Heartbleed Bug


V_R

¯\_(ツ)_/¯
Moderator
Joined
Jan 31, 2005
Messages
13,525
Reaction score
1,848
On top of the thread I put in the gaming section, ( https://www.pcreview.co.uk/forums/h...resolved-say-valve-t4063797.html#post14221577 ) I thought I'd post a bit more here for those who don't go in there much.


http://heartbleed.com/
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.


Am I affected by the bug?

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many of online services use TLS to both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.


How widespread is this?

Most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft's April 2014 Web Server Survey. Furthermore OpenSSL is used to protect for example email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software. Fortunately many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most. Furthermore OpenSSL is very popular in client software and somewhat popular in networked appliances which have most inertia in getting updates.



So, are you worried? Are you going to call in sick today and spend the day changing all your passwords like they suggested on GMTV this morning! :D (No I dont, she does, it was on, I caught that bit on the news!)
 
Ad

Advertisements

nivrip

Yorkshire Cruncher
Joined
Mar 21, 2007
Messages
9,752
Reaction score
1,900
So, will this be picked up by the popular anti virus packages that we all use?

Or, do we need to do something else, other than change passwords? (I don't intend to).

It's not clear to dummies like me just what all this means. :)
 

Taffycat

Crunchy Cat
Joined
Jun 1, 2006
Messages
11,867
Reaction score
952
Thanks for the heads-up re Steam, V_R. I was reading about the Heartbleed Bug on some of the News websites yesterday.

I also followed a link from one of them, to this Heartbleed-checker website: https://www.ssllabs.com/ssltest/ It will give a detailed report when you input an URL that you wish to check.

So, will this be picked up by the popular anti virus packages that we all use?

Or, do we need to do something else, other than change passwords? (I don't intend to).

It's not clear to dummies like me just what all this means. :)
No Niv, our anti-virus packages will not pick this up, because it's happening on the server-side. The Beeb have an article about it, as you might have seen: http://www.bbc.co.uk/news/technology-26954540
 

nivrip

Yorkshire Cruncher
Joined
Mar 21, 2007
Messages
9,752
Reaction score
1,900
Thanks for the info, TC.

I have already looked at one of the Heartbleed checking sites and found that Gmail and my bank have already patched this problem. Will check other sites when I have time.

Maybe I will change all my passwords, even though it is a hassle, as it's some time since I did any changes. These sort of scares often work as a good incentive. :)
 

Ian

Administrator
Joined
Feb 23, 2002
Messages
19,718
Reaction score
1,392
If you do change passwords, this little tool is really handy:

http://keepass.info/

It will generate and securely store them for you - really handy if you have a randomly generated password for each site/app :). It can auto-type and a few other handy things, plus it's free :D.
 

muckshifter

I'm not weird, I'm a limited edition.
Moderator
Joined
Mar 5, 2002
Messages
25,650
Reaction score
1,153
there's been a 'flaw' for over two years, and now they are telling us to shut the barn door. :rolleyes:

even I don't know what my bank password is, never mind my bank. :)







Hey Ian, https://www.pcreview.co.uk/ failed. ;)
 
Ad

Advertisements

Becky

Webmistress
Joined
Mar 25, 2003
Messages
7,424
Reaction score
1,511
Saw this today which I thought was good:

heartbleed_explanation.png
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top