Heartbleed - Change yo passwords

Discussion in 'General Discussion' started by Josh0is0here, Apr 9, 2014.

  1. Josh0is0here

    This may be the biggest security vulnerability of all time.

    What makes the Heartbleed Bug unique?

    Bugs in a single piece of software or a library come and go and are fixed by new versions. However, this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously.

    Is this a design flaw in SSL/TLS protocol specification?

    No. This is an implementation problem, i.e. a programming mistake in the popular OpenSSL library that provides cryptographic services such as SSL/TLS to applications and services.

    How to stop the leak?

    As long as the vulnerable version of OpenSSL is in use it can be abused. A fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

    The scope of this bug can't be underestimated. Essentially an attacker can connect to any server running OpenSSL and steal anything in process memory, including the encryption keys (silently).

    This means:

    An attacker can just open a connection to your bank over https and silently download, among other things, the keys used to prove to browsers that the bank is who they say they are.

    From now on they can pretend to be your bank and you will get the nice green secure tick in your browser, stealing all your communication.

    Up to 70% of the internet has been totally insecure for 2 years and will be for a while yet.

    You can rectify the problem by installing the latest version of OpenSSL but there is no way to know you haven't already had your keys stolen.

    The only way to be secure is to upgrade OpenSSL. Create new certificates and revoke your old certificates. Sysadmins the world over are about to have a very bad week.

    Some good discussion happening over at HN: https://news.ycombinator.com/item?id=7548991
    Here is the security advisory from OpenSSL: https://www.openssl.org/news/secadv_20140407.txt
    Site to test if you're vulnerable: http://filippo.io/Heartbleed/

    Am I affected by the bug?

    You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, the site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore, you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.

    How widespread is this?

    The most notable software using OpenSSL are the open source web servers Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft's April 2014 Web Server Survey. Furthermore, OpenSSL is used to protect, for example, email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client side software. Fortunately many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically, smaller and more progressive services or those who have upgraded to the latest and best encryption will be affected most. Furthermore, OpenSSL is very popular in client software and somewhat popular in networked appliances, which have the most inertia in getting updates.

    The following operating systems have shipped with vulnerable versions of OpenSSL:

    Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
    Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
    CentOS 6.5, OpenSSL 1.0.1e-15
    Fedora 18, OpenSSL 1.0.1e-4
    OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
    FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
    NetBSD 5.0.2 (OpenSSL 1.0.1e)
    OpenSUSE 12.2 (OpenSSL 1.0.1c)

    Source: http://www.reddit.com/r/programming/comments/22ghj1/the_heartbleed_bug/
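The version list above is only a starting point for triage. As an added example (not from the original post or from OpenSSL), the script below classifies `openssl version` banners and the package version strings quoted above against the upstream ranges in the linked OpenSSL advisory (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 1.0.0 and 0.9.8 not affected). The sample banners are constructed, and the main caveat is built in: distributions often backport the fix while keeping the upstream version number, so "vulnerable-upstream" means "check the package changelog", not "definitely vulnerable".

```python
import re

# Upstream OpenSSL release lines affected by Heartbleed, per the advisory
# linked above: 1.0.1 .. 1.0.1f vulnerable, 1.0.1g is the fix, and the
# 1.0.0 / 0.9.8 lines never had the TLS heartbeat code. 1.0.2-beta1 was
# also affected; the advisory says 1.0.2 is fixed from beta2 on.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")


def classify_openssl_version(banner: str) -> str:
    """Classify an `openssl version` banner or a package version string.

    Returns "vulnerable-upstream", "fixed", "not-affected" or "unknown".
    Distro packages such as "1.0.1e-2+deb7u4" keep the upstream version
    after a backported fix, so "vulnerable-upstream" is a prompt to verify
    the package changelog, not a final verdict.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return "unknown"
    line = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if line < (1, 0, 1):
        return "not-affected"          # 1.0.0 / 0.9.8: no heartbeat support
    if line == (1, 0, 1):
        # "" (bare 1.0.1) through "f" are vulnerable; "g" onward are fixed.
        return "vulnerable-upstream" if letter <= "f" else "fixed"
    if line == (1, 0, 2) and beta == "beta1":
        return "vulnerable-upstream"
    return "fixed"


# Constructed sample input: two of the distro strings quoted in the post,
# plus upstream banners for contrast.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4",
    "Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11",
]


def triage(banners):
    """Map each banner to its verdict so a fleet inventory can be sorted."""
    return {b: classify_openssl_version(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{verdict:20s} {banner}")
```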
     
  2. R

    'n hide yo wife.

    Not sure how relevant this still is (since it's a week old) or how serious it is but it's worth a shout maybe:

    http://techcrunch.com/2014/04/07/ma...sl-could-effect-a-huge-chunk-of-the-internet/
    The sites affected: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
     
  3. Swan

    As soon as it was found a patch was basically immediately released. My brother works for a hosting company so he's had to run hundreds of patches and it's all I've heard about for the past few days, hah. Usually complaints about idiotic clients who don't read emails and keep on harassing him about whether or not their sites are affected.

    I don't think it's really a major issue to most people, as if it had been a commonly used exploit in hacking it would have emerged a lot sooner in the security scene and something would have been done earlier.
     
  4. R

    Laterally, then, let's discuss why the internet and internet-stored data will be the downfall of us all one day :p
     
  5. Xier0

    Because people and companies have very poor security measures. Most people only use 1-3 passwords, and password recovery methods that sites use such as pre-made 'security questions'. If someone manages to get on your email (from phishing, infecting, or searching your information against leaked or cracked databases), they can not only access and recover your passwords for everything you used that email to register for, they can also change the recovery information for all of your accounts. Even relatively tech-savvy people fall prey to these sorts of traps, and once someone gains access to your accounts once, it becomes incredibly difficult to make sure that you have secured it.
     
  6. Boatswain

    Wow, that's crazy.
     
  7. R

    I once saw the probably fake FBI email leak that appeared on pastebin and the passwords were like abc123 - I bet it wasn't far from the truth
     
  8. Cas

    Ugh again..
    Thanks for sharing Roary, would probably not have looked at any of my site passwords if it wasn't for that link you provided.
    Time to change 10-odd passwords again :(
     
  9. Desin

    Eventually the thing that we all love (the internet) will destroy us all.
     
  10. Rs Sora

    NSA just denied they were exploiting it a few days ago, but we all know that's all lies them faggots...
     