[sf-lug] Heartbleed TLS/SSL bug
The Doctor
drwho at virtadpt.net
Fri Apr 11 10:25:13 PDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 04/10/2014 11:32 AM, Jeff Bragg wrote:
> 1. As I understand it, you should only need to update your
> password once per site, as long as you update it *after* they've
> patched their OpenSSL installation. Using the check tools I
> included links for should
That is correct.
> 2. I believe it's only the server's RAM which is at risk. The
> leak happens during heartbeat checks (assuming it wasn't compiled
> with that option turned off). I *think* this only applies to the
> server end of the transaction; as far as I know (and perhaps Rick
> can weigh in on this), RAM on your localhost (assuming you aren't
> running a web server and using a compromised version of OpenSSL) is
> not vulnerable due to this bug. Thus, in theory, your risk should
> be relatively low (though
There is a proof-of-concept exploit in the wild that targets web
browsers specifically, but I have some doubts as to its efficacy.
Many browsers have their own crypto libraries (libNSS, for example)
that are probably not vulnerable.
> not guaranteed to be non-existent) for sites you haven't visited
> recently. But don't take that to mean that you shouldn't
> aggressively update your passwords to be on the safe side (but
> again, *after* you know the site has upgraded).
We're already seeing redacted parts of secret keys leaked, but I don't
think they're being abused. Leaked login credentials, too.
- --
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/
WWPMD? (What Would Paul Muad'dib Do?)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEAREKAAYFAlNIJXkACgkQO9j/K4B7F8FNzQCcCYG8lV3LJTzDSVm/IXQfOMwR
96IAn1slKSbGW2eVDZKkApAJeYJJmNz6
=0P0I
-----END PGP SIGNATURE-----
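For readers who want to see what "the leak happens during heartbeat checks" actually means at the code level, here is an added example in C. It is not part of the original post and is not OpenSSL's code; it is a small stand-alone model of a TLS heartbeat handler (RFC 6520 layout: type, two-byte payload length, payload, at least 16 bytes of padding) run twice over the same request: once trusting the peer's length field the way OpenSSL did before 1.0.1g, and once with the bounds check that the fix added. The "arena" standing in for server memory, the NEIGHBOUR_SECRET string placed after the record, and the function names (build_arena, hb_process, heartbleed_demo) are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a TLS heartbeat message (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_MIN_PADDING = 16 };

/* Constructed stand-in for the server's heap: the received record sits at the
 * front, and whatever happened to be allocated next (here a made-up string)
 * follows it. A correct implementation must never copy past the record. */
#define ARENA_SIZE 512
#define NEIGHBOUR_SECRET "SECRET: session cookie=abc123; private key bytes..."

/* Lay out a heartbeat request whose header claims `claimed_len` payload bytes
 * but actually carries only `real_payload`. Returns the true record length. */
static size_t build_arena(uint8_t *arena, uint16_t claimed_len, const char *real_payload)
{
    size_t plen = strlen(real_payload);
    size_t rec_len = 1 + 2 + plen + HB_MIN_PADDING;
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, real_payload, plen);
    /* padding bytes stay zeroed; then the unrelated neighbouring allocation */
    memcpy(arena + rec_len, NEIGHBOUR_SECRET, strlen(NEIGHBOUR_SECRET));
    return rec_len;
}

/* Build the heartbeat response. With bounds_check == 0 this mirrors the
 * pre-1.0.1g logic: trust the length field and memcpy that many bytes.
 * With bounds_check != 0 it applies the check the fix added: the claimed
 * payload plus header and padding must fit inside the record actually received.
 * Returns the response length, or -1 if the request is rejected. */
static int hb_process(const uint8_t *rec, size_t rec_len, int bounds_check,
                      uint8_t *out, size_t out_cap)
{
    if (bounds_check && rec_len < 1 + 2 + HB_MIN_PADDING)
        return -1;                           /* too short to be a valid heartbeat */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (bounds_check && (size_t)1 + 2 + payload + HB_MIN_PADDING > rec_len)
        return -1;                           /* claimed length exceeds the record: discard */
    if ((size_t)3 + payload + HB_MIN_PADDING > out_cap)
        return -1;                           /* response buffer too small (demo limit only) */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);       /* over-reads past rec_len when unchecked */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);
    return (int)(3 + payload + HB_MIN_PADDING);
}

/* Does the byte buffer contain the NUL-terminated needle? */
static int buf_contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Run one request through both code paths; returns 1 if the unchecked path
 * echoed neighbouring memory while the checked path refused the request. */
int heartbleed_demo(uint16_t claimed_len)
{
    uint8_t arena[ARENA_SIZE];
    uint8_t resp[ARENA_SIZE];
    size_t rec_len = build_arena(arena, claimed_len, "hi");

    int n_vuln = hb_process(arena, rec_len, 0, resp, sizeof resp);
    int leaked = n_vuln > 0 && buf_contains(resp, (size_t)n_vuln, "SECRET");
    int n_fixed = hb_process(arena, rec_len, 1, resp, sizeof resp);
    printf("claimed=%u real record=%zu: unchecked -> %d bytes (%s), checked -> %d\n",
           claimed_len, rec_len, n_vuln, leaked ? "LEAK" : "no leak", n_fixed);
    return leaked && n_fixed == -1;
}

int main(void)
{
    heartbleed_demo(2);     /* honest request: both paths answer, nothing leaks */
    heartbleed_demo(200);   /* lying request: unchecked path returns neighbouring memory */
    return 0;
}
```

The point to notice is that the unchecked path never reads outside any allocation it was handed by the attacker; it reads outside the *record*, into whatever the process happened to have next to it. That is why the bug is a read of the peer's process memory rather than a crash, why it works in either direction (a client that processes heartbeats from a server is exposed the same way), and why the only real defence is the length check, not anything the caller does with the response afterwards.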