Bay 12 Games Forum


Author Topic: Heartbleed Exploit - Most servers patched, but assume ALL passwords compromised  (Read 3363 times)

Draxis

  • Bay Watcher

Recently they found a bug in OpenSSL - supposedly used by 2/3 of all encrypted Web servers - which let people basically read huge chunks of memory from the server and look through it at will, without leaving records except maybe in router logs.  Conveniently, encryption keys are one of the easiest things to pull out.  This means that, essentially, no exchanges made over HTTPS for the last two years can be considered secure, and from yesterday when this blew up until this exploit is globally fixed, all should be presumed broken.

More information Here.
This site has been set up to test remote servers for the exploit, ostensibly to let people test their own but in any case it is useful for seeing which sites are safe to use.

Linux users and any server operators who happen to be reading this should update their OpenSSL to 1.01g right now.
At this point, most servers have been patched, but you should assume that any and all passwords used on any HTTPS site, or reused from one, are compromised and change them once that site is secure.
Any site whose SSL Key was signed before April 7, 2014 should be considered vulnerable to MITM attacks.
« Last Edit: April 09, 2014, 01:46:37 pm by Draxis »
Logged

Tack

  • Bay Watcher
  • Giving nothing to a community who gave me so much.

Well fuck.
Logged
Sentience, Endurance, and Thumbs: The Trifector of a Superpredator.
Yeah, he's a banned spammer. Normally we'd delete this thread too, but people were having too much fun with it by the time we got here.

i2amroy

  • Bay Watcher
  • Cats, ruling the world one dwarf at a time

Seems like most of the big companies out there are ok though, the checker tool says that steam, amazon, google, github, and paypal all come out clean.
« Last Edit: April 08, 2014, 08:52:25 pm by i2amroy »
Logged
Quote from: PTTG
It would be brutally difficult and probably won't work. In other words, it's absolutely dwarven!
Cataclysm: Dark Days Ahead - A fun zombie survival roguelike that I'm dev-ing for.

Remuthra

  • Bay Watcher
  • I live once more...

Half tempted to say this is a joke.

Draxis

  • Bay Watcher

I doubt it - groups like Cisco and TOR were the ones who publicised it, and also I can confirm that over on the Ars Technica thread somebody went and started logging in as people, and editing their passwords into their posts.
Logged

i2amroy

  • Bay Watcher
  • Cats, ruling the world one dwarf at a time

A little deeper digging shows that the problem isn't quite as widespread as it seems. While Apache and nginx do hold over 66%, the actual number of servers affected seems to be around 17.5% of SSL webservers, some ~.5 million servers.
Logged
Quote from: PTTG
It would be brutally difficult and probably won't work. In other words, it's absolutely dwarven!
Cataclysm: Dark Days Ahead - A fun zombie survival roguelike that I'm dev-ing for.

da_nang

  • Bay Watcher
  • Argonian Overlord
Logged
"Deliver yesterday, code today, think tomorrow."
Ceterum censeo Unionem Europaeam esse delendam.
Future supplanter of humanity.

scriver

  • Bay Watcher
  • City streets ain't got much pity

And now please explain for the computer unknowledgeable.
Logged
Love, scriver~

Draxis

  • Bay Watcher

Basically, it lets people randomly pull large chunks of memory out of any server using a certain version of a common encryption program.  These chunks could contain nothing useful, but commonly contained things like passwords, bank account numbers, or (arguably worst of all) the encryption keys used to verify that a server is the one it says it is.  This means that people could go in and take the information on, not only users and their accounts, but how to impersonate a server and take all the information being passed around "securely" until everybody gets new keys, which takes time and money.  And, it's been active for the last two years or so.
Logged

smjjames

  • Bay Watcher

Wow, that's one huge bug to go undiscovered for so long. Why do they call it the heartbleed exploit though?
Logged

Draxis

  • Bay Watcher

Because the problem is in a module called the "TLS Heartbeat".
Logged
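
Added example (not part of any post in this thread, and not OpenSSL's own code): a simplified model of a TLS heartbeat request, using the RFC 6520 layout of 1-byte type, 2-byte payload length, payload and at least 16 bytes of padding, showing the length check whose absence allowed the memory read described above. Function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request message type (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response message type */
#define HB_HEADER   3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* minimum padding required by RFC 6520 */

/* Payload length the sender claims (big-endian 16-bit field). */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Models the flawed logic, which trusted the claimed length. Returns how many
 * bytes past the end of the received record an echo of that length would
 * read (0 for an honest request). Nothing is copied here. */
size_t hb_unchecked_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t end = HB_HEADER + hb_claimed_len(rec);
    return end > rec_len ? end - rec_len : 0;
}

/* Hardened handler: writes the response into out and returns its length,
 * or -1 when the record must be silently discarded. */
long hb_build_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_MIN_PAD) return -1;  /* too short to parse */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = hb_claimed_len(rec);
    /* The missing check: the claimed payload must fit inside the record. */
    if (HB_HEADER + payload + HB_MIN_PAD > rec_len) return -1;
    size_t resp_len = HB_HEADER + payload + HB_MIN_PAD;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);  /* echo real payload */
    memset(out + HB_HEADER + payload, 0, HB_MIN_PAD);   /* real code: random pad */
    return (long)resp_len;
}

int main(void) {
    /* Constructed record: claims 0x4000 payload bytes but carries only one. */
    uint8_t bad[20] = {HB_REQUEST, 0x40, 0x00, 'x'};
    uint8_t out[64];
    printf("unchecked over-read: %zu bytes\n", hb_unchecked_overread(bad, sizeof bad));
    printf("hardened result: %ld\n", hb_build_response(bad, sizeof bad, out, sizeof out));
    return 0;
}
```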

Muz

  • Bay Watcher

Wow, didn't notice this. I guess I really should be changing all my passwords. But I can't really be bothered to remember entirely new passwords and it's not like I have enough bank account money or personal information worth stealing. Such a hard decision.
Logged
Disclaimer: Any sarcasm in my posts will not be mentioned as that would ruin the purpose. It is assumed that the reader is intelligent enough to tell the difference between what is sarcasm and what is not.

fricy

  • Bay Watcher
  • [DFHACK:ZEALOT]

Please correct me if I'm wrong, but as I understand there's no reason to change passwords (beyond mere paranoia) until the server you use upgrades its software to patch the Heartbleed. In fact if you log into a vulnerable server you expose your login data to a potential ongoing attack, but of course if an attacker gets admin credentials/server keys/whatever your data is theirs either way...
Major servers are already patched, but smaller ones will take time to fix, so we are basically fscked until further notice. :)

Draxis

  • Bay Watcher

True.  But, big sites will have been the ones hit first when this came to surface, so the passwords for already-patched ones should probably be changed now anyway to ensure that there isn't a chance of someone stealing your account.

Of course, there's always the chance of someone with the server's SSL pad impersonating that server.  So, maybe don't log on to anything whose SSL certificate was signed before the 7th?  I don't really know how much of a threat that is, but it is certainly a possibility.
Logged

Muz

  • Bay Watcher

Ok fine. I caved and finally changed my B12 password. For the last 8 years it was "password".
Logged
Disclaimer: Any sarcasm in my posts will not be mentioned as that would ruin the purpose. It is assumed that the reader is intelligent enough to tell the difference between what is sarcasm and what is not.