of us calling, she said she does not watch the news, anyway, every call she gets from us goes to the Tech. department. But she does not know what Comcast is going to do about it, because NONE of our Comcast customers have called in about being Breached, and Comcast does not know where to get the patch, but don't hold Sheena accountable, that was through the grapevine she heard.?

I told her to save a buck $$$$$$ just put the Patch in then in long run Comcast may save some money in the long run, losing customers, and on.

Look at GM and Toyota, they try to save a few bucks, now paying Billions, and lawsuits. Sheena agreed with me.

She said when Comcast has any update(s) news we will be notified. How long ? who knows?

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Also web.mail.comcast.net is NOT encrypted. Any ideas why?

Expert

Re: Heartbleed Bug -- What is Comcast doing about it?


@CordeliaAnne wrote:

Also web.mail.comcast.net is NOT encrypted. Any ideas why?


Good question. No idea why. I end up at xfinityconnect.mail.comcast.net/connect/ but that is not an https:// connection either. All logins, including email, do, however, use an https:// connection.

 

 



Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Well, a friend says that NO email clients are secure, which is why we shouldn't put sensitive info in email.

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

I hold a current CISSP (Certified Information Systems Security Professional) credential, and am no stranger to the vast arsenal of network attacks that the black hats (bad guys) have at their disposal. To reiterate what others have said, Heartbleed is not a virus, worm, trojan horse, or any of those kinds of infectious malware that nefarious types can invent and use against us.  It is a significant design flaw in an otherwise helpful and necessary part of network infrastructure. That alone makes it much more potent, since it isn't something antivirus/malware protection software can detect or guard against.

 

Here is what some of the top people in the security industry are saying about it (this article, titled "Heartbleed OpenSSL vulnerability: A slow-motion train wreck", appeared on the searchsecurity.techtarget.com security news feed).

http://searchsecurity.techtarget.com/news/2240217969/Heartbleed-OpenSSL-vulnerability-A-slow-motion-...

 

It is an informative article, and the page has several more links to related articles in the security community about this bug.

 

In the headlines this morning (yes, I still get a newspaper) was an article that stated there are some who think the lack of disclosure by some companies (like Comcast) may have to do with the NSA being reluctant to admit that they have been exploiting the Heartbleed flaw to gather information.  While I am not a conspiracy theorist, it does provide food for thought.  Naturally, the NSA denies any wrongdoing. Then again... It isn't like their hands are completely clean, after all.


 

 

 

-- Typeaux
Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?


@Typeaux wrote:

I hold a current CISSP (Certified Information Systems Security Professional) credential, and am no stranger to the vast arsenal of network attacks that the black hats (bad guys) have at their disposal. To reiterate what others have said, Heartbleed is not a virus, worm, trojan horse, or any of those kinds of infectious malware that nefarious types can invent and use against us.  It is a significant design flaw in an otherwise helpful and necessary part of network infrastructure. That alone makes it much more potent, since it isn't something antivirus/malware protection software can detect or guard against.

 

Here is what some of the top people in the security industry are saying about it (this article, titled "Heartbleed OpenSSL vulnerability: A slow-motion train wreck", appeared on the searchsecurity.techtarget.com security news feed).

http://searchsecurity.techtarget.com/news/2240217969/Heartbleed-OpenSSL-vulnerability-A-slow-motion-...

 

It is an informative article, and the page has several more links to related articles in the security community about this bug.

 

In the headlines this morning (yes, I still get a newspaper) was an article that stated there are some who think the lack of disclosure by some companies (like Comcast) may have to do with the NSA being reluctant to admit that they have been exploiting the Heartbleed flaw to gather information.  While I am not a conspiracy theorist, it does provide food for thought.  Naturally, the NSA denies any wrongdoing. Then again... It isn't like their hands are completely clean, after all.


 

 

 


Good points.

 

Related, no? http://btreport.net/2014/04/comcast-uconn-team-security-center/

 

 

New Poster

Re: Heartbleed Bug -- What is Comcast doing about it?

I am concerned about the vulnerability of the Comcast SMC D3GNV wireless modem.  I understand that our home routers may be flawed and may need updated software.

 

Cisco has a list of routers that are or are not affected. 

 

Comcast should give us a similar list on their modems.

 

 

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Extech- According to https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Flogin.comcast.net%2Flogin https://login.comcast.net/login is safe. Don't know whether or not to trust it though.

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?


@Bestdad1 wrote:

Comcast should give us a similar list on their modems.

 

 


True, do you know if firewalls help?

Problem Solver

Re: Heartbleed Bug -- What is Comcast doing about it?

 

People, let's get some common sense here.

There is a several hundred million times greater chance you'll fall in the shower & hit your head and die, than there is of any of us being personally compromised due to this. And with that realistic possibility lurking, none of you are wearing helmets in the shower, rite?

 

The greatest danger regarding heartbleed, is that the clueless News Media blows this So Out of Proportion that it causes a partial collapse in the world economy.

 

.

 

 

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

However you can stop yourself from falling in the shower by being careful, which I assume you'd try. Which is what we're doing or trying to here.

Problem Solver

Re: Heartbleed Bug -- What is Comcast doing about it?

 

Ahhh you're prolly rite ... the people that have died in the shower must have wanted to die & didn't stop themselves from falling ... Thanks ;)

 

.

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?


@dj280 wrote:

 

Ahhh you're prolly rite ... the people that have died in the shower must have wanted to die & didn't stop themselves from falling ... Thanks ;)

 

.


Obviously! jk

 

Seriously though, on the web there are security measures MOST people take out of necessity... then there's people who worry about it when they don't work. With or without Heartbleed it is possible to hack accounts.

Regular Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Yes, I agree dj280 to some point. But if Comcast web site/login is OK free from the HB bug, then we could end this post of the Bug breach if Comcast could at least keep us updated that Comcast is OK or not, or they will put the Patch in to be safe? Like one of my Investment Co. did. They sent me an email saying they were not breached, but they said they put the Patch in anyway, and for me to change my password anyway to be on the safe side.

Talking to Comcast Agent they know now about the bug, but they told me they do not know what or when Comcast is going to do anything.

   Extech

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

@Cordelia -- The article you provided (and thank you for that) refers to efforts to bolster malware protection.  Again, the Heartbleed bug is NOT malware, it is a flaw in a recent version of OpenSSL (not ALL versions) that exposes what should be private, encrypted data. The company I currently work for, along with many others, uses a well-known cloud service that was known to use the flawed version of OpenSSL.  It was the cloud service provider's responsibility to apply the fixed version of OpenSSL.  However, on this end, best security practices also dictated that dozens (if not hundreds) of SSL certificates had to be swapped out. Not a trivial project (nor free).

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

which article? I posted several I think

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

Sorry. You posted this one in response to my previous post:
http://btreport.net/2014/04/comcast-uconn-team-security-center/

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Oh OK. Thanks I was wondering

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

GUESS WHAT? AFTER AN HOUR ON THE PHONE AND IN CHAT YES THEY DO RUN OPEN SSL AND HAVE NOT YET FIXED ANYTHING!

Expert

Re: Heartbleed Bug -- What is Comcast doing about it?

CCCookie...

 

Running OpenSSL, in itself, does not make the system vulnerable to HeartBleed. It depends on the version they are using. Affected versions are 1.0.1 thru 1.0.1f, inclusive.

 

The latest info I got from the LastPass HeartBleed checker follows. Note that comcast.com reports as safe.

 

Site: www.comcast.net
Server software: Apache-Coyote/1.1
Was vulnerable: Possibly (known use OpenSSL, but might be using a safe version)
SSL Certificate: Possibly Unsafe (created 9 months ago at Jul 17 04:15:40 2013 GMT) Additional checks SSL certificate yielded current certificate first seen (5 months ago) -- has not been reissued.
Assessment: It's not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.

 



Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?


@CCCookie wrote:

GUESS WHAT? AFTER AN HOUR ON THE PHONE AND IN CHAT YES THEY DO RUN OPEN SSL AND HAVE NOT YET FIXED ANYTHING!


@CCCookie:  Did they happen to mention which VERSION of OpenSSL they're running? 

 

From the heartbleed.com site:

 

What versions of the OpenSSL are affected?

Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
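
An added example (not written by any poster, by Comcast, or by the LastPass checker): a small Python triage that applies the version list quoted above and the certificate-date reasoning used in this thread. The function names, the returned step strings and the sample banners in the comments are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Date the quoted list gives for the fixed release (OpenSSL 1.0.1g).
FIX_RELEASED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# "OpenSSL/1.0.1e", "OpenSSL 1.0.1g" or the looser "open SSL 1.0.1" inside a banner.
_BANNER = re.compile(r"open\s?ssl[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)
# A bare version string such as "0.9.8y".
_BARE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def classify_openssl(text):
    """Classify a version string or server banner against the quoted list.

    Returns "vulnerable", "fixed", "unaffected branch" or "unknown" (no
    OpenSSL version present, or a branch the quoted list does not mention).
    """
    m = _BANNER.search(text) or _BARE.fullmatch(text.strip())
    if not m:
        return "unknown"
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    letter = m.group(4).lower()
    if branch == (1, 0, 1):
        # 1.0.1 with no letter, or letters a through f, is affected;
        # 1.0.1g and later letters carry the fix.
        return "vulnerable" if letter < "g" else "fixed"
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "unaffected branch"
    return "unknown"


def parse_cert_date(text):
    """Parse a date in the form the checker output in this thread uses."""
    parsed = datetime.strptime(text, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def triage(version_text, cert_created, last_password_change):
    """Return (status, ordered follow-up steps) for one HTTPS service.

    Heuristic only: a certificate created before the fix was released is
    treated as needing reissue, and a password changed before the current
    certificate was created is treated as needing another change.
    """
    status = classify_openssl(version_text)
    if status == "unaffected branch":
        return status, []
    if status == "unknown":
        return status, ["confirm the OpenSSL version with the operator"]
    steps = []
    if status == "vulnerable":
        steps.append("upgrade OpenSSL to 1.0.1g or later")
    if status == "vulnerable" or cert_created < FIX_RELEASED:
        steps.append("reissue the certificate with a new key")
        steps.append("change the password after the certificate is reissued")
    elif last_password_change < cert_created:
        steps.append("change the password")
    return status, steps


if __name__ == "__main__":
    # Constructed inputs; the certificate dates reuse the format shown above.
    old_cert = parse_cert_date("Jul 17 04:15:40 2013 GMT")
    new_cert = parse_cert_date("Apr 14 03:39:03 2014 GMT")
    changed = parse_cert_date("Apr 10 00:00:00 2014 GMT")
    for banner, cert in [("open SSL 1.0.1", old_cert),
                         ("OpenSSL/1.0.1g", new_cert),
                         ("Apache-Coyote/1.1", old_cert)]:
        print(banner, "->", triage(banner, cert, changed))
```

A version string is only an indicator: some distributions backport fixes without changing the version letter, and a banner with no OpenSSL token gives nothing to classify.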

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

Ok, I'll go through this one more time. I just spent over an hour in Chat and finally talking to their software engineers on the phone. I was 'told' by one engineer (Joe) that they are running "open SSL 1.0.1". That they have not yet fixed any vulnerabilities. But are working on it! Also, it does no good to change one's password if when you log on the bad guys just steal the new one.

 

He said to me: "We have no evidence of any problems." Me: How would you as any access as a result of Heart Bleed leaves no traceable breach evidence. Right? Him: (little chuckle) "You are correct."

 

At one point he put me on hold and checked with the engineering department at Comcast and came back on the phone. Ans., "We are working on it."

 

It is incumbent on 'them' not me to fix the vulnerability. It is their encryption software that is vulnerable. Running the best anti virus programs out there and malware programs doesn't do any good. Not a 'smidgen'.

I won't even get into the 'chat' conversations with people in The Philippines who I could barely understand and didn't even know what I was talking about! --- To them it was, Heart Bleed what? Huh?

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?


@CCCookie wrote:

Ok, I'll go through this one more time. I just spent over an hour in Chat and finally talking to their software engineers on the phone. I was 'told' by one engineer (Joe) that they are running "open SSL 1.0.1". That they have not yet fixed any vulnerabilities. But are working on it! Also, it does no good to change one's password if when you log on the bad guys just steal the new one.

 


OK, thank you.

Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?

OK. More information. The web site you reference now does say that (a) they were vulnerable, but (b) have now fixed/patched the vulnerability. Would have been nice for Comcast themselves to have made some kind of statement. - See below.

 

LastPass Heartbleed checker     

 
Site: xfinity.comcast.net
Server software: Apache-Coyote/1.1
Was vulnerable: Possibly (known use OpenSSL, but might be using a safe version)
SSL Certificate: Now Safe (created 19 hours ago at Apr 14 03:39:03 2014 GMT)
Assessment:

Change your password on this site if your last password change was more than 19 hours ago

 

Valued Contributor

Re: Heartbleed Bug -- What is Comcast doing about it?

Except...

 

Site: login.comcast.net
Server software: Apache
Was vulnerable: Possibly (known use OpenSSL, but might be using a safe version)
SSL Certificate: Possibly Unsafe (created 1 year ago at Mar 20 00:00:00 2013 GMT) Additional checks SSL certificate history yielded no new information
Assessment: It's not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.
Frequent Visitor

Re: Heartbleed Bug -- What is Comcast doing about it?


@CCCookie wrote:

Ok, I'll go through this one more time. ... they are running "open SSL 1.0.1".

 _______________________________________________________________________

 

The version number was missing from the first time you went through it, apparently.  But thank you for that critical bit of information.  It only took Comcast six days to fess up (they actually denied using it at first).  Other, very large, networks managed to patch and swap certs in a matter of hours. I would think that Comcast must have the resources available, so perhaps what they lack is resolve?

 

It's up to Comcast customers to change passwords on the services they use most often (Netflix, Amazon, eBay, banking, government sites, etc.), most of which have already been patched days ago.