[sf-lug] Heartbleed TLS/SSL bug

Jeff Bragg jackofnotrades at gmail.com
Thu Apr 10 11:32:09 PDT 2014


1.  As I understand it, you should only need to update your password once
per site, as long as you update it *after* they've patched their OpenSSL
installation.  Using the check tools I included links for should help
determine, for the most part, who has and hasn't upgraded (though I've
found some sites don't respond properly to the first one, like ebay and
linkedin).

2.  I believe it's only the server's RAM which is at risk.  The leak
happens during heartbeat checks (assuming it wasn't compiled with that
option turned off).  I *think* this only applies to the server end of the
transaction; as far as I know (and perhaps Rick can weigh in on this), RAM
on your localhost (assuming you aren't running a web server and using a
compromised version of OpenSSL) is not vulnerable due to this bug.  Thus,
in theory, your risk should be relatively low (though not guaranteed to be
non-existent) for sites you haven't visited recently.  But don't take that
to mean that you shouldn't aggressively update your passwords to be on the
safe side (but again, *after* you know the site has upgraded).


On Thu, Apr 10, 2014 at 10:48 AM, Michael Shiloh <michaelshiloh1010 at gmail.com> wrote:

> Thanks for starting this thread. I've been following this closely and have
> some questions:
>
> (1)
> As I understand it, change passwords now, since many sites have already
> implemented a fix, but to be really safe you have to change passwords
> continuously until all sites you visit have fixed this bug.
>
> Am I correct?
>
> (2)
> As I understand it, vulnerable sites include those that we don't have to
> log into, and that the secrets they gather might include secrets relating
> to other sites.
>
> In other words, if I avoid visiting my bank's website, and yet my bank's
> login credentials are in RAM for some reason, and I visit some other random
> site that has been compromised, that site could read my RAM and thus
> acquire the credentials to my bank.
>
> Am I correct?
>
>
> On 04/09/2014 08:55 PM, Jeff Bragg wrote:
>
>> Clear your browser data, too.  Non-revoked certificates can still
>> potentially be used to exploit older sessions (originating from before
>> upgrade).
>>
>>
>> On Wed, Apr 9, 2014 at 8:47 PM, Jeff Bragg <jackofnotrades at gmail.com>
>> wrote:
>>
>>> I forgot to mention, if you use SSL certificates, replace/reissue them
>>> (key and cert both).
>>>
>>>
>>> On Wed, Apr 9, 2014 at 8:41 PM, Jeff Bragg <jackofnotrades at gmail.com>
>>> wrote:
>>>
>>>> I would imagine that most members of this list are already aware of
>>>> this, and have taken steps towards remediation, but in case you haven't
>>>> heard of this, or haven't updated OpenSSL anywhere you have it installed,
>>>> or haven't changed your passwords, this particular bug, publicly announced
>>>> earlier this week, is very serious.  The long and the short of it is that
>>>> the vulnerable sites may have leaked your (not to mention other users and
>>>> their own) information in a way that is not detectable, and which can
>>>> leave users open to man-in-the-middle attacks, retroactive decryption of
>>>> data captured previously, and so forth.  Many (I hope most) major sites
>>>> have remedied the problem on their servers, but seemingly few have
>>>> bothered to tell their users that they *must change their passwords* in
>>>> order to ensure safety going forward (except for sites that were never
>>>> vulnerable, but I would not personally take their word for it).
>>>>
>>>> In other words, go change your passwords as soon as possible.
>>>>
>>>> More information:
>>>>
>>>> http://heartbleed.com/
>>>>
>>>> http://security.stackexchange.com/questions/55075/does-heartbleed-mean-new-certificates-for-every-ssl-server/55087#55087
>>>>
>>>> http://unix.stackexchange.com/questions/123711/how-do-i-recover-from-the-heartbleed-bug-in-openssl
>>>>
>>>> And some sites for testing vulnerability:
>>>>
>>>> http://filippo.io/Heartbleed/
>>>> https://www.ssllabs.com/ssltest/
>>>>
>>>>
>>>
>>>
>>
>>
>> _______________________________________________
>> sf-lug mailing list
>> sf-lug at linuxmafia.com
>> http://linuxmafia.com/mailman/listinfo/sf-lug
>> Information about SF-LUG is at http://www.sf-lug.org/
>>
>>
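A local counterpart to the site checkers linked in the thread, added here as an example (it is not code from the thread or from the OpenSSL project): it classifies an `openssl version` string against the releases that carried the bug (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g and the 1.0.0/0.9.8 branches were never affected) and looks for the OPENSSL_NO_HEARTBEATS build flag in `openssl version -a` output, which is the "compiled with that option turned off" case mentioned in point 2 above. It assumes that flag is surfaced on the `compiler:` line of `openssl version -a`.

```shell
#!/bin/sh
# Added example (not from the thread): check a local OpenSSL install for
# the Heartbleed bug by version string and by build flag.
#
# Releases that carry the bug: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# 1.0.1g and later (and 1.0.2-beta2 onward) contain the fix; the 1.0.0 and
# 0.9.8 branches never had the heartbeat code at all.
# Caveat: distributions that backport fixes keep the upstream version string
# (a patched Debian/Ubuntu build still reports 1.0.1e), so on those systems
# check the package changelog instead of trusting this classification.

# Takes the output of `openssl version` and prints one of:
#   vulnerable | fixed | never-affected | unknown
heartbleed_version_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1)  echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|3.*)  echo fixed ;;
        1.0.0*|0.9.*)                  echo never-affected ;;
        *)                             echo unknown ;;
    esac
}

# Takes the output of `openssl version -a` and succeeds (exit 0) if the
# build was configured with no-heartbeats. Assumption: the flag shows up as
# -DOPENSSL_NO_HEARTBEATS on the "compiler:" line, which is where the
# configured CFLAGS are printed.
heartbeats_compiled_out() {
    printf '%s\n' "$1" | grep -q 'OPENSSL_NO_HEARTBEATS'
}

# Run against the local install:
#   heartbleed_version_status "$(openssl version)"
#   heartbeats_compiled_out "$(openssl version -a)" && echo 'heartbeats disabled'
```

A "vulnerable" verdict on a distribution package means "needs the package-level check", not necessarily "still exposed", since vendors shipped the fix under the old upstream version number.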