Heartbleed: Serious OpenSSL zero day vulnerability revealed

By Dan Goodin:

Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style | Ars Technica

 

'Heartbleed' bug in OpenSSL puts encrypted communications at risk

http://www.cso.com.au/article/542364/_heartbleed_bug_openssl_puts_encrypted_communications_risk/

 

Thank you very much for looking after us all so well LWM!

 

Internet users advised to change all passwords after security flaw found
NEW YORK — Passwords, credit cards and other sensitive data are at risk after security researchers discovered a problem with an encryption technology used to securely transmit email, e-commerce transactions, social networking posts and other Web traffic.

Security researchers say the threat, known as Heartbleed, is serious, partly because it remained undiscovered for more two years. Attackers can exploit the vulnerability without leaving any trace, so anything sent during that time has potentially been compromised. It’s not known, though, whether anyone has actually used it to conduct an attack.

Researchers are advising people to change all of their passwords.

The flaw was discovered independently in recent days by researchers at Google Inc. and the Finnish security firm Codenomicon.
http://www.dallasnews.com/business/...e-all-passwords-after-security-flaw-found.ece

 

I don't agree with the password advice in post #30. The advice in post #15 is better, IMHO.

 

What the "Heartbleed" Security Bug Means For You

 

While it's great to see these remediation efforts, none of them address one of the key issues:

That's why this issue is so serious, I think. Standard advice is to "nuke from orbit" and reinstall from the last update that's known to be clean. But this bug has been around for quite a while, so that may be problematic.

 

Yahoo seems to be safe again. They have new SSL certificates hopefully they already had patched OpenSSL

 

SSL server test may take a few retries, very high traffic at the moment:

"FYI, SSL Labs is running at the edge of capacity, at 10x the normal load. Apologies if you experience any issues."​

 

E-filing of Canadian taxes shut down because of Heartbleed bug

http://www.reuters.com/article/2014/04/09/us-canada-tax-bug-idUSBREA3817D20140409

 

Heartbleed by Bruce Schneier at: https://www.schneier.com/blog/archives/2014/04/heartbleed.html

-- Tom

 

Quote from Bruce Schneier from link in post #38:

 

Comic interlude: http://xkcd.com/1353/

 

InfoSec Handlers Diary Blog (Heartbleed)
https://isc.sans.edu/diary/Heartbleed vendor notifications/17929

 

I get different results from these 2 Tests ?

https://autistici.org got an F on https://www.ssllabs.com/ssltest/index.html but "No, your server is not affected by this bug." on http://submeet.net/tools/heartbleed.php

 

Wilder's uses a self signed certificate, which I appreciate. Those exam sites will score an F as soon as they see the cert isn't authorized by a known authority. Hell, I don't trust the CA's, but I do trust Wilder's. My two cents.

 

@ Palancar

Hi, yes i guess it's the fact that autistici is self signed. Interesting that Submeet "appears" to know it's OK though ?

 

https://github.com/musalbas/heartbl...ults-of-top-1000-websites-on-april-8-1600-utc

 

According to SSL Labs, yahoo.com is fixed. At least login.yahoo.com shows up okay.

 

I find it interesting that HideMyAss dot com is vulnerable ( according to that survey). I didn't check it personally.

 

PoC for OpenSSL CLIENT attacks out:
https://github.com/Lekensteyn/pacemaker

Yes, that was reported here earlier, including new certificate. Keep in mind that patching is not enough to fix, they need to revoke and supply new certificates as well. Only then changing your passwords will help.

 

Chromebleed---a Chrome extension to detect the Heart bleed menace:
http://www.slashgear.com/heartbleed-test-extension-keeps-hacker-bug-at-bay-09324466/

 

What a mess. How does one determine if a web site was even vulnerable to begin with as they are probably patching it now. Some sites were never vulnerable so those will not have certificate changes. Then there are sites that were vulnerable , patched, but have not changed their certificates yet. I don't know what's what.

By the way, how does one tell if a member is online or not, I must be color blind.