The "Heartbleed" Bug

  • Thread starter DRIFT3R_X7
I feel that now would be a good time to talk about what is going on around the internet these days. If you didn't know, there is a new bug going around the internet, known as 'Heartbleed'. A link for more info about Heartbleed can be found here. So... anyone got any opinions about this?

List of every company affected by Heartbleed can be found here: https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
 
So on the one hand sites are saying change your password because of this, on the other hand they are saying that changing it now whilst all the spotlight is on it will make it even more likely your new one will be stolen. :ouch:

And this bug has been around for 2 YEARS.... epic fail.
 
On a less serious note... who actually uses Yahoo mail? It's the most insecure mail server in existence. Half the people I know who use Yahoo have had their accounts hacked, and that was before Heartbleed became possible...
 
I'm glad I don't have either my bank account or Paypal account linked to my Yahoo email account, then. :lol:
 
I use Yahoo mail :lol:
But only for stuff like gaming, forums, ...
I have so many mail accounts, from Gmail to Yahoo to my own mail server.

I had my account hacked once in all the 15 years of using Yahoo. 1 account out of the 10 I have on Yahoo.
Ever since I have had a computer, I have never gotten my system infected.
That's the most common problem: so many people have old anti-virus, no firewall, and a computer full of trojans. That's the most common way passwords get stolen.

And even if something happens, as I don't act carelessly (secure passwords, always different passwords, ...), my bank will always give me my money back.

But this man-made bug is really big. Facebook, Steam, ... so many high-profile sites...
 
So on the one hand sites are saying change your password because of this, on the other hand they are saying that changing it now whilst all the spotlight is on it will make it even more likely your new one will be stolen.
You should only change your password if you know the site in question has upgraded their OpenSSL stack AND they changed their SSL certificate (including keys) after upgrading.
 
You should only change your password if you know the site in question has upgraded their OpenSSL stack AND they changed their SSL certificate (including keys) after upgrading.

Has Yahoo been fixed? I don't know if they have taken action yet.... you would think so being such a big company.
 
Not surprising that we'd be hearing something like this. Whether it's actually true or not, the agency would deny it; we all know that. And regardless of the evidence (which right now is pretty much unsourced rumors) a lot of people would believe they were involved.

Myself, I don't know. But I regret to say I do find it believable.
 
It's very easy to prove they were at least not responsible for it, since commit logs for OpenSSL are public. Did they use it when they found out? Probably yes.
 
It's very easy to prove they were at least not responsible for it, since commit logs for OpenSSL are public. Did they use it when they found out? Probably yes.
Do you personally know the backgrounds of everybody who made a commit to the code? I surely don't.

I do agree with you, though, that the NSA (probably) wasn't responsible for planting the bug although I certainly don't rule out the possibility. However, the more I read about this the more convinced I become that the NSA knew about the bug very early on.

For those who may not understand how the bug works, here's one of the best explanations I've seen yet:

EDIT:
Never mind, treed by @niky!
 
Do you personally know the backgrounds of everybody who made a commit to the code? I surely don't.
You don't have to, many other people do know the people in these open source communities. In this case it's a German developer that fixed many issues and bugs before introducing a new one because he (and the code reviewer) missed a validation check.
 
I'm a bit slow about this, so basically what does this bug do?

Exactly what the comic in Post #15 states. You can query a server to see that it's still there. The server returns the canned response you ask it to send, but you can trick it to send much, much more information than that.

All you have to do is sift through the information sent back and you can glean passwords, credit card numbers and a whole lot of other stuff.
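The post above describes the mechanism in words: the client's heartbeat request carries its own length field, and the unpatched server copies that many bytes into the reply without checking that the bytes actually arrived. The following C program is an added example written for this page, not code from the thread or from OpenSSL. It builds a heartbeat record with a lying length field, runs it through a handler that behaves like the pre-fix code and one that performs the length check the fix added, and reports whether a constructed secret sitting in memory next to the record comes back in the reply. The "server memory", the secret cookie string and the function names are all constructed for the demonstration; the real over-read ran into whatever heap memory followed the record, up to 64 KiB per request.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3
#define HB_PAD_LEN   16

/* Constructed "process memory": the inbound record is placed at the front and
 * other live data (a constructed session cookie) happens to sit right behind it.
 * Keeping everything in one array keeps the over-read well-defined here;
 * real OpenSSL read from whatever heap memory followed the record. */
#define MEM_SIZE 1024
static unsigned char server_memory[MEM_SIZE];
static const char secret_cookie[] = "Cookie: session=CONSTRUCTED-SECRET-TOKEN";

/* Build a heartbeat request whose header claims `claimed_len` payload bytes
 * while actually carrying only strlen(payload) bytes. Returns record length. */
size_t build_heartbeat(unsigned char *out, uint16_t claimed_len, const char *payload) {
    size_t real_len = strlen(payload);
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + HB_HDR_LEN, payload, real_len);
    memset(out + HB_HDR_LEN + real_len, 0, HB_PAD_LEN);
    return HB_HDR_LEN + real_len + HB_PAD_LEN;
}

/* Place a record in the simulated memory with the secret directly after it. */
void load_record(const unsigned char *rec, size_t rec_len) {
    memset(server_memory, 0, MEM_SIZE);
    memcpy(server_memory, rec, rec_len);
    memcpy(server_memory + rec_len, secret_cookie, strlen(secret_cookie));
}

/* Pre-fix behaviour: trust the length field and copy that many bytes from
 * where the payload starts, regardless of how long the record really was.
 * Returns the response length, or -1 if nothing is sent. */
int vulnerable_heartbeat(unsigned char *resp, size_t resp_cap) {
    const unsigned char *rec = server_memory;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = HB_HDR_LEN + payload + HB_PAD_LEN;
    /* The two size guards below only keep this simulation inside its array;
     * the real code had no equivalent, which is the whole bug. */
    if (rec[0] != HB_REQUEST || resp_len > resp_cap || HB_HDR_LEN + payload > MEM_SIZE)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR_LEN, rec + HB_HDR_LEN, payload);   /* reads past the record */
    memset(resp + HB_HDR_LEN + payload, 0, HB_PAD_LEN);
    return (int)resp_len;
}

/* Post-fix behaviour: the claimed length is checked against the length of the
 * record that actually arrived, and a bad record is discarded silently. */
int fixed_heartbeat(size_t rec_len, unsigned char *resp, size_t resp_cap) {
    const unsigned char *rec = server_memory;
    if (rec_len < HB_HDR_LEN + HB_PAD_LEN) return -1;          /* too short to be valid */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR_LEN + payload + HB_PAD_LEN > rec_len) return -1; /* the missing check */
    size_t resp_len = HB_HDR_LEN + payload + HB_PAD_LEN;
    if (rec[0] != HB_REQUEST || resp_len > resp_cap) return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR_LEN, rec + HB_HDR_LEN, payload);   /* now within the record */
    memset(resp + HB_HDR_LEN + payload, 0, HB_PAD_LEN);
    return (int)resp_len;
}

/* Does the reply contain the cookie that sat next to the record? */
int response_leaks_secret(const unsigned char *resp, int resp_len) {
    size_t n = strlen(secret_cookie);
    if (resp_len < 0 || (size_t)resp_len < n) return 0;
    for (size_t i = 0; i + n <= (size_t)resp_len; i++)
        if (memcmp(resp + i, secret_cookie, n) == 0) return 1;
    return 0;
}

/* Send one constructed request ("hello" with a chosen length claim) to either handler. */
static int do_heartbeat(uint16_t claimed_len, int use_fix, unsigned char *resp, size_t cap) {
    unsigned char rec[128];
    size_t rec_len = build_heartbeat(rec, claimed_len, "hello");
    load_record(rec, rec_len);
    return use_fix ? fixed_heartbeat(rec_len, resp, cap) : vulnerable_heartbeat(resp, cap);
}

int response_len(uint16_t claimed_len, int use_fix) {
    unsigned char resp[MEM_SIZE];
    return do_heartbeat(claimed_len, use_fix, resp, sizeof resp);
}

int secret_leaked(uint16_t claimed_len, int use_fix) {
    unsigned char resp[MEM_SIZE];
    int n = do_heartbeat(claimed_len, use_fix, resp, sizeof resp);
    return response_leaks_secret(resp, n);
}

int main(void) {
    printf("honest request (5),  vulnerable server: reply=%d bytes, leak=%d\n", response_len(5, 0), secret_leaked(5, 0));
    printf("lying request (500), vulnerable server: reply=%d bytes, leak=%d\n", response_len(500, 0), secret_leaked(500, 0));
    printf("lying request (500), patched server:    reply=%d bytes, leak=%d\n", response_len(500, 1), secret_leaked(500, 1));
    return 0;
}
```

The honest request gets a 24-byte echo from both handlers. The lying request gets a 519-byte reply from the vulnerable handler, which contains the cookie that was never part of the request, while the patched handler sends nothing at all. Because a discarded request produces no error on the wire, an attacker can repeat it indefinitely, which is why sifting through many replies for passwords and keys, as the post describes, was practical.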
 