GO-NAD!

Audioholic Spartan
Anyone here concerned about this? I'm not really geeky enough to fully grasp the implications, but if this has been an issue for a couple of years, could it really be that bad?
 
TLS Guy

Seriously, I have no life.
Anyone here concerned about this? I'm not really geeky enough to fully grasp the implications, but if this has been an issue for a couple of years, could it really be that bad?
It probably is. Time to go back to the quill and ink!
 
BoredSysAdmin

Audioholic Slumlord
Anyone here concerned about this? I'm not really geeky enough to fully grasp the implications, but if this has been an issue for a couple of years, could it really be that bad?
It's worse than bad, much much worse. If anyone here is running a website or a portion of a website protected by SSL (https://www.xxxxxxxxxxx.xxx/)
Same thing for SFTP sites, SSH remote access etc...

If you don't know any of these terms - you probably have nothing to worry about, except, of course, using the above-mentioned protocols and tools and worrying about your personal data leaking.

Tell your IT people to patch the systems ASAP
 
jinjuku

Moderator
Yes it is bad. Tuesday we patched all our Linux boxes.

Even if you don't understand what the terms mean, trust me, you are using those technologies.
 
fuzz092888

Audioholic Warlord
From what I've read it sounds pretty bad. Any company that uses SSL encryption could have had data stolen from it with zero traces. Check your bank accounts regularly :eek:
 
Steve81

Audioholics Five-0
From what I've read it sounds pretty bad. Any company that uses SSL encryption could have had data stolen from it with zero traces. Check your bank accounts regularly :eek:
Isn't it a vulnerability in OpenSSL (one variant, as opposed to all SSL/TLS implementations)?
 
Adam

Audioholic Jedi
There's a whole slew of things out there that are "bad." There's always something that could be a problem. Some we find, most we don't. Some are related to cyber security, some to health, and so on. Could this make my life worse? Yes. But, so can a lot of other things. Because I'm not responsible for websites that use this, I'm not going to worry about it. If someone drains my bank account, odds are they're going to do the same to a lot of other people, and I have paper statements showing my balances.
 
GO-NAD!

Audioholic Spartan
Yes it is bad. Tuesday we patched all our Linux boxes.

Even if you don't understand what the terms mean, trust me, you are using those technologies.
I have a basic grasp of what it means and I realize that SSL is used practically everywhere, but if this has been a problem for a couple of years, you would think that someone would have been able to take advantage of it by now. If someone has been exploiting it, they've been very crafty about it. Otherwise, wouldn't we be hearing reports of breaches of secure sites that couldn't be explained?
 
BoredSysAdmin

Audioholic Slumlord
Isn't it a vulnerability in OpenSSL (one variant, as opposed to all SSL/TLS implementations)?
Yes, but it's like saying it's an issue with the fuel combustion engine (one variant, as opposed to all types of engines)

Most of the internet is built on LAMP - probably around 70% - and the vast majority of these sites use OpenSSL to implement secure access when needed.
 
Steve81

Audioholics Five-0
Yes, but it's like saying it's an issue with the fuel combustion engine (one variant, as opposed to all types of engines)

Most of the internet is built on LAMP - probably around 70% - and the vast majority of these sites use OpenSSL to implement secure access when needed.
Not to underplay the issue, but there's still a significant difference between saying "most websites" and "all websites" will be impacted. It's nice to know my Outlook.com account won't be impacted for example.
 
BoredSysAdmin

Audioholic Slumlord
Not to underplay the issue, but there's still a significant difference between saying "most websites" and "all websites" will be impacted. It's nice to know my Outlook.com account won't be impacted for example.
The biggest sites, I believe, were updated quite rapidly (yesterday), but there are still hundreds of thousands which were not.
 
jliedeka

Audioholic General
Not every site that uses SSL, even using OpenSSL, is vulnerable. The stats I saw showed the minority using the SSL heartbeat feature. The ones that didn't enable it aren't vulnerable. SSH is not affected.

Apparently the issue is in OpenSSL's wrapper code around malloc and free. It allowed reading past the end of a buffer. Theo de Raadt, the maintainer of OpenBSD, had some choice words about OpenSSL's design.

Jim
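As an added illustration of the over-read jliedeka describes (this is constructed example code, not code from the thread or from OpenSSL), here is a heartbeat handler that trusts the length field inside the record, beside one that checks that field against the record actually received. The 64-byte arena, the record layout and the "SECRET-COOKIE" string are all made up for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed heartbeat record layout: [0] type, [1..2] big-endian
   payload_length, [3..] payload, then at least 16 bytes of padding. */
#define HB_PADDING 16

/* Vulnerable handler: trusts the length field inside the record and copies
   that many bytes from the payload, so it reads past the record's real end. */
size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap) {
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                        /* the received length is never consulted */
    if (payload_len > out_cap) return 0;  /* only the destination is bounds-checked */
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Fixed handler: the declared payload plus header and padding must fit
   inside the record that actually arrived, otherwise discard silently. */
size_t heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Constructed demo: a 64-byte arena stands in for connection memory. The
   record fills the first 23 bytes; a fake secret sits immediately after it. */
uint8_t arena[64], reply[128];
size_t build_demo_arena(void) {          /* returns the true record length */
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                        /* heartbeat_request */
    arena[1] = 0; arena[2] = 40;         /* claims 40 payload bytes; 4 follow */
    memcpy(arena + 3, "ping", 4);        /* arena[7..22] is the zero padding */
    memcpy(arena + 23, "SECRET-COOKIE", 13);
    return 1 + 2 + 4 + HB_PADDING;
}

/* Bytes the vulnerable handler echoes beyond the 4 real payload bytes. */
size_t demo_vulnerable_overread(void) {
    size_t got = heartbeat_reply_vulnerable(arena, build_demo_arena(), reply, sizeof reply);
    return got > 4 ? got - 4 : 0;
}
size_t demo_fixed_reply(void) { return heartbeat_reply_fixed(arena, build_demo_arena(), reply, sizeof reply); }
```

The fixed handler rejects the lying record outright, which is the check the patched OpenSSL releases added; the vulnerable one hands back 36 bytes it was never sent, including the adjacent secret.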
 
jinjuku

Moderator
How does the end user know if the SSL-encrypted website they are using uses that method?

I'm just happy I use a password manager. Different, long, with unique character passwords thank you very much.
 
jinjuku

Moderator
I know about the utility. But what I am saying is we are in the know. How is Joe User going to know?
 
3db

Audioholic Slumlord
I'm chiming in now. First off, I don't know why they call it a bug. It's not a bug as in malware. It's simply a security hole with GNU-based OpenSSL. Solaris/Oracle branded OpenSSL is safe. Secondly, you would need to be a mathematician to take advantage of this security hole in reconstructing the memory segments that are available for viewing in this hole. The problem lies with the media and its sensationalism and bottom line of making money instead of accurately reporting what constitutes news. This is far too overhyped.
 
BoredSysAdmin

Audioholic Slumlord
I'm chiming in now. First off, I don't know why they call it a bug. It's not a bug as in malware. It's simply a security hole with GNU-based OpenSSL. Solaris/Oracle branded OpenSSL is safe. Secondly, you would need to be a mathematician to take advantage of this security hole in reconstructing the memory segments that are available for viewing in this hole. The problem lies with the media and its sensationalism and bottom line of making money instead of accurately reporting what constitutes news. This is far too overhyped.
One does indeed have to be a very smart folk to find it in the first place, but the problem is one does not have to be too bright to use it since proof-of-concept code became available.
Even the slightest (smaller than winning the megaball lottery) chance of leaking private keys is a HUGE issue by itself.
Again, it's not Solaris or BSD servers which power a huge portion of the internet, but specifically GNU-based distros which used GNU-based OpenSSL. The saving grace is not everyone (a minority) had the heartbeat feature turned on.
 
BoredSysAdmin

Audioholic Slumlord
It's not a bug..
Yes it is.
A security issue in the code is definitely a code bug. Not a bug as in malware, but as in an issue in the programming.
And this is not "over-hyped" enough.
 