How bad is it? Should I / we really reset all our passwords?
Heartbleed is, er, pretty bad. At least if you're a system administrator who doesn't get overtime. :rolleyes:
Since it works as an interesting sort of round-robin attack, it's not clear what has been exposed, but the list of things which could have been exposed on a site with that vulnerability is, well, everything that happened on that site. Including the certificate data, which means that sites which were hit now need new SSL certificates or they could be vulnerable to traffic interception and decryption even after patching Heartbleed.
You should probably reset passwords on affected sites; also, you should expect to need to do it again after everyone is done patching. Thirdly, if you're one of those people who uses the same name/pw combination everywhere, now would be an exceedingly good time to remedy that error.
Resetting your password before the site in question has patched the bug only returns the current horse to the barn but does not close the door to keep him getting out again. As it were.
You should also be extra vigilant if you use online banking at all; now would be a good time to discover the free credit report request stuff.
I remain empathetic to the concerns of my community, but do me a favor and lay off the god damn name calling and petty remarks. It will get you nowhere.
I must admit, respect points to Trendy for laying down the law like that.
So...since that BBC link doesn't want to work (get a 'certificate error' thing), anyone mind explaining for me?
Whatever it is, it seems pretty huge. I mean, I can't get on some pretty big websites like Youtube or Google, they also give me a certificate error thing.
*isn't techno-savvy*
It's basically a way of bypassing security by tricking the software into giving you the security key. Thus letting you access anything you want. But.... as bad as that is, it's not a universal issue.
That's kind of too much of an oversimplification. What the Heartbleed bug does is allow the unencrypted program memory of a system running that version of OpenSSL to be read in random chunks. Those chunks could be nothing, they could be the site certificate, they could be your username/password, they could be the raw web traffic (imagine someone looking over your shoulder at your online banking, or online health care, for example...).
It's worse than tricking the system into giving up the key. It doesn't even require a key at all. It's just riffling randomly through whatever is going on, which may include giving you the key - which would allow you to continue access even after the bug is patched.
It only affects certain versions of OpenSSL, though, so anyone not running OpenSSL (for once, Microsoft's version is more secure?) or who was lazy and didn't upgrade yet is safe.
Compromising the certificates of that many sites is, to put it mildly, a giant cluster-pancake though.
It's not a cause for panic (save that for the admins of unpatched systems) but certainly cause for increased vigilance.
If you want to worry about something, worry about how this apparently got inserted into an open source project two years ago and then sat there in plain sight until now.
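The "riffling through memory" described above comes down to one missing bounds check in the heartbeat handler. Here is a constructed C model of that check, added as an example and not OpenSSL's own code: a heartbeat request is laid out in a small arena next to a fake secret, the pre-fix handler echoes however many bytes the peer's length field asks for, and the fixed handler drops any request whose claimed length does not fit the record that actually arrived. All names, sizes and the secret string are assumptions for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (RFC 6520): a type byte, a
 * 2-byte big-endian payload_length, the payload, then >=16 bytes padding.
 * Everything below is a constructed demo arena, not OpenSSL code. */
enum { HB_HDR_LEN = 3, HB_MIN_PADDING = 16, ARENA_SIZE = 64, SECRET_OFF = 32 };

static unsigned char arena[ARENA_SIZE];   /* record + "adjacent" memory */

/* Lay out a request whose length field may lie about the payload size.
 * Returns the record length the transport actually delivered. */
static size_t build_request(uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                  /* heartbeat_request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HDR_LEN, payload, plen);
    /* constructed stand-in for whatever else lives in process memory */
    memcpy(arena + SECRET_OFF, "SECRET-KEY-MATERIAL", 19);
    return HB_HDR_LEN + plen + HB_MIN_PADDING;
}

static uint16_t claimed_length(void) {
    return (uint16_t)((arena[1] << 8) | arena[2]);
}

/* Pre-fix logic: the length the peer wrote is trusted, so the echo copies
 * past the real payload into neighbouring memory. Returns bytes echoed.
 * (A guard keeps the demo inside the arena; the modelled bug had none.) */
static size_t heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_cap) {
    (void)record_len;                              /* never consulted: the bug */
    size_t n = claimed_length();
    if (n > out_cap || HB_HDR_LEN + n > ARENA_SIZE) return 0;  /* demo guard only */
    memcpy(out, arena + HB_HDR_LEN, n);
    return n;
}

/* Post-fix logic: the claimed length must fit inside the record that
 * actually arrived, padding included; otherwise the request is dropped. */
static size_t heartbeat_fixed(size_t record_len, unsigned char *out, size_t out_cap) {
    if (record_len < HB_HDR_LEN) return 0;
    size_t n = claimed_length();
    if (HB_HDR_LEN + n + HB_MIN_PADDING > record_len) return 0; /* the missing check */
    if (n > out_cap) return 0;
    memcpy(out, arena + HB_HDR_LEN, n);
    return n;
}
```

With a 5-byte payload and a length field claiming 40, the fixed handler returns 0 while the pre-fix handler echoes 40 bytes that include the fake secret.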
Steam was vulnerable until yesterday. If you're a developer who used Steam (the most likely group to be targeted), change your password (and the passwords of any service that had the same password), and reset Steam Guard.
As for it not being a universal issue, anything running OpenSSL 1.0.1 through 1.0.1f is vulnerable.
Should you be concerned? Yes. Should you panic? Panic never helps.
No, no, no, you're good! Here, if you're worried: http://filippo.io/Heartbleed/ This site right here will tell you if you need to worry. Just type in the webpage's address and it'll tell ya.
All that can do is tell you if a site is vulnerable now. Many have been patched in the last day, and none of those testers will be able to tell you if it was exploitable before.
Comments
Having a good towel helps.
So... change all of your passwords.