The flaw, nicknamed “Heartbleed,” is contained in several versions of OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption. Most websites use either SSL or TLS, which is indicated in browsers with a padlock symbol.
The flaw, which was introduced in December 2011, has been fixed in OpenSSL 1.0.1g, which was released on Monday.
Martin Odhelius @modhelius 35m One of the biggest security bugs in history found in OpenSSL. If you've entered any password at ANY site the last 2 days, change it!
It's not clear how widespread the bug is or was, but it is thought that at least two-thirds of websites could be affected, as the most notable software using OpenSSL are the open-source web servers Apache and nginx.
RationalDespair
There's a lot more info on this on Heartbleed.com. This vulnerability has been exposed for over two years now and it's impossible to determine what has been compromised or not.
The worst thing is that in order to close the vulnerability, all corporations and users of OpenSSL software have to become aware of this and install the "fix"-release a.s.a.p.
So yeah, I guess it's time to change passwords again...
shaneslaughta
A security hole in SSL is a serious problem. The biggest issue is credit card and banking information is all secured using SSL.
This is a truly frightening problem. I just made some purchases online a few days ago. :/
Edit: From my research so far, it seems to be a man-in-the-middle attack of sorts. Someone captures your SSL-encrypted packets and stores them locally to decrypt the contents.
If they had the ability to do it once, what's to stop them from doing it again?
edit on 4/8/2014 by shaneslaughta because: (no reason given)
Facebook requires you to give your real name when you sign up. If they suspect you are using a fake name, they ask for your phone number to verify your identity; if you refuse to provide that, they ask for a photocopy of your government-issued ID. Do you really want that sort of info floating around the World Wide Web?
An easy-to-use exploit that is being widely traded online allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL “libssl” library in chunks of 64kb at a time. As CERT notes, an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets.
Is this a MITM bug like Apple's goto fail bug was?
No, this doesn't require a man-in-the-middle attack (MITM). An attacker can directly contact the vulnerable service or attack any user connecting to a malicious service. However, in addition to the direct threat, the theft of the key material allows man-in-the-middle attackers to impersonate compromised services.
Who found the Heartbleed Bug?
This bug was independently discovered by a team of security engineers (Riku, Antti and Matti) at Codenomicon and Neel Mehta of Google Security, who first reported it to the OpenSSL team. The Codenomicon team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools and reported this bug to the NCSC-FI for vulnerability coordination and reporting to the OpenSSL team.
What versions of OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the bug.
How about operating systems?
Some operating system distributions that have shipped with a potentially vulnerable OpenSSL version:
Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)
Operating system distributions with versions that are not vulnerable:
Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14
SUSE Linux Enterprise Server
FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013
FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
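As an added example (not from this thread or from heartbleed.com), a small Python triage helper that applies the version table quoted above to an inventory of OpenSSL version strings, accepting both the `openssl version` banner form ("OpenSSL 1.0.1e 11 Feb 2013") and the distribution package form ("1.0.1e-2+deb7u4") quoted above. The hostnames and the inventory are constructed. Distributions backport the fix while keeping the upstream 1.0.1e string, so package builds that look vulnerable are flagged for a package changelog check rather than judged from the version alone.

```python
import re

# Matches both the `openssl version` banner ("OpenSSL 1.0.1e 11 Feb 2013") and a
# distribution package version ("1.0.1e-2+deb7u4", "1.0.1e-15"). Upstream release
# letters sort alphabetically: 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g.
VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(\S+))?")

def parse_openssl_version(text):
    """Return (branch, letter, package_revision), e.g. ((1, 0, 1), 'e', '2+deb7u4').
    letter is '' for a bare release like 'OpenSSL 1.0.1'; revision is None for upstream builds."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letter, revision = m.groups()
    return (int(major), int(minor), int(patch)), letter, revision

def heartbleed_status(text):
    """Apply the upstream version table from heartbleed.com to one version string:
    'vulnerable' for 1.0.1 through 1.0.1f, 'fixed' for 1.0.1g and later letters,
    'not vulnerable' for the 0.9.8 and 1.0.0 branches, 'unknown' for any other branch."""
    branch, letter, _ = parse_openssl_version(text)
    if branch in ((0, 9, 8), (1, 0, 0)):
        return "not vulnerable"
    if branch != (1, 0, 1):
        return "unknown"
    return "vulnerable" if letter < "g" else "fixed"

def triage_inventory(inventory):
    """inventory: {hostname: version string} -> {hostname: status}.
    A host whose upstream version is vulnerable but that runs a distribution package
    (a '-revision' suffix is present) gets 'needs package check': distributions backport
    the fix while keeping the upstream 1.0.1e string, so only the changelog settles it."""
    report = {}
    for host, text in inventory.items():
        status = heartbleed_status(text)
        if status == "vulnerable" and parse_openssl_version(text)[2] is not None:
            status = "needs package check"
        report[host] = status
    return report

if __name__ == "__main__":
    # Constructed sample inventory using version strings quoted on the page.
    sample = {"web1": "OpenSSL 1.0.1e 11 Feb 2013", "web2": "OpenSSL 1.0.1g 7 Apr 2014",
              "db1": "0.9.8y", "app1": "1.0.1e-2+deb7u4"}
    print(triage_inventory(sample))
```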
RavenNinja
Do you not think it strange that this was made public rather than going through the usual channels of find exploit-report-claim bounty-patch issued-reported on news sites? It just simply went public.
Do you not think it strange that heartbleed.com was registered in the first place? Almost as if it was planned in advance...
Do you not think it is strange that mainstream media, whilst reporting on it, are downplaying it?
Do you not think it strange that Tor, our magnificent champion of anonymous browsing (partly funded by USG), issued a statement saying "If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle." blog.torproject.org...
Disclaimer: This scan was performed around April 8, 12:00 UTC, so please stop sending pull requests to remove your site!
shaneslaughta
reply to post by an0maly33
I just found out about it, haven't had time to do anything yet. Looking into things now. I have multiple machines, different setups, different OS too. I have my work cut out for me. I don't have SSL certs. No need for them on my sites. Though I was planning an online store, things like this make me not want to do anything big like that. Too much responsibility with customer data.
diggindirt
Since I'm pretty much a box of rocks concerning computer security, may I ask a question about this issue?
I use my computer to cruise the net, do email, make pretty pictures, documents (mostly family history stuff) and play games. I don't use it to order stuff or for any financial stuff. I don't do any social networks. This site is about as social as I get.
My computer guru, the guy who built the machine for me, installs the security programs and updates them for me.
Should I be worried?
Thanks.
Chamberf=6
Here's a place you can use to check if a patch or fix has been used for "secure" sites you may use:
lastpass.com...