Heartbleed

Apr 09, 2014 23:41

Everyone is panicking, and rightfully so, because a really, really awful security bug was discovered: one that lets people get random fragments of data that are supposed to be super secure. It is as bad as everyone says and you can't do anything about it (it has to be fixed on the server side by the providers), and no one knows what data got out. The chunks that were caught were random, so maybe they got your credit card numbers, or the chunks might have contained passwords or even the SSL private encryption keys, and with those you could get everything else. Or just grab so many of those chunks that you get everything anyway. That's why they called it Heartbleed.

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.

Half a million sites are vulnerable, including my own. Test your vulnerability here.

The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.

At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.


So, to sum up: not only do you not really know whether you've been compromised (or where), you also cannot do anything about it. Just wait till it gets patched and change all your passwords. Again.
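To make the "grab 64K of memory" description above concrete, here is a small Python model I've added to this post (it is not code from the original post or from OpenSSL). The bug was a missing bounds check in OpenSSL's TLS heartbeat handler: the request carries a 16-bit length field, and the server copied that many bytes from its receive buffer into the reply without checking that the request was actually that long. The "heap" here is a constructed byte string standing in for server memory, and the secrets in it are made-up sample data.

```python
import struct
from typing import Callable, Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16           # every heartbeat message ends with at least 16 bytes of padding
MAX_DECLARED = 0xFFFF      # the length field is 16 bits, hence "64K per request"

# Constructed sample of unrelated data sitting next to the receive buffer.
NEIGHBOURS = b"session=abc123; -----BEGIN PRIVATE KEY----- (constructed sample)"


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request: 1-byte type, 2-byte length, payload, padding.
    A well-behaved peer sets declared_len == len(payload); the bug shows up when
    the declared length is larger than the payload actually sent."""
    if declared_len is None:
        declared_len = len(payload)
    if not 0 <= declared_len <= MAX_DECLARED:
        raise ValueError("length field is 16 bits")
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", declared_len)
            + payload + b"\x00" * PADDING_LEN)


def vulnerable_handler(heap: bytes, record_len: int) -> Optional[bytes]:
    """Pre-fix behaviour: trust the peer's length field and copy that many bytes
    from the record buffer into the reply, reading past the end of the record."""
    msg_type = heap[0]
    (declared_len,) = struct.unpack(">H", heap[1:3])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    echoed = heap[3:3 + declared_len]    # never compared with record_len -> over-read
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", declared_len)
            + echoed + b"\x00" * PADDING_LEN)


def fixed_handler(heap: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour (the check added in OpenSSL 1.0.1g): reject records too
    short to hold a heartbeat at all, and silently discard any request whose
    declared length does not fit inside the bytes actually received."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None
    msg_type = heap[0]
    (declared_len,) = struct.unpack(">H", heap[1:3])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + declared_len + PADDING_LEN > record_len:
        return None                      # silently discard, as the fix does
    echoed = heap[3:3 + declared_len]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", declared_len)
            + echoed + b"\x00" * PADDING_LEN)


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Bytes echoed back beyond what the requester actually sent (padding included)."""
    (declared_len,) = struct.unpack(">H", response[1:3])
    echoed = response[3:3 + declared_len]
    return echoed[len(sent_payload):]


def run(handler: Callable[[bytes, int], Optional[bytes]],
        payload: bytes, declared_len: Optional[int] = None) -> Optional[bytes]:
    """Place one request at the start of the simulated heap and hand it to a handler."""
    record = build_heartbeat(payload, declared_len)
    heap = record + NEIGHBOURS
    return handler(heap, len(record))


if __name__ == "__main__":
    bad = run(vulnerable_handler, b"ping", 1024)
    print("vulnerable handler leaked:", leaked_bytes(bad, b"ping"))
    print("fixed handler reply to the same request:", run(fixed_handler, b"ping", 1024))
```

Note what the fix does not do: it does not log or alert, it just drops the malformed request, which is why the original post's point that the attack leaves no trace also held for servers that were later patched. Detecting past exposure from the server side was therefore not possible, and the only sound response was the one described above: patch, replace the key pair and certificate, and rotate credentials.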

CNet checked the most popular American sites, so you'll know which passwords you can change now.

The funny thing is that I learned about it from xkcd (before all the big news outlets and official work emails).

programs, news, internet, tech
