[sf-lug] Heartbleed TLS/SSL bug and also password managers

Michael Shiloh michaelshiloh1010 at gmail.com
Thu Apr 10 11:55:01 PDT 2014


very helpful. thanks. now i understand why they call it heartbleed.

yes, rick, i'd love to hear your point of view.

speaking of password updates leads to thinking about password managers. 
i've been using password gorilla because there was an android app that 
could read the same file format. that app seems to have gone away, so 
i'm in the market for a password manager that works on both linux and 
android. any suggestions? and what do you think of these newfangled 
password management services that also keep your passwords online? i 
normally rely on my regular backup to backup my password database.

m

On 04/10/2014 11:32 AM, Jeff Bragg wrote:
> 1.  As I understand it, you should only need to update your password once
> per site, as long as you update it *after* they've patched their OpenSSL
> installation.  Using the check tools I included links for should help
> determine, for the most part, who has and hasn't upgraded (though I've
> found some sites don't respond properly to the first one, like ebay and
> linkedin).
>
> 2.  I believe it's only the server's RAM which is at risk.  The leak
> happens during heartbeat checks (assuming it wasn't compiled with that
> option turned off).  I *think* this only applies to the server end of the
> transaction; as far as I know (and perhaps Rick can weigh in on this), RAM
> on your localhost (assuming you aren't running a web server and using a
> compromised version of OpenSSL) is not vulnerable due to this bug.  Thus,
> in theory, your risk should be relatively low (though not guaranteed to be
> non-existent) for sites you haven't visited recently.  But don't take that
> to mean that you shouldn't aggressively update your passwords to be on the
> safe side (but again, *after* you know the site has upgraded).
>
>
> On Thu, Apr 10, 2014 at 10:48 AM, Michael Shiloh <
> michaelshiloh1010 at gmail.com> wrote:
>
>> Thanks for starting this thread. I've been following this closely and have
>> some questions:
>>
>> (1)
>> As I understand it, change passwords now, since many sites have already
>> implemented fix, but to be really safe you have to change passwords
>> continuously until all sites you visit have fixed this bug.
>>
>> Am I correct?
>>
>> (2)
>> As I understand it, vulnerable sites include those that we don't have to
>> log into, and that the secrets they gather might include secrets relating
>> to other sites.
>>
>> In other words, if I avoid visiting my bank's website, and yet my bank's
>> login credentials are in RAM for some reason, and I visit some other random
>> site that has been compromised, that site could read my RAM and thus
>> acquire the credentials to my bank.
>>
>> Am I correct?
>>
>>
>> On 04/09/2014 08:55 PM, Jeff Bragg wrote:
>>
>>> Clear your browser data, too.  Non-revoked certificates can still
>>> potentially be used to exploit older sessions (originating from before
>>> upgrade).
>>>
>>>
>>> On Wed, Apr 9, 2014 at 8:47 PM, Jeff Bragg <jackofnotrades at gmail.com>
>>> wrote:
>>>
>>>> I forgot to mention, if you use SSL certificates, replace/reissue them
>>>> (key and cert both).
>>>>
>>>>
>>>> On Wed, Apr 9, 2014 at 8:41 PM, Jeff Bragg <jackofnotrades at gmail.com>
>>>> wrote:
>>>>
>>>>> I would imagine that most members of this list are already aware of
>>>>> this, and have taken steps towards remediation, but in case you haven't
>>>>> heard of this, or haven't updated OpenSSL anywhere you have it installed,
>>>>> or haven't changed your passwords, this particular bug, publicly announced
>>>>> earlier this week, is very serious.  The long and the short of it is that
>>>>> the vulnerable sites may have leaked your (not to mention other users and
>>>>> their own) information in a way that is not detectable, and which can
>>>>> leave users open to man-in-the-middle attacks, retroactive decryption of
>>>>> data captured previously, and so forth.  Many (I hope most) major sites
>>>>> have remedied the problem on their servers, but seemingly few have
>>>>> bothered to tell their users that they *must change their passwords* in
>>>>> order to ensure safety going forward (except for sites that were never
>>>>> vulnerable, but I would not personally take their word for it).
>>>>>
>>>>> In other words, go change your passwords as soon as possible.
>>>>>
>>>>> More information:
>>>>>
>>>>> http://heartbleed.com/
>>>>>
>>>>> http://security.stackexchange.com/questions/55075/does-heartbleed-mean-new-certificates-for-every-ssl-server/55087#55087
>>>>>
>>>>> http://unix.stackexchange.com/questions/123711/how-do-i-recover-from-the-heartbleed-bug-in-openssl
>>>>>
>>>>> And some sites for testing vulnerability:
>>>>>
>>>>> http://filippo.io/Heartbleed/
>>>>> https://www.ssllabs.com/ssltest/
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> sf-lug mailing list
>>> sf-lug at linuxmafia.com
>>> http://linuxmafia.com/mailman/listinfo/sf-lug
>>> Information about SF-LUG is at http://www.sf-lug.org/
>>>
>>>
>
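Jeff's second point above locates the leak in the heartbeat exchange. As an added illustration that is not part of this thread and not OpenSSL's own code, the Python below shows the length validation a heartbeat parser has to perform: the 2-byte payload_length claimed inside the message must be checked against the number of bytes actually received, which is the check the vulnerable code skipped. The record layout follows RFC 6520; the sample records are constructed in the block and never sent anywhere.

```python
# Added example (not from the sf-lug thread, not OpenSSL code): a strict
# parser for a TLS heartbeat record. Layout assumed from RFC 6520:
#   TLS record: ContentType(1) Version(2) Length(2) body
#   body:       HeartbeatMessageType(1) payload_length(2) payload padding(>=16)
import struct
from typing import Optional

HEARTBEAT_CONTENT_TYPE = 24   # TLS ContentType for heartbeat
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16              # RFC 6520 requires at least 16 bytes of padding


def parse_heartbeat_record(record: bytes) -> Optional[bytes]:
    """Return the heartbeat payload, or None when the record must be discarded
    silently (RFC 6520 section 4). Never trusts the inner length field alone."""
    if len(record) < 5:
        return None
    ctype, _major, _minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != HEARTBEAT_CONTENT_TYPE:
        return None
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return None                        # truncated on the wire
    if len(body) < 3 + MIN_PADDING:
        return None                        # no room for header plus padding
    msg_type = body[0]
    payload_len = struct.unpack("!H", body[1:3])[0]
    # The Heartbleed check: claimed payload plus minimum padding must fit in
    # what was actually received. Without it, a payload_length of up to 65535
    # makes the responder copy bytes that never arrived in this record.
    if 3 + payload_len + MIN_PADDING > rec_len:
        return None
    if msg_type != HEARTBEAT_REQUEST:
        return None
    return body[3:3 + payload_len]


def build_heartbeat_record(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Constructed test input only. claimed_len lets a test forge a length field
    that disagrees with the bytes really present, so the check above can be
    exercised offline."""
    claimed = len(payload) if claimed_len is None else claimed_len
    body = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed) + payload
    body += b"\x00" * MIN_PADDING
    header = struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, 3, 2, len(body))
    return header + body
```

A well-formed request is echoed back as its payload; a record whose inner length exceeds the bytes received is dropped rather than answered.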
