Time to change your PWs? The SSL "heartbleed" bug discussion

cha cha
128-bit
Posts: 967
Joined: Thu Nov 21, 2013 12:36 pm
Location: Buffalo, NY

Post by cha cha »

Hello all, kinda surprised with all the tech-talk folks looming around the boards this hasn't been brought up yet.

But anyways, just dropping a quick PSA for those who haven't kept up with interwebz talk.

You might have seen some news over the past few days about some "world ending" SSL bug called "heartbleed", and the articles will tell you that SSL is all busted up and online security is done for...

Well, not quite that bad. But 'heartbleed' actually is a pretty huge bug which has been in the wild for a prolonged period of time and has been on a bunch of different "major" sites, and lots of important things are vulnerable to it. One of my friends checked his banking website last night (Citibank) and yeah, it was vulnerable.

'Heartbleed' is a bug in OpenSSL which allows an attacker to read arbitrary amounts of information from a server. This means it's possible to recover usernames, passwords, private keys, a whole bunch of information that you really don't want people to have. And while it doesn't necessarily impact all of us (surprisingly none of the major sites I have sensitive data stored on were impacted), knowing it's a huge pain in the ass, it is probably worth your time to change passwords on important websites that you care about having data compromised on.

Also, 'heartbleed' is, hilariously, a glaringly dumb bug; how was this not checked before?

So yeah, if people have questions about what 'heartbleed' is and how it works feel free to post them, so we all can discuss. I've got a rather rudimentary understanding of it right now, but am happy to dig deeper into it and learn more about it from others who are in the know. Plus don't wanna waste time infodumping if it's not of interest to the community at large.

Here is the "best" database I have found so far listing impacted sites: https://github.com/musalbas/heartbleed- ... op1000.txt

Ars coverage: http://arstechnica.com/security/2014/04 ... ords-asap/

Cheers, and I hope no one has already been victimized due to this crap.
twitch ► | youtube ► | srk ► | sell/trade ► | gameroom ►
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Player of Fighting Games: T7: Eddy, Kazumi, Jack, Zafina » SC6: 2B, Xianghua, Tira, Mina, Maxi » SF5: R. Mika, Rose » GG: May, Faust, Baiken » KoF: Athena/Yuri/Leona » SS: Mina Majikina

Racketboy Online FG Matchfiner Thread! Come out and play.
fastbilly1
Site Admin
Posts: 13775
Joined: Tue Apr 17, 2007 7:08 pm

Re: Time to change your PWs? The SSL "heartbleed" bug discus

Post by fastbilly1 »

I found out about it a couple days ago at work. Racketboy updated the SSL last night, so no worries here. Granted, the SSL access is nothing that standard users here need to worry about.

Re: Time to change your PWs? The SSL "heartbleed" bug discus

Post by cha cha »

I definitely wasn't concerned just about racketboy, but thanks for easing those concerns for anyone curious.

This was more of an attempt to warn those who log/store data on many sites that they may want to check up on their accounts and update PWs and whatnot. Plus a chance to discuss it for those who are "in the know" about such dealings and what it all really means to general users.
TSTR
Next-Gen
Posts: 5653
Joined: Mon Sep 23, 2013 12:55 am
Location: Durham, NC

Re: Time to change your PWs? The SSL "heartbleed" bug discus

Post by TSTR »

Thanks for the database link, cha. Looks like I'm good.

Re: Time to change your PWs? The SSL "heartbleed" bug discus

Post by fastbilly1 »

I understand Chacha, I just thought since I talked to Racket about it this morning I should post it up.

Re: Time to change your PWs? The SSL "heartbleed" bug discus

Post by cha cha »

@ TSTR- just be advised that "master list" is nowhere near complete. Just the best all-in-one I could find. Double check places where you have sensitive data stored and see if they have an announcement about any breaches that affect end users. :wink:

I specifically wanted to call out 'heartbleed' as something serious because the media really loves to oversell vulnerabilities as "Encryption is dead, security is impossible, everybody has all your data!!!1!1", when that's not really the case. My former boss tried to have a conversation with me last summer about how "Oh the paper says that RSA is broken" and I had to explain the difference between implementations of RSA being bad and the fundamental assumption behind RSA (viz. factoring really large numbers is super hard) being untrue.

If somebody tells you that 'heartbleed' means SSL is overall insecure, they're wrong. The specification of SSL is just fine; 'heartbleed' is related to an implementation problem in the OpenSSL framework. If somebody tells you that all your passwords for any site which uses OpenSSL should be considered compromised, that sounds very similar to saying SSL is insecure, but it's way more accurate and something everybody should be at least curious about.
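Added example, not part of the thread and not OpenSSL's code: a minimal heartbeat handler in C that shows the kind of implementation-level length check the posts above are talking about, as opposed to a flaw in the protocol itself. The message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) and the "discard silently" rule are from RFC 6520; the function names and the two sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names; the constants follow the RFC 6520 heartbeat message. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR       3   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING   16  /* minimum padding required by RFC 6520 */

/* Length the sender *claims* the payload has (big-endian field in the message). */
static size_t hb_claimed(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes past the received record that a handler would copy if it trusted the
 * claimed length instead of the record length. 0 means the record is honest. */
size_t hb_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR) return 0;
    size_t need = HB_HDR + hb_claimed(rec);
    return need > rec_len ? need - rec_len : 0;
}

/* Hardened handler: writes the echo response into out and returns its length,
 * or returns 0 to silently discard the message, as RFC 6520 requires. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PADDING) return 0;           /* too short to be valid */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = hb_claimed(rec);
    if (HB_HDR + payload + HB_PADDING > rec_len) return 0; /* claimed length vs. real length */
    size_t resp_len = HB_HDR + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);           /* bounded by the check above */
    memset(out + HB_HDR + payload, 0, HB_PADDING);         /* real code uses random padding */
    return resp_len;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t HONEST[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t LYING[19]  = { HB_REQUEST, 0x40, 0x00 };

int main(void) {
    uint8_t out[64];
    int ok = hb_respond(HONEST, sizeof HONEST, out, sizeof out) == 23
          && hb_respond(LYING, sizeof LYING, out, sizeof out) == 0;
    return ok ? 0 : 1;
}
```

`hb_overread` only computes how far an unchecked copy would run past the record; nothing in the example actually reads out of bounds.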