Free Republic


Heartbleed Bug: Chartier Explains How Codenomicon Found The Massive Internet Security Breach
IBTimes.com | April 09 2014 10:16 PM | By Ryan W. Neal

Posted on 04/11/2014 8:22:27 AM PDT by topher

The cybersecurity firm that discovered the so-called Heartbleed bug, a gaping hole in the most widely used software privacy and security software on the Internet, said the flaw went undetected for two years because of the large amount of intensive work it takes to manually test encryption software.

(Excerpt) Read more at ibtimes.com ...


TOPICS: Business/Economy; News/Current Events
KEYWORDS: codenomicon; heartbleed
Dallas Morning News article calls for changing passwords.

But does this hole need to be fixed before changing passwords (changing passwords helps some)? But what good is it if the hole is not fixed?

1 posted on 04/11/2014 8:22:28 AM PDT by topher

To: topher; ShadowAce

For your Tech Ping list...


2 posted on 04/11/2014 8:30:17 AM PDT by CedarDave (CNN: The "Crisis News Channel" - all Flight 370 hysteria and global warming blather, all the time.)

To: topher
Other Freerepublic articles on Heartbleed:

[BBC] Heartbleed bug creates confusion on internet

[Krebs on Security] ‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys

3 posted on 04/11/2014 8:31:49 AM PDT by topher (Traditional values -- especially family values -- which have been proven over time.)

To: rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; amigatec; Still Thinking; ...

4 posted on 04/11/2014 8:32:57 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: topher
Am I wrong for thinking this ... We truly don't know what coding actually exists? Has this coding had two years to rewrite itself, as it appears? I am wondering why changing passwords is the temporary fix; if the coding is rewriting itself, could the coding not steal those passwords also?

I'm at a total loss to understand what is taking place regarding this hole. Guess I'm just plain stupid but hey I suspected such a long time ago.

5 posted on 04/11/2014 8:38:08 AM PDT by no-to-illegals (Scrutinize our government and Secure the Blessing of Freedom and Justice)

To: topher
Another Freerepublic.com Article on Heartbleed:

[The Blaze] Heartbleed: How the Net Bug That Caught Tech Experts by Surprise Affects You

6 posted on 04/11/2014 8:39:08 AM PDT by topher (Traditional values -- especially family values -- which have been proven over time.)

To: topher

I think I found some of the answers I sought at my post #5 in your post #6 topher. Thank You.


7 posted on 04/11/2014 8:46:24 AM PDT by no-to-illegals (Scrutinize our government and Secure the Blessing of Freedom and Justice)

To: no-to-illegals
Believe it or not, I had trouble posting that The Blaze link. I had to go to a different computer, and I used a different browser to be able to post it...

I think some folks are getting testy in Washington, DC (Fort Meade) about some issues...

Keep the heat on, GOP House!!!

8 posted on 04/11/2014 9:09:21 AM PDT by topher (Traditional values -- especially family values -- which have been proven over time.)

To: topher
For the completely tech-illiterate such as myself, who has no idea what all this really means...

http://money.cnn.com/2014/04/10/technology/security/heartbleed-passwords/index.html

Websites are racing to patch the Heartbleed bug, the worst security hole the Internet has ever seen.

As sites fix the bug on their end, it's time for you to change your passwords. The Heartbleed bug allowed information leaks from a key safety feature that is supposed to keep your online communication private -- email, banking, shopping, and passwords.

Don't change all your passwords yet, though. If a company hasn't yet updated its site, you still can't connect safely. A new password would be compromised too.

Many companies are not informing their customers of the danger -- or asking them to update their log-in credentials. So, here's a handy password list. It'll be updated as companies respond to CNN's questions.

Change these passwords now (they were patched)

•Google, YouTube and Gmail

•Facebook

•Yahoo, Yahoo Mail, Tumblr, Flickr

•OKCupid

•Wikipedia

Don't worry about these (they don't use the affected software, or ran a different version) [I think I will still worry anyway]

•Amazon

•AOL and MapQuest

•Bank of America

•Capital One bank

•Charles Schwab

•Chase bank

•Citibank

•E*Trade

•Fidelity

•HSBC bank

•LinkedIn

•Microsoft, Hotmail and Outlook

•PayPal

•PNC bank

•Scottrade

•TD Ameritrade

•Twitter

•U.S. Bank

•Vanguard

•Wells Fargo

Don't change these passwords yet (still unclear, no response)

•American Express

•Apple, iCloud and iTunes

9 posted on 04/11/2014 9:10:28 AM PDT by Envisioning (It's the Jihad, stupid......)

To: no-to-illegals

You raise an interesting point. If this was undetected for 2 years, why didn’t whoever found it just tell the people who make the software so they could fix it without the bad guys ever knowing that the security problem existed?


10 posted on 04/11/2014 9:11:27 AM PDT by Defiant (Let the Tea Party win, and we will declare peace on the American people and go home.)

To: topher

“But does this hole need to be fixed before changing passwords (changing passwords helps some)? But what good is it if the hole is not fixed?”

Correct. Does no good to change until fixed. Plus lots of the really big sites weren’t affected anyway. So you wouldn’t even know where to change.

Not to mention this is all completely hypothetical anyway as there has been no documented case of this exploit being utilized.

Actually, I think “killer computer bug” is a new genre of media alarmism, akin to killer sun spots, the coffee crop will be wiped out, and the chocolate crop will be wiped out. Each of these surfaces in the media every two years like clockwork.


11 posted on 04/11/2014 9:24:36 AM PDT by catnipman (Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)

To: no-to-illegals

OpenSSL is open source. You can download and go through the tomes of code. Nothing about it is secret.

Changing passwords is futile unless and until the website has patched their OpenSSL servers.

Here’s what most companies, mine included, are doing right now:

1. All certification authorities (CAs) have had their private keys revoked, all certificates issued by the CAs have been revoked, the servers are patched, rebooted, and the private key is reissued.

2. All servers with certificates signed by the CA are deleted from the server certificate store. New certificate signing requests (CSRs) are generated and issued to the CA. The CA signs the new certificate, and the servers are placed back in production.

3. Any servers with self-signed certificates are patched and rebooted. The private keys are deleted and regenerated. Certificates are generated with those keys, and the servers are put back into production.

It seems like a minor thing, but if you don’t have the proper infrastructure in place, it could take up to 20 minutes per server. My company alone has over 3,000 servers in production.


12 posted on 04/11/2014 9:25:01 AM PDT by rarestia (It's time to water the Tree of Liberty.)
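Step 3 of the post above (patch, delete the private key, regenerate it, issue a new certificate) has one check worth automating: that the certificate going back into production is bound to a key that did not exist before the patch. Re-issuing a certificate for the old key, which Heartbleed may have leaked, changes nothing. The script below is an added example, not the poster's tooling or anything from the thread; it drives the openssl command line through Python's subprocess, and the hostname www.example.test and the file names are made up. It covers only the self-signed case; for CA-issued certificates the same comparison applies to the new CSR and the certificate the CA returns, and the old certificate still has to be revoked.

```python
"""Added example (not from the thread): rotate a server's self-signed key and
certificate and verify that the rotation really replaced the key pair.
Uses the openssl CLI via subprocess; hostname and file names are made up."""
from __future__ import annotations

import os
import subprocess
import tempfile

HOST = "www.example.test"   # assumed hostname for the demo


def openssl(*args: str) -> bytes:
    """Run one openssl subcommand, raise on failure, return its stdout."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True).stdout


def new_private_key(path: str) -> None:
    """Fresh 2048-bit RSA key: the 'deleted and regenerated' step of the post."""
    openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", path)


def self_signed_cert(key_path: str, cert_path: str, host: str) -> None:
    """Self-signed certificate for an existing key (a CA-issued one would use a CSR here)."""
    openssl("req", "-new", "-x509", "-key", key_path, "-subj", f"/CN={host}",
            "-days", "1", "-out", cert_path)


def public_key_in_cert(cert_path: str) -> bytes:
    """PEM SubjectPublicKeyInfo embedded in a certificate."""
    return openssl("x509", "-in", cert_path, "-pubkey", "-noout")


def public_key_of(key_path: str) -> bytes:
    """PEM public half of a private key on disk."""
    return openssl("pkey", "-in", key_path, "-pubout")


def rotation_replaced_key(old_cert: str, new_key: str, new_cert: str) -> bool:
    """True only if the new certificate is bound to a key the old one was not,
    and that key is the one now on disk. A certificate re-issued for the
    possibly leaked key fails this check."""
    old_pub = public_key_in_cert(old_cert)
    new_pub = public_key_in_cert(new_cert)
    return new_pub != old_pub and new_pub == public_key_of(new_key)


def demo() -> tuple[bool, bool]:
    """(result for the wrong rotation, result for the right one)."""
    with tempfile.TemporaryDirectory() as work:
        old_key = os.path.join(work, "old.key")
        old_cert = os.path.join(work, "old.crt")
        new_private_key(old_key)
        self_signed_cert(old_key, old_cert, HOST)           # state before the patch

        reissued = os.path.join(work, "reissued.crt")
        self_signed_cert(old_key, reissued, HOST)           # wrong: same key, new cert

        new_key = os.path.join(work, "new.key")
        new_cert = os.path.join(work, "new.crt")
        new_private_key(new_key)                            # right: new key first,
        self_signed_cert(new_key, new_cert, HOST)           # then a cert for it

        return (rotation_replaced_key(old_cert, old_key, reissued),
                rotation_replaced_key(old_cert, new_key, new_cert))
```

demo() returns (False, True): the first value is the wrong rotation (new certificate, same key), the second is the right one. It needs the openssl binary on PATH, and each key generation takes a moment. The same public-key comparison can be run against a live server by fetching its certificate with `openssl s_client` and checking it against the key that was in use before the patch.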

To: Envisioning

Just FYI, OpenSSL is NOT the only player on the market for encryption. Microsoft has its own certificate services. The major public key infrastructure (PKI) players such as VeriSign and Thawte are unaffected, as they have proprietary encryption signing software.

If sites like Amazon, AOL, Fidelity, LinkedIn, etc. show they’re not affected, they’re not affected. They don’t use OpenSSL for encryption.

This is one of those things where you really do get what you paid for.


13 posted on 04/11/2014 9:27:22 AM PDT by rarestia (It's time to water the Tree of Liberty.)

To: topher; All
Codenomicon has set up the website: HeartBleed.com to document the problems with Heartbleed...
14 posted on 04/11/2014 9:28:45 AM PDT by topher (Traditional values -- especially family values -- which have been proven over time.)

To: topher

Heartbleed explained

http://xkcd.com/1354/


15 posted on 04/11/2014 9:29:25 AM PDT by AppyPappy

To: Defiant

OpenSSL is open source. Making something like this public to the open source community means it spreads like wildfire and causes panic.

They did the right thing. They found the vulnerability, worked with the key players in the open source community to ensure the patches were pushed to affected platforms, and only after the patch has been pushed to a majority of affected platforms do they go public.

This patch was actually pushed 2 months ago. Since certificates are generated and are generally valid for at least a year and sometimes over 5, there are a lot of vulnerable certificates out there in the wild that were generated with the affected software, thus leaving software vulnerable.


16 posted on 04/11/2014 9:29:56 AM PDT by rarestia (It's time to water the Tree of Liberty.)

To: rarestia
Just FYI, OpenSSL is NOT the only player on the market for encryption. Microsoft has its own certificate services. The major public key infrastructure (PKI) players such as VeriSign and Thawte are unaffected, as they have proprietary encryption signing software.

See, just that paragraph which makes complete sense to you might as well be written in Japanese as far as me understanding it.....LOL!

I just posted that article as an explanation to the "illiterate" as it made the most sense to me as to which systems/companies were affected or not. Sorry if I only added to the confusion.

17 posted on 04/11/2014 9:34:06 AM PDT by Envisioning (It's the Jihad, stupid......)

To: rarestia; Defiant; topher

Thanking Each of You for your responses.


18 posted on 04/11/2014 9:39:55 AM PDT by no-to-illegals (Scrutinize our government and Secure the Blessing of Freedom and Justice)

To: Envisioning

I’m just trying to clarify things for lay people. My personal phone has been vibrating off my desk with calls from friends and family asking if they’re safe.

Encryption is one of those things that most web users just expect to work as intended. When you get into the finer points of it, even security professionals, myself included, have a hard time admitting that it’s foolproof. There’s a LOT that can be screwed up if you don’t know what you’re doing, and on the surface it might look like you’ve configured a perfectly functional secure environment, but to a trained hacker or government operative, you’ve created a honey pot of personal data.

The media is fanning some intense flames on this. I’m trying to throw a little water on to them, because people get worked into a froth over this stuff.


19 posted on 04/11/2014 9:41:16 AM PDT by rarestia (It's time to water the Tree of Liberty.)

To: topher

IMO this was not discovered by hackers. If it had been then it would have wound up being overused to the point where security firms would have gone searching for the flaw long ago. It would also have been picked up in short order by white hat guys that run everything that leaves their computers through a filter that looks for suspicious strings and other things.

It may have been code planted in SSL by an NSA operative working on the open source code though.

Since Snowden, everyone is scrambling to encrypt everything end-to-end. This does not preclude snooping on an individual using a court order but end-to-end encryption for the bulk of net traffic means the end of wholesale snooping on everyone....NSA is saddened, it is what they have long feared.

Now to get real encryption for cell traffic instead of the gov approved weak crypto in use now.


20 posted on 04/11/2014 9:42:40 AM PDT by Bobalu (Four Cokes And A Fried Chicken)

To: topher

Intrusion detection picked up the first attack on this exploit early this AM in the network I manage..


21 posted on 04/11/2014 9:48:43 AM PDT by IamConservative
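The xkcd strip linked in post 15 and the intrusion-detection hit in post 21 both come down to the same few bytes: a TLS heartbeat record carries a 16-bit payload length, and the bug is that OpenSSL 1.0.1 through 1.0.1f copied that many bytes into the reply without checking that the record actually contained them. The Python simulation below is an added example, not code from the thread or from OpenSSL: it encodes heartbeat records per RFC 6520, runs them through a handler with the bug and one with the 1.0.1g bounds check, and applies the detection rule an IDS signature for this attack encodes. The "heap" contents and the sample secrets in it are constructed for the demo.

```python
"""Added example (not from the thread or from OpenSSL): a simulation of the
TLS Heartbeat extension (RFC 6520) showing the Heartbleed bug (CVE-2014-0160),
the check that fixes it, and the request-side detection rule.
The heap contents below are constructed for the demo."""
from __future__ import annotations

import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16                  # RFC 6520: at least 16 bytes of padding
HEADER = struct.Struct("!BH")     # type (1 byte) + payload_length (2 bytes)

# Constructed stand-in for whatever sat in process memory right after the
# received record: leftovers from earlier requests on the same server.
HEAP_TAIL = (b"\x00" * 40
             + b"POST /login user=alice&password=hunter2"
             + b"\x00" * 60
             + b"-----BEGIN RSA PRIVATE KEY----- (constructed)")


def build_heartbeat(payload: bytes, claimed_length: int | None = None) -> bytes:
    """Encode a HeartbeatRequest. An honest peer leaves claimed_length unset;
    a Heartbleed probe claims far more bytes than it actually sends."""
    if claimed_length is None:
        claimed_length = len(payload)
    return HEADER.pack(HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(record: bytes, heap_tail: bytes = HEAP_TAIL) -> bytes:
    """OpenSSL 1.0.1 through 1.0.1f: trusts payload_length and copies that
    many bytes starting at the payload, running off the end of the record."""
    _, payload_len = HEADER.unpack_from(record)
    memory = record + heap_tail                                   # record plus what follows it
    copied = memory[HEADER.size:HEADER.size + payload_len]        # memcpy(bp, pl, payload)
    return HEADER.pack(HEARTBEAT_RESPONSE, payload_len) + copied + b"\x00" * MIN_PADDING


def patched_handler(record: bytes, heap_tail: bytes = HEAP_TAIL) -> bytes | None:
    """OpenSSL 1.0.1g: bounds-check the claimed length against the record
    actually received and silently discard on mismatch (RFC 6520 section 4)."""
    if HEADER.size + MIN_PADDING > len(record):
        return None                                               # too short to even hold a header
    _, payload_len = HEADER.unpack_from(record)
    if HEADER.size + payload_len + MIN_PADDING > len(record):
        return None                                               # claimed payload does not fit
    payload = record[HEADER.size:HEADER.size + payload_len]
    return HEADER.pack(HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def is_heartbleed_probe(record: bytes) -> bool:
    """Detection rule: a HeartbeatRequest whose claimed payload length does
    not fit in the record that carried it. This is what an IDS matches on."""
    if len(record) < HEADER.size:
        return False
    hbtype, payload_len = HEADER.unpack_from(record)
    return hbtype == HEARTBEAT_REQUEST and HEADER.size + payload_len + MIN_PADDING > len(record)


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Everything a response echoes beyond the payload the client sent."""
    _, payload_len = HEADER.unpack_from(response)
    echoed = response[HEADER.size:HEADER.size + payload_len]
    return echoed[len(sent_payload):]
```

A real probe sends the same malformed record inside a TLS connection after the handshake and reads back up to 64 KiB of server memory per request; here the "memory" is a byte string, so the leak stops at its end. The rule in is_heartbleed_probe only flags the request, which is what an IDS sees; a patched server does not answer such a request at all, and that silence is how the public checkers of the time decided whether a host was still vulnerable.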

To: topher

Bump for later!


22 posted on 04/11/2014 9:49:46 AM PDT by dcwusmc (A FREE People have no sovereign save Almighty GOD!!! III OK We are EVERYWHERE!!!)

To: rarestia

One additional question, rarestia, please. If one does not do anything online other than browse, visit this site (FR) and send emails to family from one email site ... from all I can glean, that individual is basically safe and may not even need to change their passwords? Is that statement / question an affirmative, or am I misreading the information?


23 posted on 04/11/2014 9:56:18 AM PDT by no-to-illegals (Scrutinize our government and Secure the Blessing of Freedom and Justice)

To: no-to-illegals

Remember that SSL is used to mask your traffic. Since sites like FR, FoxNews, Drudge, etc. don’t use SSL (http vs https), then you really have little with which to be concerned.

Anywhere that sensitive data is passed, anywhere a password is required, anywhere that personally identifiable information is presented to an entity outside of your circle of trust, you SHOULD be using SSL or your data could be compromised.

So to answer your question, are you safe? Sure, you’re safe insomuch as insecure traffic isn’t affected by this data breach. If, however, you are reading your email on a site that does not use SSL or logging into a site, such as FR, where your login is not protected by SSL, then you’re passing all of your credentials and data to that server in clear text which can be read by anyone. Food for thought.


24 posted on 04/11/2014 10:24:17 AM PDT by rarestia (It's time to water the Tree of Liberty.)

To: rarestia
Thank you for a logical answer, and an answer each of us can take literally as being food for thought.
25 posted on 04/11/2014 10:44:53 AM PDT by no-to-illegals (Scrutinize our government and Secure the Blessing of Freedom and Justice)

To: topher

This site will test any domain to give you some idea of its security and whether it is affected by Heartbleed or not.

https://www.ssllabs.com/ssltest/


26 posted on 04/11/2014 10:57:52 AM PDT by Lake Living

To: AppyPappy

That is great. I hope everyone who is wondering what this is all about looks at that. It is clear and accurate.


27 posted on 04/11/2014 11:09:15 AM PDT by T. P. Pole

To: topher
One of the arguments made for open source software is that all the extra eyes on the code detect bugs faster. It apparently did not work in this case.
28 posted on 04/11/2014 7:36:49 PM PDT by beef (Who Killed Kennewick Man?)

To: Lake Living
I tried this with a couple of banks, and one bank "flunked" and another bank could not be rated.

And these were major banks...

29 posted on 04/11/2014 7:53:51 PM PDT by topher (Traditional values -- especially family values -- which have been proven over time.)

To: ShadowAce

You seem pretty up on this stuff. This thread http://www.freerepublic.com/focus/f-chat/3143545/posts
says you don’t have to be concerned if you have an apple phone or computer. I’m somewhat skeptical. Is this correct? I thought the problem was on the site you are visiting.


30 posted on 04/11/2014 8:24:46 PM PDT by Lurkina.n.Learnin

To: Lurkina.n.Learnin
The problem is on the site you are visiting.

However, Apple is claiming that its server-side services are not vulnerable--which is great.

They threw in the other products in that announcement--I think--merely as a matter of marketing.

31 posted on 04/12/2014 7:19:09 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

That’s what I thought. It sounds like a false sense of security if people think they are safe because they use a Mac when what you are using isn’t the problem in the first place.


32 posted on 04/12/2014 7:22:24 AM PDT by Lurkina.n.Learnin
