Heartbleed?

Glocky

Drinking your tears
If you read until the end, you'll note that OSSL older than 2yrs is not impacted, and an emergency patch was released today for newer OSSL.
A lot of banking uses TLS (not OSSL or SSL). I've checked my sites: banking, Rogers, all on TLS 1.0 to 1.2, so I don't care too much. Even PayPal, Facebook, Twitter are on TLS.

That's the good news. The bad news: there's no way of knowing if the exploit was used or where.
Check if your sites have been updated, then update all your passwords. Cross your fingers and hope.
 

Steve

TD Admin | Bacon
All my bank passwords are 123456qwerty. No fucks to give.

Then again, no money to be taken.
Or credit.


:feelscry:
 

OG buckshot jr

TD Admin
Fuck, I came late to the party. As glocky already stated, this affects SSL, which is open source. Most major institutions/companies will pay for TLS, which as we know it, isn't broken. Those who want your data already have it, the only difference this time around is things like the Canadian Revenue Agency and a few other important ones had a breach, which is quite significant. But that's the IT game, cat and mouse all day every day...
 

zackychuu

TD Admin / Wanker
Helpful list, Cock
Seems I would only have to change Facebook, Instagram, Tumblr, Google (although they said you may not need to) and Minecraft.
None of which are particularly important but I should get round to that either way.
 

MetalLobster

TD Admin
The bug is poor implementation of the TLS heartbeat extension. Read the relevant RFC...

"If a received HeartbeatResponse message does not contain the expected payload, the message MUST be discarded silently. If it does contain the expected payload, the retransmission timer MUST be stopped." - RFC 6520, Sec. 4

"If the payload_length of a received HeartbeatMessage is too large, the received HeartbeatMessage MUST be discarded silently." - RFC 6520, Sec 4.

The source code in OpenSSL didn't do this. It just checked that the payload wasn't zero and memcpy'd the request. Also, the code only checked if the request surpassed 64K. It did not do any kind of comparison AFAIK.
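The missing comparison described above, shown as an added example (not OpenSSL's code): a small RFC 6520 heartbeat handler that checks the claimed payload_length against the number of bytes actually received before echoing anything back. The hb_build_response and hb_demo names, the 64-byte response buffer and the "ping" sample record are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage layout: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_PADDING_MIN 16

enum hb_result { HB_OK = 0, HB_DISCARD = -1 };

/* Hypothetical handler: builds a HeartbeatResponse from a received record of rec_len bytes.
   Returns HB_DISCARD (message silently dropped) whenever the claimed length does not fit. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *resp, size_t resp_cap, size_t *resp_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_PADDING_MIN) return HB_DISCARD;
    if (rec[0] != HB_REQUEST) return HB_DISCARD;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The check OpenSSL lacked: header + claimed payload + minimum padding
       must be covered by the bytes that were actually received (RFC 6520 sec. 4). */
    if (payload_len + HB_HEADER_LEN + HB_PADDING_MIN > rec_len) return HB_DISCARD;
    size_t total = HB_HEADER_LEN + payload_len + HB_PADDING_MIN;
    if (total > resp_cap) return HB_DISCARD;   /* also respect our own output buffer */
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(payload_len >> 8);
    resp[2] = (uint8_t)(payload_len & 0xff);
    memcpy(resp + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);   /* only bytes that exist */
    memset(resp + HB_HEADER_LEN + payload_len, 0, HB_PADDING_MIN);     /* deterministic padding */
    *resp_len = total;
    return HB_OK;
}

/* Constructed sample record (not captured traffic): a 4-byte "ping" payload plus 16 bytes
   of zero padding, with the caller choosing the two payload_length bytes on the wire. */
int hb_demo(uint8_t len_hi, uint8_t len_lo, size_t *resp_len)
{
    uint8_t rec[HB_HEADER_LEN + 4 + HB_PADDING_MIN] = {HB_REQUEST, len_hi, len_lo, 'p', 'i', 'n', 'g'};
    uint8_t resp[64];
    return hb_build_response(rec, sizeof rec, resp, sizeof resp, resp_len);
}

int main(void)
{
    size_t n = 0;
    printf("honest length 4   -> %d (response %zu bytes)\n", hb_demo(0x00, 0x04, &n), n);
    printf("claimed 0xFFFF    -> %d (discarded)\n", hb_demo(0xFF, 0xFF, &n));
    printf("claimed 5, sent 4 -> %d (discarded)\n", hb_demo(0x00, 0x05, &n));
    return 0;
}
```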
 

Siege918

I'm New Here
Might be easy to overlook, but don't forget that you should change any passwords anywhere that uses the same password as a social network. I started using a password manager after this, just so I'll always have a list of every password I need to change and ensure that I don't have duplicates. LastPass seems to work pretty well.
 