‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys
Posted on 04/08/2014 6:13:21 PM PDT by Drago
Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.
(Excerpt) Read more at krebsonsecurity.com ...
List of top sites: https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
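To make the "steal private keys from memory" part of the excerpt concrete, here is a small added simulation (not code from the article, from OpenSSL, or from anyone in this thread). It lays out a TLS heartbeat record as RFC 6520 defines it, puts a constructed "private key" string in the memory right after it, and runs two handlers over the same bytes: one that mirrors what OpenSSL 1.0.1 through 1.0.1f did (echo back as many bytes as the sender's length field claims), and one that applies the bounds check added in 1.0.1g. The arena size, the 120-byte claimed length and the secret string are all made up for the demo; the real bug could read up to 64 KiB past the record per request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simulated server memory: one received TLS heartbeat record (RFC 6520:
 * type(1) | payload_length(2) | payload | padding(>=16 bytes)) followed by
 * whatever else happened to be allocated next to it. All contents here are
 * constructed for the demonstration.
 */
#define ARENA_SIZE 256u

typedef struct {
    unsigned char arena[ARENA_SIZE];
    size_t record_len;          /* bytes actually received for this record */
} server_mem_t;

/* Lay out a heartbeat request whose length field may lie about the payload size,
   then place unrelated sensitive data right after the record. */
static void build_memory(server_mem_t *m, uint16_t claimed_len,
                         const char *payload, const char *adjacent_secret)
{
    unsigned char *p = m->arena;
    size_t plen = strlen(payload);

    memset(m->arena, 0, sizeof m->arena);
    *p++ = 1;                              /* heartbeat_request */
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, payload, plen);
    p += plen;
    p += 16;                               /* minimum padding, left as zeros */
    m->record_len = (size_t)(p - m->arena);

    /* Not part of the record: e.g. a private key fragment sitting next to it. */
    memcpy(m->arena + m->record_len, adjacent_secret, strlen(adjacent_secret));
}

/* Mirrors the OpenSSL 1.0.1-1.0.1f behaviour: the echoed length is taken from
   the sender-controlled field and never compared with the record length.
   Returns the number of bytes that would be sent back, or -1 on error. */
static int heartbeat_vulnerable(const server_mem_t *m, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = m->arena;
    size_t payload = ((size_t)p[1] << 8) | p[2];

    /* Only keeps the simulation inside its own array; real OpenSSL had no
       such limit and would read up to 64 KiB past the record. */
    if (payload > out_cap || 3 + payload > ARENA_SIZE)
        return -1;
    memcpy(out, p + 3, payload);           /* over-read into adjacent memory */
    return (int)payload;
}

/* Mirrors the 1.0.1g fix: discard any heartbeat whose declared payload does not
   fit inside the received record. Returns 0 when the request is dropped. */
static int heartbeat_fixed(const server_mem_t *m, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = m->arena;
    size_t payload;

    if (1 + 2 + 16 > m->record_len)        /* too short for type, length, padding */
        return 0;
    payload = ((size_t)p[1] << 8) | p[2];
    if (1 + 2 + payload + 16 > m->record_len)
        return 0;                          /* the Heartbleed check */
    if (payload > out_cap)
        return -1;
    memcpy(out, p + 3, payload);
    return (int)payload;
}

/* memmem() is not standard C, so search a byte buffer by hand. */
static int buf_contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Scenario: 2-byte payload, length field claiming 120, "key" next door.
   Returns 1 if the vulnerable handler leaks the key in its response. */
static int demo_vulnerable_leaks_key(void)
{
    server_mem_t m;
    unsigned char out[ARENA_SIZE];
    const char *secret = "-----BEGIN RSA PRIVATE KEY----- (constructed)";
    build_memory(&m, 120, "hi", secret);
    int n = heartbeat_vulnerable(&m, out, sizeof out);
    return n == 120 && buf_contains(out, (size_t)n, secret);
}

/* Same malicious record against the fixed handler: it must be dropped (0 bytes). */
static int demo_fixed_drops_request(void)
{
    server_mem_t m;
    unsigned char out[ARENA_SIZE];
    build_memory(&m, 120, "hi", "-----BEGIN RSA PRIVATE KEY----- (constructed)");
    return heartbeat_fixed(&m, out, sizeof out);
}

/* An honest heartbeat (length field == real payload size) is still echoed. */
static int demo_fixed_echoes_honest_request(void)
{
    server_mem_t m;
    unsigned char out[ARENA_SIZE];
    build_memory(&m, 2, "hi", "unrelated");
    int n = heartbeat_fixed(&m, out, sizeof out);
    return n == 2 && memcmp(out, "hi", 2) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks adjacent key: %s\n",
           demo_vulnerable_leaks_key() ? "yes" : "no");
    printf("fixed handler drops bogus request:     %s\n",
           demo_fixed_drops_request() == 0 ? "yes" : "no");
    printf("fixed handler echoes honest request:   %s\n",
           demo_fixed_echoes_honest_request() ? "yes" : "no");
    return 0;
}
```

The point of the side-by-side is that the fix is a single comparison of the claimed payload length against the bytes actually received; everything the vulnerable handler echoes beyond the real payload is whatever happened to be adjacent in the server process, which is why session cookies, passwords and the certificate's private key were all on the table, and why patching alone does not undo a key that may already have been read.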
I’ve read that OSX gets a pass on this.
What does OSX have to do with this?
This is a server side issue.
It is on the web server side (not your local PC). Sites you use could be compromised (around 500 million sites?). See: http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
Someone at an open WiFi ‘hotspot’ could have a field day with this. Of course, anyone with half a brain should know better than to do anything sensitive at all in such places. (This probably eliminates 90% of the population.)
Virtually all net traffic could be intercepted and human readable.
Make that “half a million” not 500 million...sorry.
It isn't necessarily 'server side' either. It could allow someone to 'impersonate' a secure server and intercept data intended to be sent to it.
Holy crap, this is huge. What’s bad is that the certificate private key is exposed. That means someone can steal the certificate and impersonate the site.
This is open source software that is used on servers (primarily but not exclusively servers running Linux).
Yah. Bad deal. Need to know more.
“I’ve read that OSX gets a pass on this.”
I hope that was satire. Perhaps not from a Mac user though... just so you know, the horrific vulnerability exposed a couple of months back in OSX 10 was a client-side exploit unique to Macs that allowed third parties to view what should have been secure and encrypted communication, and is totally unrelated to this security issue.
Your issue was client-side, this is a different issue server-side. Whatever bandaids Apple may have applied to your Mac has absolutely zero to do with this new exploit, and will do nothing to protect you.
Trying to translate into Mac-User-language, think of it as the difference between someone hopping in your car and looking over your shoulder as you type in your PIN# at the ATM, versus someone being able to electronically harvest any PIN number from any ATM.
The first instance, the client-side Mac exclusive exploit, was simply the fault of Apple and Mac Users. Like manufacturing a car without door locks, buying said car, and not taking any personal security measures to stop someone from hopping into the passenger seat and asking you what’s up.
The second instance is a bit more like ATM manufacturers using a method of encrypting and storing PIN numbers that someone was able to decode, allowing unauthorized persons to view data that should be securely encrypted.
You can’t really do anything client-side to fix this exploit, nor can Apple do anything. It’s up to each individual webpage or service on the net using the outdated versions of OpenSSL to update their servers to a more recent version of OpenSSL, and reset user passwords.
“Virtually all net traffic could be intercepted and human readable.”
Nope, just sites running an outdated version of OpenSSL, of which naturally Yahoo is one. It’s just incumbent on web admins to update their libraries and reset user passwords.
There’s already an OpenSSL update to solve that problem. The answer for those using open source operating systems is to update.
The way I understand it, OSX still uses version 9, version 9.6-10.2 has the leak.
If an instance of 9 on the host syncs up with 9 on OSX, where’s the problem?
It’s not an “outdated version”. It is what was the current version before this bug was found. I checked both my Linux boxes, and both were running a vulnerable version.
My Raspberry Pi computer runs a somewhat obscure distro (Raspbian) that doesn’t even have an updated openssl package yet that is free of the issue. So I’ve had to take that machine off the internet for now (it was hosting my remotely accessible cat treat feeder, which has an HTTPS web site).
And even if the site owner updates openssl, there is no guarantee that the private key for his web site certificate wasn’t stolen in the interval before the software was updated. If an attacker was able to steal the private key, he could potentially impersonate the site and steal users’ passwords and other info.
This is a huge big deal that we will be sorting out for some time.
Sites can be tested by entering URLs behind the link.
Interesting related article...
The Howard Schmidt guy at his company’s site:
The openssl vulnerabilities page: