OpenSSL bug, 'Heartbleed'

#1  riiidaa (Scooby Regular, Thread Starter), 09 April 2014, 11:11 PM

info on the bug found here http://heartbleed.com/

it'll be all over the news for ages I predict

On Twitter, @snipeyhead has done an excellent job of explaining the situation in plain English. Please, please read this, and if you have questions, ask me:

'There is a security vulnerability that was recently discovered, colloquially called "Heartbleed". While you may or may not work with computers, you're going to get lots of emails over the next week or two, from service providers you use (Facebook, Twilio, blogs you have a login to, etc), telling you that they've patched the vulnerability. Every email I've gotten so far specifically says "we have no evidence to suggest that user accounts were compromised."

This is 100% patently a line of grade-A bull****. The very nature of the vulnerability in Heartbleed means it *cannot* be detected. While what they're saying isn't exactly a lie - they do not, in fact, have evidence that user accounts were compromised - it's egregiously misleading and incredibly unethical to make this statement and passively suggest that users might not have been affected. No one knows who has been affected, but to say there is no evidence misleads users into thinking there *would* be evidence if they were affected.

As @nicklockwood on twitter said, "we found a bug that allows our servers to be hacked without leaving evidence, but there is no evidence that this has happened."

Changing your passwords is important, but only do so once your service providers have stated that they've fixed it, otherwise your new password is just as vulnerable as your previous one.
You can use http://filippo.io/Heartbleed/ to check, but you don't know the inner workings of their application, so it's still no guarantee. They may use URLs and systems within their infrastructure that are hidden from you, so you can't test them.

Once they tell you it's patched, change your password. If they haven't said anything, ASK THEM. If they don't answer you and don't have a formal statement, DITCH THEM. This is very serious, and you need to at least know that they have a game plan, if they haven't already fixed it.

Without getting too technical, this is different from security issues we've seen (like with Target). This issue doesn't affect data at rest (stored in a database), but rather data stored in memory over SSL.

If you shop online, do not do business with companies that have not confirmed that they have patched this bug, until they say they have.

But most of all, do not believe their PR bull****. Bugs happen. It sucks, but it's part of software. I find it offensive and unethical that rather than just addressing the issue, they would suggest that users have nothing to worry about because it makes them look better.'

http://tl.gd/n_1s1b295

#2  Geezer (Scooby Senior), 10 April 2014, 01:23 PM

Originally Posted by riiidaa:
    info on the bug found here http://heartbleed.com/
    it'll be all over the news for ages I predict

As usual, media frenzy does not reflect the reality. It only affects servers using OpenSSL, and only certain versions, and only those utilising the Heartbeat extension.

Estimated 17% of SSL sites affected, which, whilst not insubstantial, is not what the usual hype would have you believe.

An organisation that says it has not been compromised isn't necessarily lying; if they are not using OpenSSL, then they are not affected, so the message that they are lying is a bit disingenuous, to be honest.

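Post #1 says the bug exposes "data stored in memory over SSL" and post #2 narrows it to OpenSSL builds with the Heartbeat extension. The following is an added example, written for this page and not code from the thread or from OpenSSL itself, that simulates the heartbeat handler to show exactly where the over-read happens and what the one-line fix changes. The message layout (type byte, two-byte big-endian payload length, payload, 16 bytes of padding) matches RFC 6520 as OpenSSL 1.0.1 implemented it; the `process_memory` buffer, the "secret" placed after the record, and the helper names are constructed here for illustration.

```c
/*
 * Added example, not code from this thread or from OpenSSL itself: a
 * simulated TLS heartbeat handler showing why Heartbleed leaks memory.
 * The "process memory" buffer and the secret placed after the record
 * are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Constructed: the record buffer plus whatever happens to sit after it. */
static unsigned char process_memory[64];
static const char secret_after_record[] = "SECRET-SESSION-COOKIE-XYZ";

/* Write a heartbeat request that claims claimed_len payload bytes but
 * carries only actual_len, then put the secret right behind the record.
 * Returns the record length the TLS record layer would report (bytes
 * actually received). */
size_t build_record(uint16_t claimed_len, size_t actual_len)
{
    size_t rec_len = 1 + 2 + actual_len + HB_PADDING;
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = TLS1_HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed_len >> 8);
    process_memory[2] = (unsigned char)(claimed_len & 0xff);
    memset(process_memory + 3, 'A', actual_len);          /* real payload */
    memcpy(process_memory + rec_len, secret_after_record,
           sizeof secret_after_record);                   /* adjacent data */
    return rec_len;
}

/* Handler modelled on tls1_process_heartbeat(). bounds_check == 0 behaves
 * like OpenSSL 1.0.1 to 1.0.1f: the payload length comes from the peer's
 * message and is never compared with rec_len. bounds_check == 1 adds the
 * 1.0.1g check. Returns response bytes written, or 0 if discarded. */
size_t process_heartbeat(const unsigned char *rec, size_t rec_len,
                         unsigned char *resp, size_t resp_cap, int bounds_check)
{
    if (bounds_check && rec_len < 1 + 2 + HB_PADDING)
        return 0;                           /* too short to be a heartbeat */
    unsigned char hbtype = rec[0];
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];  /* n2s() */
    const unsigned char *pl = rec + 3;
    size_t out_len = 1 + 2 + payload + HB_PADDING;
    if (bounds_check && out_len > rec_len)
        return 0;                           /* the fix: payload must fit */
    if (hbtype != TLS1_HB_REQUEST || out_len > resp_cap)
        return 0;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, pl, payload);  /* unchecked: over-reads when payload > sent */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return out_len;
}

/* Does the response carry the constructed secret? (1 = leaked) */
int response_contains_secret(const unsigned char *resp, size_t len)
{
    const char *needle = "SECRET-SESSION-COOKIE";
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(resp + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Claim 40 payload bytes, send 3: vulnerable mode echoes 40 bytes from the
 * record buffer, 21 of them from the secret behind it (40 + 3 keeps the
 * simulated over-read inside process_memory). */
int vulnerable_handler_leaks(void)
{
    unsigned char resp[128];
    size_t rec_len = build_record(40, 3);
    size_t n = process_heartbeat(process_memory, rec_len, resp, sizeof resp, 0);
    return n == 1 + 2 + 40 + HB_PADDING && response_contains_secret(resp, n);
}

/* Same malformed request in fixed mode: dropped, nothing echoed. */
int fixed_handler_rejects(void)
{
    unsigned char resp[128];
    size_t rec_len = build_record(40, 3);
    return process_heartbeat(process_memory, rec_len, resp, sizeof resp, 1) == 0;
}

/* A well-formed request (claimed == actual) still works after the fix. */
int fixed_handler_echoes_valid(void)
{
    unsigned char resp[128];
    size_t rec_len = build_record(3, 3);
    size_t n = process_heartbeat(process_memory, rec_len, resp, sizeof resp, 1);
    return n == 1 + 2 + 3 + HB_PADDING && memcmp(resp + 3, "AAA", 3) == 0
           && !response_contains_secret(resp, n);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_handler_leaks());
    printf("fixed handler rejects request:   %d\n", fixed_handler_rejects());
    printf("fixed handler echoes valid one:  %d\n", fixed_handler_echoes_valid());
    return 0;
}
```

The point the simulation makes is the one both posts are circling: the server never reads past the record because of a stored-data flaw, it does so because the request's own length field is trusted, and the bytes it hands back are whatever happened to be adjacent in the process at that moment (keys, cookies, other users' requests). That is also why nothing is logged: the request is a valid heartbeat as far as the 1.0.1 code is concerned, and the response is an ordinary heartbeat reply. Checking the running OpenSSL version, or sending a heartbeat with a claimed length larger than the real payload and seeing whether extra bytes come back, is how tools like the one at filippo.io test a host.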
#3  johnwiz (Scooby Regular), 12 April 2014, 06:53 PM

Oh, it IS real, got an email about it this morning from McAfee & couldn't quite believe it!!
I will be checking for statements from Santander & Barclays, that's for sure!!

#4  CharlySkunkWeed (Scooby Regular), 12 April 2014, 07:14 PM

Yeah, got an email from my electricity suppliers today.