[sf-lug] Heartbleed TLS/SSL bug

Jeff Bragg jackofnotrades at gmail.com
Wed Apr 9 20:41:55 PDT 2014


I would imagine that most members of this list are already aware of this,
and have taken steps towards remediation, but in case you haven't heard of
this, or haven't updated OpenSSL anywhere you have it installed, or haven't
changed your passwords, this particular bug, publicly announced earlier
this week, is very serious.  The long and the short of it is that the
vulnerable sites may have leaked your (not to mention other users' and their
own) information in a way that is not detectable, and which can leave users
open to man-in-the-middle attacks, retroactive decryption of data captured
previously, and so forth.  Many (I hope most) major sites have remedied the
problem on their servers, but seemingly few have bothered to tell their
users that they *must change their passwords* in order to ensure safety
going forward (except for sites that were never vulnerable, but I would not
personally take their word for it).

In other words, go change your passwords as soon as possible.

More information:

http://heartbleed.com/
http://security.stackexchange.com/questions/55075/does-heartbleed-mean-new-certificates-for-every-ssl-server/55087#55087
http://unix.stackexchange.com/questions/123711/how-do-i-recover-from-the-heartbleed-bug-in-openssl

And some sites for testing vulnerability:

http://filippo.io/Heartbleed/
https://www.ssllabs.com/ssltest/