Comments
on April 09 2014 08:37:41
Could one of you who knows about this stuff please elaborate?
on April 09 2014 10:04:43
I think that article is really good, and explains the issue quite well. It doesn't go into technical details, but this link (from the article) does.
To summarize, the Heartbeat extension is a keep-alive feature for TLS (the successor to SSL) that minimizes renegotiation of a secure channel. This consists of some communication back and forth between the client and the server, where the client sends some data and then requests it back. The bug means that OpenSSL doesn't check that what you request back has the same length as what you sent; i.e. you can send 1 KB of data and request 64 KB back, and then you'll get 63 KB of data from the server's memory. 64 KB is the limit, but you can request again and again. The extra data you get is straight from memory, and as such you don't know what you're getting, but you can analyze the data and figure out what it is. You might even find sensitive data, even private keys, which in turn can be used to read all communication to/from the site.
This is a code error, which means that exploiting this bug will not raise any red flags with any security measures on the server. The exploiting client request is perfectly valid.
Good Q&A site by the discoverers of the bug: Heartbleed.com
What can/should you do? Do NOT change all your passwords (they might get exposed due to this bug). Avoid using netbanks etc. for a few days. If you need to do something, check the site before you connect using this site or LastPass' test. There's even a Chrome extension, Chromebleed. These should be safe, and have been recommended by security experts. The site you want to access might also have a news page/blog or similar, that explains that they have updated OpenSSL and are no longer vulnerable. It is safe/recommended that you change your password AFTER confirmation that the site is secure.
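The missing length check the comment above describes, shown as an added example that is not code from this thread or from OpenSSL itself: a simplified heartbeat handler in C with the pre-1.0.1g logic beside the patched logic. The "process memory" array, the 5-byte "hello" payload, the claimed length of 100 and the neighbouring secret string are all constructed for the demo; in the real bug the over-read hit whatever happened to sit next to the request on the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS Heartbeat message (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The record layer separately reports how many bytes really arrived (msg_len).
 * Heartbleed: the handler trusted payload_length instead of checking it against msg_len. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HEADER    3   /* type + 2-byte length */

/* Constructed stand-in for the server's heap: the request sits at the start and unrelated
 * sensitive data lives right after it. Sized so the demo's over-read stays inside the array. */
static unsigned char server_memory[1024];
static const char neighbour_data[] =
    "user=alice&password=hunter2 -----BEGIN RSA PRIVATE KEY-----";

/* Builds a request carrying `plen` real payload bytes but claiming `claimed` bytes.
 * Returns the true message length as the record layer would report it. */
static size_t build_request(unsigned char *buf, uint16_t claimed,
                            const char *payload, size_t plen) {
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memcpy(buf + HB_HEADER, payload, plen);
    memset(buf + HB_HEADER + plen, 0, HB_PADDING);
    return HB_HEADER + plen + HB_PADDING;
}

typedef size_t (*hb_handler)(const unsigned char *msg, size_t msg_len,
                             unsigned char *resp, size_t resp_cap);

/* Pre-1.0.1g logic, simplified: the claimed length drives the memcpy, so up to 65535 bytes
 * (the 2-byte field's maximum, hence the 64 KB figure) are echoed from wherever the request
 * sits in memory. OpenSSL sized its response buffer from `payload`; here the caller's buffer
 * must be large enough, so the resp_cap guard is a demo detail, not part of the bug. */
static size_t heartbeat_vulnerable(const unsigned char *msg, size_t msg_len,
                                   unsigned char *resp, size_t resp_cap) {
    (void)msg_len;                                          /* never consulted: the bug */
    uint16_t payload = (uint16_t)((msg[1] << 8) | msg[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > resp_cap)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = msg[1];
    resp[2] = msg[2];
    memcpy(resp + HB_HEADER, msg + HB_HEADER, payload);     /* reads past the real payload */
    memset(resp + HB_HEADER + payload, 0, HB_PADDING);
    return HB_HEADER + payload + HB_PADDING;
}

/* 1.0.1g logic: the claimed length is validated against the record before anything is
 * copied, and a bogus request is silently discarded as RFC 6520 section 4 requires. */
static size_t heartbeat_fixed(const unsigned char *msg, size_t msg_len,
                              unsigned char *resp, size_t resp_cap) {
    if (msg_len < HB_HEADER + HB_PADDING)                   /* too short for length + padding */
        return 0;
    uint16_t payload = (uint16_t)((msg[1] << 8) | msg[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > msg_len)  /* claims more than arrived */
        return 0;
    if (HB_HEADER + (size_t)payload + HB_PADDING > resp_cap)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = msg[1];
    resp[2] = msg[2];
    memcpy(resp + HB_HEADER, msg + HB_HEADER, payload);
    memset(resp + HB_HEADER + payload, 0, HB_PADDING);
    return HB_HEADER + payload + HB_PADDING;
}

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Sends a request that really carries "hello" (5 bytes) but claims `claimed` bytes.
 * Returns the response length (0 = discarded); *leaked is set if the response carries the
 * neighbouring password, which the client never sent. */
static size_t run_heartbeat(hb_handler handler, uint16_t claimed, int *leaked) {
    unsigned char resp[512];
    memset(server_memory, 0, sizeof server_memory);
    size_t msg_len = build_request(server_memory, claimed, "hello", 5);
    memcpy(server_memory + msg_len, neighbour_data, sizeof neighbour_data);
    size_t n = handler(server_memory, msg_len, resp, sizeof resp);
    *leaked = contains(resp, n, "hunter2");
    return n;
}

static size_t response_len(hb_handler h, uint16_t claimed) { int l; return run_heartbeat(h, claimed, &l); }
static int leaks_secret(hb_handler h, uint16_t claimed) { int l; run_heartbeat(h, claimed, &l); return l; }

int main(void) {
    int leaked;
    size_t n = run_heartbeat(heartbeat_vulnerable, 100, &leaked);
    printf("vulnerable: %zu bytes back for a 5-byte payload, password leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_heartbeat(heartbeat_fixed, 100, &leaked);
    printf("fixed:      %zu bytes back (0 = discarded), password leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

The vulnerable handler answers the 5-byte request with 119 bytes and the response contains the neighbouring password; the fixed handler drops the same request without replying, which is why nothing in the server's logs or the client's behaviour distinguishes a probe from a legitimate heartbeat. An honest request (claimed length 5) still gets its 24-byte echo from the fixed handler.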
on April 09 2014 13:49:41
Btw, this might be an opportunity to set up two-factor authentication for important/sensitive sites, like Gmail, Facebook, etc. Two-factor authentication means that in addition to your password, you get a separate code via SMS or an app on your phone. This code changes every minute. If your password gets leaked/hacked, it will be useless without your phone.
The site itself has to support two-factor authentication, here is a list. Some sites use SMS, some use apps, some offer both. I use an app called Authy, as a single app for many services. Usually, when logging in to a site where you have enabled this, you will get an option to trust the computer, and then you won't have to enter the generated code every time you log on from that computer.
Two-factor authentication can be a bit bothersome, but it greatly improves your security.
Another security measure you might want to consider, is using a password manager like LastPass, KeePass or 1Password (or iCloud KeyChain, but that is for Apple platforms only). These can generate unique, complex passwords for every service you use, and remember them for you. You then only have to remember one password. Oh, but don't use your browser's password manager!
on April 09 2014 15:47:00
One password to remember all the other passwords! Better not forget that one.
Here in the Faroes, people are always complaining about SSL..
on April 09 2014 15:55:04
One password to remember all the other passwords!
One Password to rule them all, One Password to find them,
One Password to bring them all and in the Cloud bind them
In the Land of the NSA where the Shadows lie.
on April 11 2014 20:29:14
http://xkcd.com/1354/