[sf-lug] Heartbleed TLS/SSL bug

Michael Shiloh michaelshiloh1010 at gmail.com
Thu Apr 10 10:48:15 PDT 2014


Thanks for starting this thread. I've been following this closely and 
have some questions:

(1)
As I understand it, change passwords now, since many sites have already 
implemented the fix, but to be really safe you have to change passwords 
continuously until all sites you visit have fixed this bug.

Am I correct?

(2)
As I understand it, vulnerable sites include those that we don't have to 
log into, and that the secrets they gather might include secrets 
relating to other sites.

In other words, if I avoid visiting my bank's website, and yet my bank's 
login credentials are in RAM for some reason, and I visit some other 
random site that has been compromised, that site could read my RAM and 
thus acquire the credentials to my bank.

Am I correct?

On 04/09/2014 08:55 PM, Jeff Bragg wrote:
> Clear your browser data, too.  Non-revoked certificates can still
> potentially be used to exploit older sessions (originating from before
> upgrade).
>
>
> On Wed, Apr 9, 2014 at 8:47 PM, Jeff Bragg <jackofnotrades at gmail.com> wrote:
>
>> I forgot to mention, if you use SSL certificates, replace/reissue them
>> (key and cert both).
>>
>>
>> On Wed, Apr 9, 2014 at 8:41 PM, Jeff Bragg <jackofnotrades at gmail.com> wrote:
>>
>>> I would imagine that most members of this list are already aware of this,
>>> and have taken steps towards remediation, but in case you haven't heard of
>>> this, or haven't updated OpenSSL anywhere you have it installed, or haven't
>>> changed your passwords, this particular bug, publicly announced earlier
>>> this week, is very serious.  The long and the short of it is that the
>>> vulnerable sites may have leaked your (not to mention other users and their
>>> own) information in a way that is not detectable, and which can leave users
>>> open to man-in-the-middle attacks, retroactive decryption of data captured
>>> previously, and so forth.  Many (I hope most) major sites have remedied the
>>> problem on their servers, but seemingly few have bothered to tell their
>>> users that they *must change their passwords* in order to ensure safety
>>> going forward (except for sites that were never vulnerable, but I would not
>>> personally take their word for it).
>>>
>>> In other words, go change your passwords as soon as possible.
>>>
>>> More information:
>>>
>>> http://heartbleed.com/
>>>
>>> http://security.stackexchange.com/questions/55075/does-heartbleed-mean-new-certificates-for-every-ssl-server/55087#55087
>>>
>>> http://unix.stackexchange.com/questions/123711/how-do-i-recover-from-the-heartbleed-bug-in-openssl
>>>
>>> And some sites for testing vulnerability:
>>>
>>> http://filippo.io/Heartbleed/
>>> https://www.ssllabs.com/ssltest/
>>>
>>
>>
>
>
>
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> Information about SF-LUG is at http://www.sf-lug.org/
>
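Jeff's advice above to update OpenSSL "anywhere you have it installed" raises the practical question of how to tell which installs are affected. The script below is an added example, not code from anyone in this thread: it parses the output of `openssl version` (or the version string Python's `ssl` module reports for its own linked library) and classifies it against the upstream release range the bug lived in, 1.0.1 through 1.0.1f and 1.0.2-beta1, with 1.0.1g and 1.0.2-beta2 being the fixed releases and anything older than 1.0.1 never having shipped the heartbeat extension at all. The sample version strings in the block are constructed; the function names are my own.

```python
import re
import ssl

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.2-beta1 24 Feb 2014",
# "OpenSSL 1.0.1e-fips ..." and similar. Captures major, minor, patch,
# the optional patch letter, and an optional beta tag.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")

# Upstream releases known to contain the Heartbleed bug.
_VULNERABLE_101_LETTERS = ("", "a", "b", "c", "d", "e", "f")
_VULNERABLE_102_PRERELEASES = ("beta1",)


def parse_openssl_version(text):
    """Return (major, minor, patch, letter, prerelease) from an `openssl version` line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    major, minor, patch, letter, pre = m.groups()
    return int(major), int(minor), int(patch), letter, pre


def heartbleed_status(text):
    """Classify an OpenSSL version string by upstream release number only.

    Returns (status, reason) where status is one of:
      "vulnerable" - upstream release range that contains the bug
      "fixed"      - 1.0.1g+, 1.0.2-beta2+ or any later branch
      "unaffected" - older than 1.0.1, which had no heartbeat extension

    Caveat: distributions often backport the fix without bumping the
    upstream number (a patched 1.0.1e package still prints "1.0.1e"), so
    "vulnerable" here means "check your vendor's package changelog", and a
    fixed library only helps once every long-running service has been
    restarted against it.
    """
    major, minor, patch, letter, pre = parse_openssl_version(text)
    base = (major, minor, patch)
    if base < (1, 0, 1):
        return "unaffected", "heartbeat extension not present before 1.0.1"
    if base == (1, 0, 1) and letter in _VULNERABLE_101_LETTERS:
        return "vulnerable", "1.0.1 through 1.0.1f contain the bug (unless vendor-patched)"
    if base == (1, 0, 2) and pre in _VULNERABLE_102_PRERELEASES:
        return "vulnerable", "1.0.2-beta1 contains the bug; 1.0.2-beta2 fixed it"
    return "fixed", "release is after the affected range"


def running_python_openssl_status():
    """Classify the OpenSSL library the current Python interpreter is linked against."""
    return heartbleed_status(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    # Constructed sample lines, as `openssl version` would print them.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
    ]
    for line in samples:
        status, reason = heartbleed_status(line)
        print("%-32s %-11s %s" % (line, status, reason))
    print("this interpreter:", ssl.OPENSSL_VERSION, running_python_openssl_status()[0])
```

Run it on the output of `openssl version` from each host (and on the libraries statically linked into other software, which do not show up in a package listing), and treat "vulnerable" as a prompt to read the vendor changelog rather than as a final verdict.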



