Heartbleed


onjegolders

Why panic?  We just should be aware and become knowledgeable about solutions.

Until hosting providers and major websites identify and update their code, there's not much we can do about the situation.  Changing passwords would be premature until the code is updated/verified and SSL certificates are reissued.

  • Like 3

I know Servint updated servers as soon as the patch was released, but if you want to check for yourself and are on a Linux server then this is really useful: http://blog.servint.net/2014/04/08/patching-heartbleed-bug-openssl/

There seems to be a lot of panic over it to be honest and not enough clear information that mainly affects Linux servers, and not enough helpful links like the one I just posted to see if you're affected.

If in doubt though, contact your Web host.

  • Like 2

Greetings,
I have two opposite interpretations here...

I think this is a good moment for us to remember how complex Internet security really is. We can sometimes get the idea that if we just run this or that script we have it covered. But I've been researching security over the past few months, and I'm amazed at how murky the situation is. It seems to me that a lot of our "security" is an illusion. It's only secure as long as no one seriously tries to break in. If a malicious person has enough knowledge, motivation, and time, nothing is completely secure.

On the other hand, the "Heartbleed" situation reveals that even security problems are more contained than they first appear. With all the hype, you would think that every server in the world is broken. Read further and you see that most servers weren't even running the compromised SSL library. And the ones that were compromised were able to seal the hole quickly.

On a related matter, this situation also revealed how poorly most people understand the basics of the Internet. Advice to rush out and change your passwords was silly. If the server was compromised, your data isn't made safe by changing your password; if the server was "fixed," there is no need (of course, changing passwords regularly is a good idea for entirely separate reasons). Major newspapers published inaccurate (even damaging) information. For example, The New York Times published an article suggesting it was the open source nature of the SSL library that is the problem, stating that "its code resides online and can be amended by anyone."

There is a lot we can learn here about security, but the lessons are not always so clear.

Thanks,
Matthew

  • Like 5

Oh, and the other panicky information I hate at the moment is that some sites are recommending changing passwords immediately, when the correct course of action is probably to change them in a few days so the services you use have a chance to patch their servers. Otherwise you may get complacent and think you're safe, but the server may still have been compromised.

It's a bit of a mess to be honest, but most companies seem to be reacting swiftly. One thing I will be trying to do is keep a comprehensive list of sites I have an account with in future.

  • Like 3

There is an argument to change them twice - once now because you may already have been hacked and then once you are sure services have changed.

But the main thing being pushed in the press is to not duplicate the use of passwords, so this might be beneficial just as a reminder.

The other problem with waiting is that this is fine if you are in the business. If you are just a normal internet user, how will you know if that forum you use has been updated or not? The chances are you won't have the foggiest, so you could be waiting forever.

Complicated as hell.

  • Like 1

Changing passwords now is basically a gut reaction, a fear.  This issue (the vulnerability) has been in existence for quite some time.  Knowledgeable security individuals have known about this for some time.  The fact that we (the public) are just now finding out about this means they now have a workable patchable solution.

We all felt safe before we knew about this.  The only thing that has changed so far is our knowledge of the vulnerability.  We need to be reasonable and take a measured approach to our online security.  You better believe this isn't the only vulnerability out there, it's just the latest we have found out about.  If this wasn't related to an Open Source solution, we would still be in the dark, however we would feel secure.

Not having the same password is a common sense practice.  Security is not glamorous or fun.  It takes an effort on the individual to make it work.  

Security is not profitable, so the corporations will not spend the money or time on it.  Users want ease-of-use not complicated security policies.  They only want security when the outside world touches them personally or financially.

Don't get me wrong, this is very important and should be a wake up call to some.  It's a constant reminder that we need to review and revamp our own personal security practices.

  • Like 7

I found this post kind of interesting: http://article.gmane.org/gmane.os.openbsd.misc/211963. I haven't checked the facts myself so can't really vouch for it, but if it's true... well, it does tell something about the mindsets of the developers working on this particular product.

> >> "read overrun, so ASLR won't save you"
> >
> > What if malloc's "G" option were turned on? You know, assuming the
> > subset of the worlds' programs you use is good enough to run with that.
>
> No. OpenSSL has exploit mitigation countermeasures to make sure it's
> exploitable.


Security in general is a very complicated thing, like Matthew already pointed out, but too often vulnerabilities are (at least partly) a result of laziness, general ignorance and/or bad practices.

  • Like 1
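The quoted exchange above turns on one phrase, "read overrun, so ASLR won't save you". The following C program is an added illustration of that point and is not code from this thread, from the OpenBSD list, or from OpenSSL itself. It uses a constructed, simplified record format (one length byte followed by the payload, not real TLS framing) and a constructed arena of bytes standing in for whatever data happens to sit next to the record in memory. It puts the unchecked echo beside the checked one: the unchecked version copies as many bytes as the header claims, so a header that claims more than was received hands back adjacent memory without guessing any address or writing out of bounds, which is why randomising the layout does nothing against it; the checked version bounds the claim by the number of bytes that actually arrived and rejects the record otherwise.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo record (not real TLS framing): byte 0 is the payload
 * length the peer *claims*, the payload follows. The header here claims 20
 * bytes but only 4 ("ping") were actually sent. The bytes placed after the
 * record stand in for unrelated data that happens to be adjacent in memory. */
static const unsigned char ARENA[] =
    "\x14" "ping"
    "SECRET-KEY-MATERIAL";   /* 19 bytes of adjacent data never meant for the peer */

#define RECEIVED_LEN 5       /* bytes of the record that actually arrived: header + "ping" */

/* Unchecked echo: copies as many bytes as the header claims. When the claim
 * exceeds what was received, the copy runs past the record into adjacent
 * memory and returns it to the peer. No address is guessed and nothing is
 * written out of bounds, so layout randomisation does not stop it.
 * Returns the number of bytes copied (0 = nothing copied). */
size_t echo_unchecked(const unsigned char *rec, size_t received_len,
                      unsigned char *out, size_t out_cap)
{
    (void)received_len;                 /* the defect: received length is ignored */
    size_t claimed = rec[0];
    if (claimed > out_cap) return 0;    /* only the reply buffer is protected */
    memcpy(out, rec + 1, claimed);
    return claimed;
}

/* Checked echo: the claimed length must fit inside what was actually
 * received, otherwise the record is rejected and nothing is copied.
 * Returns the number of bytes copied (0 = rejected or empty payload). */
size_t echo_checked(const unsigned char *rec, size_t received_len,
                    unsigned char *out, size_t out_cap)
{
    if (received_len < 1) return 0;              /* no header at all */
    size_t claimed = rec[0];
    if (claimed > received_len - 1) return 0;    /* claims more than arrived */
    if (claimed > out_cap) return 0;
    memcpy(out, rec + 1, claimed);
    return claimed;
}

/* How many bytes beyond the 4 real payload bytes the unchecked echo returns,
 * i.e. how much of the adjacent "secret" leaks for this one lying record. */
size_t secret_bytes_leaked_unchecked(void)
{
    unsigned char out[64];
    size_t n = echo_unchecked(ARENA, RECEIVED_LEN, out, sizeof out);
    return n > 4 ? n - 4 : 0;
}

/* 1 if the checked echo rejects the same lying record, 0 otherwise. */
int checked_rejects_lying_record(void)
{
    unsigned char out[64];
    return echo_checked(ARENA, RECEIVED_LEN, out, sizeof out) == 0;
}

/* Sanity check: an honest record (claims 4, sends 4) is still echoed. */
size_t checked_echo_honest_record(void)
{
    static const unsigned char honest[] = "\x04" "ping";
    unsigned char out[64];
    return echo_checked(honest, sizeof honest - 1, out, sizeof out);
}

int main(void)
{
    printf("unchecked echo leaks %zu adjacent bytes\n", secret_bytes_leaked_unchecked());
    printf("checked echo rejects lying record: %d\n", checked_rejects_lying_record());
    printf("checked echo of honest record returns %zu bytes\n", checked_echo_honest_record());
    return 0;
}
```

The only difference between the two functions is the single comparison against `received_len`; the reply buffer check that both share protects the server's own write, but not the peer from being handed memory it should never see. A guard-page allocator of the kind the quoted mail mentions would only turn this into a crash if the over-read happened to cross into an unmapped page, which a 16-byte overrun inside the same allocation never does.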
