
Lodestar

(2,388 posts)
Wed Apr 9, 2014, 09:19 AM

MAJOR OPENSSL BUG 'PUTS LARGE NUMBERS OF WEBSITES AT RISK' (Heartbleed Bug)

Source: CBR

As many as two-thirds of websites currently online could be affected by security flaw.

A serious vulnerability has been discovered in the open-source encryption software used in many of the world's websites that could allow attackers to steal a variety of information unnoticed.

The 'Heartbleed' bug potentially allows access to the memory of systems that currently run one of several vulnerable versions of the OpenSSL cryptographic software library.

OpenSSL is used to protect websites, instant messaging, email server protocols, virtual private networks and other online communications.
The flaw could reveal the authentication and encryption keys used to protect traffic, as well as details such as usernames and passwords.
Due to the nature of the bug, however, the attackers will leave no trace in server logs, so there is no way of knowing if the flaw has been exploited.

Read more: http://www.cbronline.com/news/security/major-openssl-bug-puts-large-numbers-of-websites-at-risk-4210975



Change your passwords.
MAJOR OPENSSL BUG 'PUTS LARGE NUMBERS OF WEBSITES AT RISK' (Heartbleed Bug) (Original Post) Lodestar Apr 2014 OP
I'm changing my password to HEARTBLEED Orrex Apr 2014 #1
Will changing the password now help if the bug is still out there? stevenleser Apr 2014 #2
That's what appears 2naSalit Apr 2014 #4
Each site has to patch the OpenSSL software THEN create a new certificate Paulie Apr 2014 #6
Now I feel 2naSalit Apr 2014 #3
Heartbleed LiberalArkie Apr 2014 #5
Already updated on Ubuntu. L0oniX Apr 2014 #7
"a known bug since March 2012" (?!) KurtNYC Apr 2014 #8
But...danger! Danger! randome Apr 2014 #9
That's a lot of data Paulie Apr 2014 #11
Only affects some versions TrogL Apr 2014 #10
That's not a good excuse dickthegrouch Apr 2014 #12
Yup, as soon as our vendor releases an approved patch TrogL Apr 2014 #13
, blkmusclmachine Apr 2014 #14
I don't understand marions ghost Apr 2014 #15
 

stevenleser

(32,886 posts)
2. Will changing the password now help if the bug is still out there?
Wed Apr 9, 2014, 09:35 AM

The next time you log on to a website that hasn't implemented fixes, that will put your new password at risk, right?

Paulie

(8,462 posts)
6. Each site has to patch the OpenSSL software THEN create a new certificate
Wed Apr 9, 2014, 09:45 AM

So if you check the security certificate and it is new as of 4/8/2014 then you're good to go on changing that site's password. Changing it before they update both parts means you'll need to change it again.

Not all sites use OpenSSL but a majority do.
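
Added example, not part of the post above: a Python sketch of the certificate-date check it describes, comparing a certificate's notBefore field with the 4/8/2014 cutoff. The sample certificates are constructed, and the function names and the `.example` host names are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cutoff taken from the post above: certificates new as of 4/8/2014.
CUTOFF = datetime(2014, 4, 8, tzinfo=timezone.utc)


def not_before(cert):
    """Return the certificate's notBefore as an aware UTC datetime.

    `cert` is the dict returned by ssl.SSLSocket.getpeercert().
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def issued_since(cert, cutoff=CUTOFF):
    """True if the certificate's validity period starts at or after cutoff."""
    return not_before(cert) >= cutoff


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated live certificate for host (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def report(sites):
    """Map each site name to 'reissued' or 'old certificate'."""
    return {name: ("reissued" if issued_since(cert) else "old certificate")
            for name, cert in sites.items()}


# Constructed sample data in getpeercert() format (hypothetical sites).
SAMPLE = {
    "patched.example": {"notBefore": "Apr  9 00:00:00 2014 GMT",
                        "notAfter": "Apr  9 23:59:59 2015 GMT"},
    "stale.example": {"notBefore": "Jan 15 12:00:00 2013 GMT",
                      "notAfter": "Jan 15 12:00:00 2015 GMT"},
    "boundary.example": {"notBefore": "Apr  8 00:00:00 2014 GMT",
                         "notAfter": "Apr  8 00:00:00 2015 GMT"},
}

if __name__ == "__main__":
    for site, status in report(SAMPLE).items():
        print(f"{site}: {status} (notBefore {not_before(SAMPLE[site]).date()})")
```

A recent notBefore only shows that the certificate was reissued; it does not show that the server's OpenSSL was patched or that a new private key was generated.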

2naSalit

(86,675 posts)
3. Now I feel
Wed Apr 9, 2014, 09:37 AM

somewhat vindicated for not conducting transactions online that require any financial info or personal stuff that could be used in ID theft.

But I have been changing passwords anyway.

 

randome

(34,845 posts)
9. But...danger! Danger!
Wed Apr 9, 2014, 10:55 AM

If you don't give yourself the same benefit of a doubt you'd give anyone else, you're cheating someone.

Paulie

(8,462 posts)
11. That's a lot of data
Wed Apr 9, 2014, 01:00 PM

64k is about 32,000 ASCII characters. And there is no limit on how many times you can ask for a chunk of 64k.

What's worse is it also can be part of the server's SSL private key. Spend 5 minutes and you will have massive amounts of accounts and potentially data to impersonate the server!

Pretty bad bug.

dickthegrouch

(3,178 posts)
12. That's not a good excuse
Wed Apr 9, 2014, 01:55 PM

Just because all your software is based on more than 4-year-old technology and therefore is not susceptible to this bug, does NOT mean your site is not just as easily compromised in some other way.

Get it updated, soon.

marions ghost

(19,841 posts)
15. I don't understand
Thu Apr 10, 2014, 02:52 AM

why they didn't do something about this sooner. I'm just a lowly user and not real tech savvy, but it seems to me SOMEbody knew about this and it was inconvenient to reveal it widely.

I'm suspicious.
