Free Republic
Browse · Search
News/Activism
Topics · Post Article


1 posted on 04/09/2014 3:00:05 PM PDT by kingattax


To: kingattax

Drive down and talk to your local, cute Teller.


2 posted on 04/09/2014 3:01:55 PM PDT by Paladin2

To: kingattax
The code vulnerability exists within layers of secure Internet server coding.

If a vulnerability can exist with "layers of secure coding" and undermine the whole structure, why do we call them "layers?"

3 posted on 04/09/2014 3:02:28 PM PDT by Steely Tom (How do you feel about robbing Peter's robot?)

To: kingattax

This appears to be ‘the big one’ and it was open source.. And the bug went unnoticed since late 2011.. This is a huge blow.

I updated my client stuff to 1.01g, which is fixed. But who knows how long actual web site owners will take to upgrade.


4 posted on 04/09/2014 3:03:59 PM PDT by Monty22002

To: kingattax; Jim Robinson; John Robinson

Ping !,,,,!,,,!


5 posted on 04/09/2014 3:04:23 PM PDT by moose07 (the truth will out ,one day.)

To: kingattax

This is all Algore’s fault. He invented a flawed internet.


6 posted on 04/09/2014 3:07:55 PM PDT by Proud2BeRight

To: kingattax

Any other source other than “The Blaze?” Hate that site and all of its pop-ups.


7 posted on 04/09/2014 3:11:57 PM PDT by A_Tradition_Continues (formerly known as Politicalwit ...05/28/98 Class of '98)

To: kingattax

So it sounds like the problem is with how individual sites handle SSL. Anyone know if Bank of America or PayPal websites are affected by this?


10 posted on 04/09/2014 3:20:14 PM PDT by Menehune56 ("Let them hate so long as they fear" (Oderint Dum Metuant), Lucius Accius (170 BC - 86 BC))

To: kingattax

check out your bank/etc here to see if it is vulnerable

http://lastpass.com/heartbleed/


11 posted on 04/09/2014 3:31:37 PM PDT by Chode (Stand UP and Be Counted, or line up and be numbered - *DTOM* -vvv- NO Pity for the LAZY - 86-44)

To: kingattax

Here’s a good source with a few things users can do to help protect themselves. However, it’s the hosting sites and their version of OpenSSL. So ultimately, end users can’t do too much.

http://www.macobserver.com/tmo/article/dealing-with-heartbleed-what-you-need-to-know?utm_campaign=tmo_twitter


12 posted on 04/09/2014 3:33:28 PM PDT by Lake Living

To: kingattax

Bttt.


13 posted on 04/09/2014 4:24:49 PM PDT by Inyo-Mono (NRA)

To: kingattax
Spent most of the day on it. What you do is patch OpenSSL on the affected servers and then apply new certs (the old ones could have been compromised). The problem with that is that the cert vendors have been absolutely swamped all day. I'm sitting on my thumb waiting for about a dozen at the moment. One ploy is to go to self-signed certs but that's only a temporary solution in our environment.

The way it works is simply that a remote user can grab memory from any server running OpenSSL in 64K chunks, as many times as he wants, and piece together anything that was there. Logins, passwords, account numbers, email, you name it. Any time for the past two years.

For the user, a change of password is mandatory for any site that uses SSL, which is practically anything where you'd pass money. Most of the bigger vendors are already patched but only since Monday. There's still that two-year window. This is a huge, gaping security hole.

Changing your password on an unpatched site/server is useless. The new one could be instantly compromised. HERE is a means you can use to test whatever site whose safety you need to verify.

22 posted on 04/09/2014 5:00:26 PM PDT by Billthedrill

To: kingattax
I tested freerepublic.com, and the result came back: dial tcp 209.157.64.200:443: connection refused

Are the passwords here at risk? Were they previously? Or is this only for secure web sites?

23 posted on 04/09/2014 5:01:05 PM PDT by Defiant (Let the Tea Party win, and we will declare peace on the American people and go home.)

To: kingattax

The exploit is diabolically simple.

Read about heartbeats in RFC 6520. A heartbeat consists of a type code, a length, some data, and at least 16 bytes of padding. You send this to the server, and it echoes back your data and resets the timeout timer.

Someone saw that in this implementation, no one was comparing the length field to what you actually sent. You could send a heartbeat with a length field of 10K, but only have 2 characters of data. The server will put your 2 characters in memory, and then you get back 10K starting at the address of your 2 characters. That memory would have been recently released by other processes, and contains who knows what.

Since a heartbeat resets your timeout, you could send heartbeats all day and collect enormous amounts of server memory, some of which would be bound to contain something interesting.


26 posted on 04/09/2014 5:15:38 PM PDT by proxy_user
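The missing comparison described in the post above is the whole bug: the sender's two-byte payload_length was trusted, so the echo copied that many bytes out of a buffer that held far less. The following is an added example written for this thread, not OpenSSL's code and not the poster's; it is a small RFC 6520-style heartbeat parser whose struct and function names are my own. It shows where the bounds check belongs (claimed length plus header plus the mandatory 16 bytes of padding must fit inside the bytes that actually arrived) and discards anything that fails it, which is what the RFC requires and what the fixed OpenSSL release does in substance. The two records at the bottom are constructed samples, not captured traffic.

```c
/* Added example: a bounds-checked TLS heartbeat parser in the spirit of
 * RFC 6520. Illustrative code for this thread, not OpenSSL's source;
 * the struct and function names here are assumptions of this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1   /* HeartbeatMessageType heartbeat_request  */
#define HB_RESPONSE  2   /* HeartbeatMessageType heartbeat_response */
#define HB_MIN_PAD   16  /* RFC 6520: padding is at least 16 bytes  */
#define HB_HDR_LEN   3   /* 1-byte type + 2-byte payload_length     */

struct heartbeat {
    uint8_t type;
    uint16_t payload_len;
    const unsigned char *payload;   /* points into the caller's record */
};

/* Parse one HeartbeatMessage from a TLS record body of rec_len bytes.
 * Returns 0 and fills *out when the claimed payload length fits inside
 * the record with room for the mandatory padding; returns -1 otherwise,
 * in which case the record must be silently discarded. */
int parse_heartbeat(const unsigned char *rec, size_t rec_len, struct heartbeat *out)
{
    if (rec == NULL || out == NULL) return -1;

    /* The header and minimum padding must be present before any field is read. */
    if (rec_len < (size_t)HB_HDR_LEN + HB_MIN_PAD) return -1;

    uint8_t type = rec[0];
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);

    if (type != HB_REQUEST && type != HB_RESPONSE) return -1;

    /* The check the vulnerable code lacked: the sender's payload_length is
     * compared against the bytes that actually arrived. Without it, the echo
     * in build_heartbeat_response would copy `claimed` bytes out of a buffer
     * holding only rec_len - 3 bytes of real payload. */
    if ((size_t)HB_HDR_LEN + claimed + HB_MIN_PAD > rec_len) return -1;

    out->type = type;
    out->payload_len = claimed;
    out->payload = rec + HB_HDR_LEN;
    return 0;
}

/* Build a heartbeat_response echoing an already-validated request payload,
 * as a server does. Writes into resp (capacity resp_cap); returns the number
 * of bytes written, or -1 if the request is not a request or resp is too small. */
int build_heartbeat_response(const struct heartbeat *req, unsigned char *resp, size_t resp_cap)
{
    size_t need = (size_t)HB_HDR_LEN + req->payload_len + HB_MIN_PAD;
    if (req->type != HB_REQUEST || resp_cap < need) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(req->payload_len >> 8);
    resp[2] = (unsigned char)(req->payload_len & 0xff);
    memcpy(resp + HB_HDR_LEN, req->payload, req->payload_len);
    /* Padding content is arbitrary and ignored by the receiver; zero it. */
    memset(resp + HB_HDR_LEN + req->payload_len, 0, HB_MIN_PAD);
    return (int)need;
}

/* Returns 1 if a record passes validation, 0 if it would be discarded. */
int heartbeat_accepted(const unsigned char *rec, size_t rec_len)
{
    struct heartbeat hb;
    return parse_heartbeat(rec, rec_len, &hb) == 0;
}

/* Constructed sample records (not captured traffic). */
/* Well formed: type 1, payload_length 2, payload "hi", 16 bytes of padding. */
static const unsigned char good_rec[] = {
    0x01, 0x00, 0x02, 'h', 'i',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/* Claims 0x2710 = 10000 payload bytes but carries only two plus padding. */
static const unsigned char bad_rec[] = {
    0x01, 0x27, 0x10, 'h', 'i',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    printf("well-formed record accepted: %d\n", heartbeat_accepted(good_rec, sizeof good_rec));
    printf("oversized length discarded:  %d\n", !heartbeat_accepted(bad_rec, sizeof bad_rec));
    return 0;
}
```

The check is one comparison, but its placement matters: it runs before the payload pointer is handed to anything that copies, and the length it trusts afterwards is the validated one, never the raw field re-read from the record.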

To: kingattax
Is heartbleed a Microsoft-only problem?

28 posted on 04/09/2014 5:52:14 PM PDT by Uri’el-2012 (Psalm 119:174 I long for Your salvation, YHvH, Your teaching is my delight.)

To: kingattax

Beck just got new Lifelock ad material.


31 posted on 04/09/2014 6:49:55 PM PDT by TurboZamboni (Marx smelled bad and lived with his parents .)



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson