[sf-lug] Heartbleed TLS/SSL bug

Larry Cafiero larry.cafiero at gmail.com
Thu Apr 10 11:47:47 PDT 2014


Just a heads up: C|Net just put this out regarding which sites have
been upgraded, which weren't affected, etc.

http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

Larry Cafiero

On Thu, Apr 10, 2014 at 11:32 AM, Jeff Bragg <jackofnotrades at gmail.com> wrote:
> 1.  As I understand it, you should only need to update your password once
> per site, as long as you update it *after* they've patched their OpenSSL
> installation.  Using the check tools I included links for should help
> determine, for the most part, who has and hasn't upgraded (though I've found
> some sites don't respond properly to the first one, like ebay and linkedin).
>
> 2.  I believe it's only the server's RAM which is at risk.  The leak happens
> during heartbeat checks (assuming it wasn't compiled with that option turned
> off).  I *think* this only applies to the server end of the transaction; as
> far as I know (and perhaps Rick can weigh in on this), RAM on your localhost
> (assuming you aren't running a web server and using a compromised version of
> OpenSSL) is not vulnerable due to this bug.  Thus, in theory, your risk
> should be relatively low (though not guaranteed to be non-existent) for
> sites you haven't visited recently.  But don't take that to mean that you
> shouldn't aggressively update your passwords to be on the safe side (but
> again, *after* you know the site has upgraded).
>
>
> On Thu, Apr 10, 2014 at 10:48 AM, Michael Shiloh
> <michaelshiloh1010 at gmail.com> wrote:
>>
>> Thanks for starting this thread. I've been following this closely and have
>> some questions:
>>
>> (1)
>> As I understand it, change passwords now, since many sites have already
>> implemented the fix, but to be really safe you have to change passwords
>> continuously until all sites you visit have fixed this bug.
>>
>> Am I correct?
>>
>> (2)
>> As I understand it, vulnerable sites include those that we don't have to
>> log into, and that the secrets they gather might include secrets relating to
>> other sites.
>>
>> In other words, if I avoid visiting my bank's website, and yet my bank's
>> login credentials are in RAM for some reason, and I visit some other random
>> site that has been compromised, that site could read my RAM and thus acquire
>> the credentials to my bank.
>>
>> Am I correct?
>>
>>
>> On 04/09/2014 08:55 PM, Jeff Bragg wrote:
>>>
>>> Clear your browser data, too.  Non-revoked certificates can still
>>> potentially be used to exploit older sessions (originating from before
>>> upgrade).
>>>
>>>
>>> On Wed, Apr 9, 2014 at 8:47 PM, Jeff Bragg <jackofnotrades at gmail.com>
>>> wrote:
>>>
>>>> I forgot to mention, if you use SSL certificates, replace/reissue them
>>>> (key and cert both).
>>>>
>>>>
>>>> On Wed, Apr 9, 2014 at 8:41 PM, Jeff Bragg
>>>> <jackofnotrades at gmail.com> wrote:
>>>>
>>>>> I would imagine that most members of this list are already aware of
>>>>> this, and have taken steps towards remediation, but in case you
>>>>> haven't heard of this, or haven't updated OpenSSL anywhere you have it
>>>>> installed, or haven't changed your passwords, this particular bug,
>>>>> publicly announced earlier this week, is very serious.  The long and
>>>>> the short of it is that the vulnerable sites may have leaked your (not
>>>>> to mention other users and their own) information in a way that is
>>>>> not detectable, and which can leave users open to man-in-the-middle
>>>>> attacks, retroactive decryption of data captured previously, and so
>>>>> forth.  Many (I hope most) major sites have remedied the problem on
>>>>> their servers, but seemingly few have bothered to tell their users
>>>>> that they *must change their passwords* in order to ensure safety
>>>>> going forward (except for sites that were never vulnerable, but I
>>>>> would not personally take their word for it).
>>>>>
>>>>> In other words, go change your passwords as soon as possible.
>>>>>
>>>>> More information:
>>>>>
>>>>> http://heartbleed.com/
>>>>>
>>>>>
>>>>> http://security.stackexchange.com/questions/55075/does-heartbleed-mean-new-certificates-for-every-ssl-server/55087#55087
>>>>>
>>>>>
>>>>> http://unix.stackexchange.com/questions/123711/how-do-i-recover-from-the-heartbleed-bug-in-openssl
>>>>>
>>>>> And some sites for testing vulnerability:
>>>>>
>>>>> http://filippo.io/Heartbleed/
>>>>> https://www.ssllabs.com/ssltest/
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> sf-lug mailing list
>>> sf-lug at linuxmafia.com
>>> http://linuxmafia.com/mailman/listinfo/sf-lug
>>> Information about SF-LUG is at http://www.sf-lug.org/
>>>
>>
>
>
>
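An added example for this thread, not code from the list or from OpenSSL itself: a small Python checker that classifies the banner printed by `openssl version` (or `openssl version -a`) against the affected range documented at heartbleed.com (1.0.1 through 1.0.1f, plus 1.0.2-beta1), and treats a build whose "compiler:" line carries -DOPENSSL_NO_HEARTBEATS as safe, which is the "compiled with that option turned off" case Jeff mentions. The regex, the status labels and the sample banners are this example's own constructions.

```python
"""Classify `openssl version` / `openssl version -a` output for Heartbleed exposure.

Added example for the sf-lug thread, not code from the list or from OpenSSL.
Assumed affected range (as documented at heartbleed.com): 1.0.1 through
1.0.1f and 1.0.2-beta1.  1.0.1g and 1.0.2-beta2 are fixed; 0.9.8 and 1.0.0
predate the TLS heartbeat extension.  A build with heartbeats compiled out
(-DOPENSSL_NO_HEARTBEATS on the "compiler:" line of `openssl version -a`)
is treated as safe whatever its version.
"""
import re
from typing import Optional, Tuple

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")

Version = Tuple[int, int, int, str, Optional[int]]  # major, minor, fix, letter, beta


def parse_version(banner: str) -> Optional[Version]:
    """Pull the upstream version out of an `openssl version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, m.group(4), beta


def in_affected_range(v: Version) -> bool:
    """True for 1.0.1 .. 1.0.1f (release builds) and for 1.0.2-beta1."""
    major, minor, fix, letter, beta = v
    if (major, minor, fix) == (1, 0, 1) and beta is None:
        return letter <= "f"          # "" (plain 1.0.1) and "a".."f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def classify(banner: str) -> Tuple[str, str]:
    """Return (status, reason) with status in
    {"vulnerable", "not_vulnerable", "needs_review", "unknown"}."""
    v = parse_version(banner)
    if v is None:
        return "unknown", "no OpenSSL version string in input"
    suffix = "-beta%d" % v[4] if v[4] is not None else ""
    label = "OpenSSL %d.%d.%d%s%s" % (v[0], v[1], v[2], v[3], suffix)

    # Compile flags only appear with `openssl version -a`; a heartbeat-less
    # build is safe regardless of the version number.
    if "-DOPENSSL_NO_HEARTBEATS" in banner:
        return "not_vulnerable", label + " built with heartbeats disabled"
    if v[:3] < (1, 0, 1):
        return "not_vulnerable", label + " predates the heartbeat extension"
    if v[:3] == (1, 0, 1) and v[4] is not None:
        # Pre-release 1.0.1 builds are not in the published list; check by hand.
        return "needs_review", label + " is a 1.0.1 pre-release build"
    if in_affected_range(v):
        return ("vulnerable",
                label + " is in the affected range (distro packages may carry a "
                "backported fix under the same version string; check the changelog)")
    return "not_vulnerable", label + " is at or past the fixed release"


if __name__ == "__main__":
    SAMPLES = [  # constructed banners, not captured from real hosts
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS",
    ]
    for s in SAMPLES:
        print("%-15s %s" % classify(s))
```

Feed it `openssl version -a` output from each host you administer. A "vulnerable" verdict is a prompt to check, not a final answer: several distributions shipped the fix as a patch to their existing 1.0.1e package without changing the upstream version string, so the package changelog (or a rebuild against 1.0.1g) is what settles it, and for a site you do not run, the live tests Jeff linked remain the only thing to go on.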



