Heartbleeding Out: Internet Security Bug Even Worse Than First Believe

    Posted: 13 Apr 2014
    The Heartbleed Internet security bug is shaping up to be worse than researchers first realized, possibly compromising routers and other networking infrastructure for a variety of companies.

    Cisco, one of the world’s top networking equipment manufacturers, confirmed Thursday that it’s investigating dozens of its routers and video teleconferencing devices and software for the Heartbleed vulnerability. Juniper Networks, another top networking company, has also alerted clients some of its equipment has been compromised by Heartbleed. A message posted to Juniper’s service website Friday said many of its systems would be offline through Saturday while the company performs maintenance.
    Source

    Posted By: A Guy
    13 Apr 2014



  1. Posts : 297
    Microsoft Windows 7 Home Premium 64-bit Service Pack 1
       #1

    Ummm ... Are generic modem-routers affected too? Because that's what I use to connect the whole home network!


  2. Posts : 53,365
    Windows 10 Home x64
    Thread Starter
       #2

    It's mostly enterprise routers, it seems. Juniper and Cisco have lists.

    The Heartbleed bug is affecting routers, too

    Heartbleed bug affects gadgets everywhere - Apr. 11, 2014

    Linksys posted a bulletin on their website stating: “We are aware of the Heartbleed OpenSSL vulnerability, however after thorough testing of our product lines, we can confirm that our routers are not impacted. Linksys routers do use OpenSSL, however our product line uses another version that is not impacted by this vulnerability.”
    Heartbleed Bug Is Also Affecting Routers

    A Guy


  3. Posts : 1,449
    Windows 7 ultimate 64-bit
       #3

    What about us normal residential users? Does it say it's affecting those types of routers as well?


  4. Posts : 53,365
    Windows 10 Home x64
    Thread Starter
       #4

    As I posted above, those 3 manufacturers are the only ones listing so far. Most of those are enterprise. Doesn't mean our home devices are secure. A Guy


  5. Posts : 568
    Windows 7 64-bit, Windows 8.1 64-bit, OSX El Capitan, Windows 10 (VMware)
       #5

    The vulnerable version of OpenSSL was released about two years ago. Provided your router's firmware is older than two years and has not been updated, your router is not vulnerable to this bug, regardless of what the manufacturer/OEM might be...

    Activating stealth mode for the router's external interface, i.e. blocking any request initiated from the outside to this interface, would be one of the mitigating measures you can take if the router is vulnerable to this bug, at least until updated firmware is available.


  6. Posts : 24,479
    Windows 7 Ultimate X64 SP1
       #6

    I have just received this email from Norton.

    Norton said:
    You’ve likely heard of Heartbleed over the past week. We wanted to share a bit about what it is, steps we have taken to protect our customers and steps you can take to protect yourself across the Web.

    Some versions of Norton AntiVirus, Norton Internet Security and Norton 360 were impacted. On April 10th, we distributed updates to these impacted products to stop and block Heartbleed. Norton Accounts used to sign into Norton.com were not impacted. Please refer to our FAQ for more information on how we’re defending against this vulnerability.

    Why Heartbleed affects everyone on the Internet

    Heartbleed is a bug in some versions of OpenSSL, a set of software tools used widely across the Web for security. This bug may reveal your name, passwords and other private information.

    If you visited a website that uses a vulnerable version of OpenSSL during the last two years, your personal information may be compromised. You can use this tool: http://safeweb.norton.com/heartbleed to check if a particular website is currently impacted.

    How to protect yourself

    Due to the complex nature of this vulnerability, changing your passwords before sites update their version of OpenSSL won’t fully protect you. Here are some simple steps you can take as a precaution:


    • Change your passwords on any website that contains sensitive information about you. You should first confirm that the site does not contain the Heartbleed vulnerability by using this tool.
    • If you’ve reused passwords on multiple sites, it’s especially important to change them. To change your Norton Account password, visit manage.norton.com and click Account Information.
    • Beware of phishing emails and type website addresses directly in your browser instead of clicking on a link through an email.
    • Monitor your bank and credit card accounts for unusual activity.

    It may take an extended period of time for all the sites affected by Heartbleed to fix this vulnerability. To determine if a website is vulnerable to Heartbleed, use this tool. We recommend you only exchange personal or sensitive information such as your credit card number if the site is not affected by Heartbleed.

    You can learn more about Heartbleed and its impact to consumers by checking out our FAQ or by following the Norton Protection Blog.

    Stay Safe Online

    Norton


  7. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #7

    Britton30 said:
    I have just received this email from Norton.
    I got the same eMail and was going to post it, as you did, about the same time you did, but after some research I decided just to delete the msg.

    If you roll over the links in the eMail, they all point to response.nortonfromsymantec.com - this concerned me. The other fishy thing was the domain checking (bad) in the msg header.

    It took about an hour to find that nortonfromsymantec.com is a URL Norton uses to market their product.
    Norton support: Is this email that I received from Norton legitimate?

    Lots of the same questions over on the Norton boards: E-mail from Norton about Heartbleed legitimate? - Norton Community

    Bugged the hell out of me since I can't recall the last time I used Norton or gave them my eMail address.

    Now the logical thing to do would be to unsubscribe from Norton Marketing.... tried one time, but it requires a login - beats me what I used way back when. There are other means to unsubscribe (postMail, POTS, eMail, online contact).....the privacy policy is very looooong
    Privacy | Symantec


    Anyway, thanks for posting this, I'm still not 100% certain that it is legit.

    Best practice - trash anything that smells funny and then take out the trash.

    Bill


  8. Posts : 24,479
    Windows 7 Ultimate X64 SP1
       #8

    It's all legit.


  9. Posts : 6,458
    x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem
       #9

    heartbleed.com said:
    The Heartbleed Bug

    The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

    The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
    more...

    openSSL.org said:
    OpenSSL Security Advisory [07 Apr 2014]
    ========================================

    TLS heartbeat read overrun (CVE-2014-0160)
    ==========================================

    A missing bounds check in the handling of the TLS heartbeat extension can be
    used to reveal up to 64k of memory to a connected client or server.

    Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including
    1.0.1f and 1.0.2-beta1.

    Thanks for Neel Mehta of Google Security for discovering this bug and to
    Adam Langley of chromium.org and Bodo Moeller of acm.org for
    preparing the fix.

    Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately
    upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

    1.0.2 will be fixed in 1.0.2-beta2.

    https://www.openssl.org/news/secadv_20140407.txt



    You can check your home router using the Win7 Telnet client

    Directions compliments of Asustek (modified to fit your screen)

    How to check the OpenSSL version.

    1: Enable the telnet in firmware of your router

    2: Enable the Telnet client in Win7
    *Telnet is disabled by default in Win7. See: Windows 7: Enabling Telnet Client - TechNet Articles

    3: Telnet into the router
       Open an elevated Command Prompt and run:
       telnet
       open 192.168.1.1 (or your router's address)
       Answer the login prompts, then enter the command:
       openssl version -a

    4: Close the connection

    5: Quit Telnet

    6: Exit the Command Prompt

    ..........

    The router I have returned an error on the openssl version -a command - a not found error I suppose.

    More information from Asustek:
    The vulnerable OpenSSL libraries are 1.0.1 through 1.0.1 f.

    (1) Before last week, Asustek firmware used OpenSSL 1.0.0 b; in two to three weeks the firmware OpenSSL library will upgrade to 1.0.1 g (the g release is the patched version)

    (2) ASUS routers use OpenSSL for HTTPS login and smart sync with ASUS WebStorage

    (3) Refer to the Heartbleed Bug, and https://www.openssl.org/news/secadv_20140407.txt
    (which is where I found the above info)

    1.0.0 branch is NOT vulnerable

    (Note: Emphasis and parenthetical notes are mine.)



    There's not a whole lot we mere mortals can do about heartbleed.

    When the servers and other affected equipment get updated or replaced - change your passwords, BUT don't use the same password everywhere.

    Bill
    Last edited by Slartybart; 19 Apr 2014 at 11:40. Reason: image too big
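Two checks drawn from the advisory and the Asustek notes quoted in the post above, written here as an added Python example (not code from the forum post, OpenSSL or Asustek): classifying the first line of `openssl version -a` against the affected range, and the record-length check whose absence is the bug itself. The heartbeat layout is the one from RFC 6520, the `1 + 2 + length + 16` bound is the one OpenSSL 1.0.1g added, and the sample records are constructed.

```python
import struct

# Added example (not from the forum post, OpenSSL or Asustek): two
# Heartbleed checks built from the rules quoted in the thread.

VULNERABLE_1_0_1_SUFFIXES = set("abcdef") | {""}   # 1.0.1 through 1.0.1f


def heartbleed_vulnerable(version_line):
    """Classify the first line of `openssl version -a` output.

    Per the advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected,
    1.0.1g and 1.0.2-beta2 are fixed, and the 1.0.0 branch (no heartbeat
    support) is not affected, as the Asustek note says.
    """
    parts = version_line.split()
    if len(parts) < 2 or parts[0] != "OpenSSL":
        raise ValueError("not an 'OpenSSL <version> <date>' line")
    ver = parts[1]
    if ver == "1.0.2-beta1":
        return True
    if ver.startswith("1.0.1"):
        return ver[len("1.0.1"):] in VULNERABLE_1_0_1_SUFFIXES
    return False


def heartbeat_payload(record):
    """Return the payload of a TLS heartbeat_request, or None if the
    record is malformed or its claimed payload length does not fit.

    Layout (RFC 6520): type(1) | payload_length(2) | payload | padding(16+).
    The missing check was `1 + 2 + length + 16 > len(record)`; without it
    the responder copies `length` bytes, reading past what was received.
    """
    if len(record) < 1 + 2 + 16:
        return None
    hb_type, length = struct.unpack("!BH", record[:3])
    if hb_type != 1:                     # 1 = heartbeat_request
        return None
    if 1 + 2 + length + 16 > len(record):
        return None                      # reject instead of over-reading
    return record[3:3 + length]


# Constructed inputs: a 4-byte request, and one whose length field
# claims 0xFFFF bytes while only 4 bytes of payload were sent.
HONEST = b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16
OVERSIZED = b"\x01" + struct.pack("!H", 0xFFFF) + b"ping" + b"\x00" * 16

if __name__ == "__main__":
    print(heartbleed_vulnerable("OpenSSL 1.0.1e 11 Feb 2013"))        # True
    print(heartbeat_payload(HONEST), heartbeat_payload(OVERSIZED))  # b'ping' None
```

On a router that only reports a version, the first function answers the question the thread is asking; the second shows why 1.0.1g's fix is a single length comparison on the received record.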


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd