Heartbleed: HUGE security bug affecting "secure" sites

Matt D Posts: 13,153
Forum Member
http://heartbleed.com/

http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/

http://www.bbc.co.uk/news/technology-26935905

http://www.huffingtonpost.co.uk/2014/04/08/heartbleed-bug-openssl_n_5109087.html?utm_hp_ref=uk

http://filippo.io/Heartbleed/

https://www.ssllabs.com/ssltest/
TechCrunch wrote:
This afternoon, many of the net security people I know are freaking out. A very serious bug in OpenSSL — a cryptographic library that is used to secure a very, very large percentage of the Internet’s traffic — has just been discovered and publicly disclosed.

Even if you’ve never heard of OpenSSL, it’s probably a part of your life in one way or another — or, more likely, in many ways. The apps you use, the sites you visit; if they encrypt the data they send back and forth, there’s a good chance they use OpenSSL to do it. The Apache web server that powers something like 50% of the Internet’s web sites, for example, utilizes OpenSSL.

Through a bug that security researchers have dubbed “Heartbleed”, it seems that it’s possible to trick almost any system running any version of OpenSSL from the past 2 years into revealing chunks of data sitting in its system memory.

Why that’s bad: very, very sensitive data often sits in a server’s system memory, including the keys it uses to encrypt and decrypt communication (read: usernames, passwords, credit cards, etc.). This means an attacker could quite feasibly get a server to spit out its secret keys, allowing them to read any communication that they intercept as if it wasn’t encrypted at all. Armed with those keys, an attacker could also impersonate an otherwise secure site/server in a way that would fool many of your browser’s built-in security checks.

And if an attacker was just gobbling up mountains of encrypted data from a server in hopes of cracking it at some point? They may very well now have the keys to decrypt it, depending on how the server they’re attacking was configured (like whether or not it’s set up to utilize Perfect Forward Secrecy.)

(snip)

I'm still trying to find a definitive list of "big name" sites that were or were not affected.

Yahoo is a definite VULNERABLE... and still is. Which isn't surprising to me... Look how long it took for Yahoo to make SSL default, or even an option, compared to Google.

Apparently Google and Microsoft are fine, don't know about Apple. Whether they are fine because they did not suffer the bug, or are fine *now* because they were patched early, I don't know...

I've seen some say Twitter was OK, others not. It comes up safe now, but I don't know if that's just because it's been patched after the security advisory.

Even *if* a site has been patched, anyone who has used it is still potentially at risk as their passwords or login cookies could easily have been stolen before the patch, and it can also be spoofed if the certificate keys were stolen and haven't yet been revoked. There is no point rushing out to change passwords on affected sites until they have patched themselves *and* revoked and replaced old certificates.

Unlike the recent Apple SSL flaw, this does not require anyone to be on the same network as you and intercept your traffic: If a site has the flaw, it can easily be made to spit out information that often contains login credentials. I've seen simple scripts posted online to probe servers and grab information from them if vulnerable...


Apparently Arstechnica.com reported on the bug before patching its own server, and then people grabbed the usernames/passwords of people who had recently logged in and used their accounts to comment on the story. And I've seen many reports of people acquiring Yahoo login credentials...
Comments

  • ba_baracus Posts: 3,236
    Forum Member
    The online bank Smile (part of Co-operative bank) seems to be currently vulnerable :(
  • zx50 Posts: 91,270
    Forum Member
    Yep. There must be an absolute TON of sites that use a secure connection when accepting orders/payments for things. I'm assuming that OpenSSL is used when accepting people's payments online.
  • Matt D Posts: 13,153
    Forum Member
    Just checked Yahoo again... Apparently safe now.


    *Ideally*, what sites should do once they have been patched, and updated their certificates, is actually inform their users of what happened and recommend passwords be changed, if necessary.

    Surely?

    I mean, when a site is directly hacked or has a direct leak, they tend to make people aware of it don't they? So surely in a situation like this, where it is this big and potentially catastrophic, Yahoo, Twitter, banks, and anyone else that was vulnerable should bloody well let people know!...
  • zx50 Posts: 91,270
    Forum Member
    Matt D wrote: »
    Just checked Yahoo again... Apparently safe now.


    *Ideally*, what sites should do once they have been patched, and updated their certificates, is actually inform their users of what happened and recommend passwords be changed, if necessary.

    Surely?

    I mean, when a site is directly hacked or has a direct leak, they tend to make people aware of it don't they? So surely in a situation like this, where it is this big and potentially catastrophic, Yahoo, Twitter, banks, and anyone else that was vulnerable should bloody well let people know!...

    If they can, yes, they should let members of their sites know what has happened.
  • psionic Posts: 20,188
    Forum Member
    Thankfully my main domain is fine. Well A- ...
  • alanwarwic Posts: 28,396
    Forum Member
    Apparently DuckDuckGo, which mainly uses Bing, leaked too.

    Let's hope our security services made near 3 years of warranted use of this since it was 'introduced'..
  • Tavis75 Posts: 593
    Forum Member
    alanwarwic wrote: »
    Apparently DuckDuckGo, which mainly uses Bing, leaked too.

    Let's hope our security services made near 3 years of warranted use of this since it was 'introduced'..

    That's an interesting point: was this flaw just an error, or was it deliberately created like the RSS vulnerability?
  • IvanIV Posts: 30,310
    Forum Member
    So, so far we had Android digital signatures, Apple's goto Fail, and Linux TLS, but as far as security fvckvps go this one takes the first prize. Potentially everything was compromised, including existing valid certificates. And it does not make sense to get a new one until the bug is patched. And they can be pretty expensive; will they really get a new one, or hope they were not compromised? Time to get your tin foil hats out, everybody. It's either a conspiracy of incompetence or of very clever people :p
  • KennedyC Posts: 1,289
    Forum Member
    I like the recommendation on the BBC website.
    "But changing your password is very easy. So it's not a bad idea but it's not something people have to rush out to do unless the service recommends you do so."

    Do they have any idea how many passwords the average IT literate person has?

    If I have to change all of my passwords that will take a few hours. And there will always be those odd sites where I made a purchase and HAD to register and have never used since.
  • flagpole Posts: 44,641
    Forum Member
    there doesn't seem much point changing the passwords right now to me.

    i'd really rather wait till i know the servers are fixed.

    interesting technical explanation on the exploit on the reg.
    http://www.theregister.co.uk/2014/04/09/heartbleed_explained/
  • ChickenWings Posts: 2,057
    Forum Member
    KennedyC wrote: »
    I like the recommendation on the BBC website.

    Do they have any idea how many passwords the average IT literate person has?

    If I have to change all of my passwords that will take a few hours. And there will always be those odd sites where I made a purchase and HAD to register and have never used since.

    You're not at risk from those sites. This bug affects, for example, people who have recently logged in or had their data pass through the server's RAM as it was being decrypted or encrypted (i.e. through logging in, or as it was being encrypted during the sign up process). If you registered days/weeks/months ago and haven't logged in or anything since then, then your data won't be in the server's memory now and won't be able to be extracted like this.

    This isn't breaking into servers and stealing data from their storage disks; it's extracting recently processed data from the server's memory.

    I would just avoid logging in or signing up to websites for a while unless it's necessary. Change passwords if the sites tell you to and after the servers have been patched (otherwise why bother - your new password will be just as susceptible). Though I already practice this anyway (not logging in or signing up to sites unless I need to).
  • late8 Posts: 7,175
    Forum Member
    ba_baracus wrote: »
    The online bank Smile (part of Co-operative bank) seems to be currently vulnerable :(

    Strange - I checked my bank, CoOp, and it's not vulnerable.
  • zx50 Posts: 91,270
    Forum Member
    late8 wrote: »
    Strange - I checked my bank, CoOp, and it's not vulnerable.

    How would you know if it's vulnerable or not? This is if the bank didn't know anything was wrong themselves.
  • IvanIV Posts: 30,310
    Forum Member
    flagpole wrote: »
    there doesn't seem much point changing the passwords right now to me.

    i'd really rather wait till i know the servers are fixed.

    interesting technical explanation on the exploit on the reg.
    http://www.theregister.co.uk/2014/04/09/heartbleed_explained/

    Yes, now is a time even new hackers could be snooping on encrypted (but compromised) communications and retrieving new passwords. It is safe to do anything only after the bug is patched at a particular site and all certificates currently in use replaced.
  • flagpole Posts: 44,641
    Forum Member
    zx50 wrote: »
    How would you know if it's vulnerable or not? This is if the bank didn't know anything was wrong themselves.
    http://filippo.io/Heartbleed/
  • IvanIV Posts: 30,310
    Forum Member
    flagpole wrote: »
    interesting technical explanation on the exploit on the reg.
    http://www.theregister.co.uk/2014/04/09/heartbleed_explained/

    That's nice, for the lack of another word. I wonder if it was exploited and if it helped that it's open source. It allows collaboration, but it can also get abused.
  • flagpole Posts: 44,641
    Forum Member
    IvanIV wrote: »
    That's nice, for the lack of another word. I wonder if it was exploited and if it helped that it's open source. It allows collaboration, but it can also get abused.

    Well that it is open source I guess means that it could have been being exploited since someone noticed. And that it could have been put there deliberately, and been exploited since the beginning.

    One of the things we know from Snowden is SSL does not present a problem to the NSA or GCHQ. But they haven't actually cracked it.
  • IvanIV Posts: 30,310
    Forum Member
    I wonder how it is with Microsoft's implementation, no vulnerabilities of this magnitude were published, but there always were legends about a "general key" that lets you in.
  • NewWorldMan Posts: 4,908
    Forum Member
    IvanIV wrote: »
    I wonder how it is with Microsoft's implementation.

    I remember reading that IIS, at a certain version (can't remember which), had almost zero vulnerabilities listed on the security sites. This was after a period during which IIS was very poor. But I've no idea what the situation is today.
  • phases Posts: 255
    Forum Member
    Where can I find out a list of the websites affected by this security risk? Has anyone changed all their passwords?
  • flagpole Posts: 44,641
    Forum Member
    phases wrote: »
    Where can I find out a list of the websites affected by this security risk? Has anyone changed all their passwords?

    there is no list of websites, too many. it's everywhere that you log in online. not just websites. email. your twitter client.

    i haven't changed all of mine. i can't face it.
  • IvanIV Posts: 30,310
    Forum Member
    phases wrote: »
    Where can I find out a list of the websites affected by this security risk? Has anyone changed all their passwords?

    As it says on top, it's very likely out of date, but there's a way to find out if anything changed

    https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt

    You should change passwords only after the hole was plugged and new certificates were installed. Since the 2nd may cost a lot of money some may not bother with it.
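The rule several posters settle on (wait until the site is patched and its certificate has been reissued) can be encoded as a small check. This is an added Python example, not code from the thread; it assumes the site's patch status is already known (from the site's own statement or a checker such as the one linked above) and uses constructed certificate dicts in the shape that ssl.getpeercert() returns.

```python
"""Decide whether rotating a password on a Heartbleed-affected site is
worthwhile yet: only once the server is patched AND its certificate was
issued after public disclosure (7 April 2014)."""
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (CVE-2014-0160).
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """cert has the dict shape ssl.getpeercert() returns; 'notBefore' is an
    OpenSSL-style timestamp such as 'Apr  9 10:00:00 2014 GMT'."""
    secs = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def rotation_advice(patched, cert):
    """patched: whether the site has confirmed it runs fixed OpenSSL."""
    if not patched:
        return "wait: server unpatched, a new password could leak the same way"
    if cert_not_before(cert) < DISCLOSURE:
        # Caveat: a post-disclosure notBefore is necessary, not sufficient; a
        # site could reissue with the same (possibly leaked) private key.
        return "wait: certificate predates disclosure, key may have been stolen"
    return "rotate now: patched and certificate reissued after disclosure"


def fetch_cert(host, port=443, timeout=5):
    """Live lookup (needs network); returns the same dict shape as below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (hypothetical host, not a real site's cert).
OLD_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Jan 15 00:00:00 2013 GMT",
            "notAfter": "Jan 15 23:59:59 2015 GMT"}
NEW_CERT = {"subject": ((("commonName", "example.test"),),),
            "notBefore": "Apr  9 10:00:00 2014 GMT",
            "notAfter": "Apr  9 10:00:00 2016 GMT"}

if __name__ == "__main__":
    for patched, cert in [(False, OLD_CERT), (True, OLD_CERT), (True, NEW_CERT)]:
        print(patched, cert["notBefore"], "->", rotation_advice(patched, cert))
```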
  • flagpole Posts: 44,641
    Forum Member
    i came across this list of websites:
    http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

    how ****ing typical is it that apple won't respond to say if their users are affected. what a bunch of *****.
  • IvanIV Posts: 30,310
    Forum Member
    ^^^ you can at least test the current state, the reaction of a server to heartbeat messages. And I am sure Apple does everything to be the only one robbing their customers blind.
  • zx50 Posts: 91,270
    Forum Member
    flagpole wrote: »
    i came across this list of websites:
    http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

    how ****ing typical is it that apple won't respond to say if their users are affected. what a bunch of *****.

    IF they're being truthful about getting no response from Apple about it, that is disgusting. The amount they charge for their hardware, you'd think they'd want to let their customers know what's going on. You can tell a lot by a company's response to something serious.