Skip to comments.‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys
Posted on 04/08/2014 6:13:21 PM PDT by Drago
Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.
(Excerpt) Read more at krebsonsecurity.com ...
List of top sites: https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
I’ve read that OSX get’s a pass on this.
What does OSX got to do with this?
This is a server side issue.
It is on the web server side (not your local PC). Sites you use could be compromised (around 500 million sites?). See: http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
Someone at an open WiFi ‘hotspot’ could have a field day with this. Of course, anyone with half a brain should know better than do anything sensitive at all in such places. (this probably eliminates 90% of the population)
Virtually all net traffic could be intercepted and human readable.
Make that “half a million” not 500 million...sorry.
It isn't necessarily 'server side' either. It could allow someone to 'impersonate' a secure server and intercept data intended to be sent to it.
Holy crap, this is huge. What’s bad is that the certificate private key is exposed. That means someone can steal the certificate and impersonate the site.
This is open source software that is used on servers (primarily but not exclusively servers running Linux).
Sponsoring FReepers are contributing
$10 Each time a New Monthly Donor signs up!
Get more bang for your FR buck!
Click Here To Sign Up Now!
Yah. Bad deal. Need to know more.
“Ive read that OSX gets a pass on this.”
I hope that was satire. Perhaps not from a Mac user though... just so you know, the horrific vulnerability exposed a couple of months back in OSX 10 was a client-side exploit unique to Macs that allowed third-parties to view what should have been secure and encrypted communication, and is totally unrelated to this security issue.
Your issue was client-side, this is a different issue server-side. Whatever bandaids Apple may have applied to your Mac has absolutely zero to do with this new exploit, and will do nothing to protect you.
Trying to translate into Mac-User-language, think of it as the difference between someone sitting hopping in your car and looking over your shoulder as you type in your PIN# at the ATM, versus someone being able to electronically harvest any PIN number from any ATM.
The first instance, the client-side Mac exclusive exploit, was simply the fault of Apple and Mac Users. Like manufacturing a car without door locks, buying said car, and not taking any personal security measures to stop someone from hopping into the passenger seat and asking you what’s up.
The second instance is a bit more like ATM manufacturers using a method of encrypting and storing PIN numbers that someone was able to decode, allowing unauthorized persons to view data that should be securely encrypted.
You can’t really do anything client-side to fix this exploit, nor can Apple do anything. It’s up to each individual webpage or service on the net using the outdated versions of OpenSSL to update their servers to a more recent version of OpenSSL, and reset user passwords.
“Virtually all net traffic could be intercepted and human readable.”
Nope, just sites running an outdated version of OpenSSL, of which naturally Yahoo is one. It’s just incumbent on web admins to update their libraries and reset user passwords.
There’s already an OpenSSL update to solve that problem. The answer for those using open source operating systems is to update.
The way I understand it, OSX still uses version 9, version 9.6-10.2 has the leak.
If an instance of 9 on the host sync’s up with 9 on OSX where’s the problem.
It’s not an “outdated version”. It is what was the current version before this bug was found. I checked both my Linux boxes, and both were running a vulnerable version.
For my Raspberry Pi computer runs a somewhat obscure distro (Raspbian) that doesn’t even have an updated openssl package that does not have the issue. So I’ve had to take that machine off the internet for now (it was hosting my remotely accessible cat treat feeder, which has an HTTPS web site).
And even if the site owner updates openssl, there is no guarantee that the private key for his web site certificate wasn’t stolen in the interval before the software was updated. If an attacker was able to steal the private key, he could potentially impersonate the site and steal user’s passwords and other info.
This is a huge big deal that we will be sorting out for some time.
Sites can be tested by entering URLs behind the link.
Interesting related article...
The Howard Schmidt guy at his company’s site:
The openssl vulnerabilities page:
From your link (THANKS!)
All good, us-mg6.mail.yahoo.com seems not affected!
“The way I understand it, OSX still uses version 9, version 9.6-10.2 has the leak. If an instance of 9 on the host syncs up with 9 on OSX wheres the problem.”
No. You don’t understand.
Short summary - your data is vulnerable, your Mac is not immune.
This exploit is not a Mac exploit, it’s an OpenSSL exploit. Do you know what those words mean? Mac and OpenSSL? Mac is the obsolete and obscenely overpriced computer that some bright marketers repackaged in order to sell to technophobes - OpenSSL is a piece of software used by some websites to encrypt information.
Why do you mistakenly think your Mac, or your operating system, can protect you from flaws in the software that Yahoo and other websites use to store information or communicate with you?
Let me explain it from your end. When you turn on your computer and open your web browser, you can communicate with other computers in the world. The websites you visit, like Free Republic and Yahoo, are actually files located on the harddrives of other computers.
When you log in to a website in order to purchase something, or log in to an account in order to email someone or post on a discussion board, those other computers that are hosting those sites and services use encryption software in order to communicate private details with your computer.
OpenSSL is one of the types of encryption software used to communicate encrypted information (passwords, credit card numbers, etc.).
However, there’s a problem, one of the types of software used to encrypt user data and communications has a flaw. That flaw is unrelated to the problem Mac users had a few months back, when their Macs basically went around screaming to everyone that was listening “HEY EVERYONE! Look at what this guy is trying to encrypt!”
The fact that a few months back your crappy, obsolete, overpriced idiot-box wasn’t even bothering to properly use encryption for communication of sensitive information is totally and completely unrelated to the fact that one of the pieces of software people can use to encrypt information has a flaw in it.
Your operating system has nothing to do with the software Yahoo and other sites have installed on their own machines.
Nor does a patch to your Mac meant to get it to use encryption properly in the first place do anything whatsoever to fix any flaws encryption method or the software used to communicate encrypted information.
The fact that a few months back anyone in the world could view what a Mac user was doing (because the Mac wasn’t even really bothering to encrypt anything) is totally and completely unrelated to the fact that encryption can be broken. Apple may have come along and gotten your overpriced, obsolete piece of technology-for-the-technically-challenged to finally use encryption, but there’s a flaw in some of the encryption software out there.
Oh don’t get me wrong, this is a significant exploit, but I was responding to the assertion that virtually all net traffic would become readable.
OpenSSL is used by linux-folks like us (I’ve already updated my slackware boxes) and a fraction of webservers - as you said often but not exclusively Linux-based webservers (and automated cat treat machines, sadly). That’s a far cry from all net traffic, though it still remains a significant exploit - especially for the cats.
This will result in a number of costly problems, but most M$ and Mac users out there aren’t going to be seeing it manifest personally, and are just going to be experiencing their web-services updating their software and shuffling around user-logins - most of what they’re going to have to be doing will likely be related to user-prompts and password changes popping up once sites start trying to sort out the mess of potentially compromised private master keys, potentially compromised session cookies, and spoofed site certifications.
On the admin side this is one hell of a hairball to sort out.
Some people are born as arrogant pricks, they make up for a defective personality by making their opinions sound important.
I was responding to the assertion that virtually all net traffic would become readable.That certainly wasn't an assertion that I made. The point I was making is that the site owner won't necessarily know whether or not his private key was stolen, and end users won't know whether a HTTPS site they are visiting has had it's key stolen. You can patch your software to remove the vulnerability, but the horse has already left the barn.
Thanks. Looks like my sites at InMotion are vulnerable. Good thing I’m not doing any commerce on them.