Re: Y'all Better Watch Out!

Wed, Apr 9 2014 1:55 PM (11 replies)
  • thebigeasy707
    5,885 Posts
    Wed, Apr 9 2014 1:06 PM

    Mushy01:

    Not my "Quotes" TBE m8 ;-)

    Sorted M8.


    http://heartbleed.com/

    Am I affected by the bug?

    You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many online services use TLS both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of TLS. Furthermore, you might have client-side software on your computer that could expose the data from your computer if you connect to compromised services.

    How widespread is this?

    The most notable software using OpenSSL is the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft's April 2014 Web Server Survey. Furthermore, OpenSSL is used to protect, for example, email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software. Fortunately, many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically, smaller and more progressive services, or those who have upgraded to the latest and best encryption, will be affected most. Furthermore, OpenSSL is very popular in client software and somewhat popular in networked appliances, which have the most inertia in getting updates.

    What versions of OpenSSL are affected?

    Status of different versions:

    • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
    • OpenSSL 1.0.1g is NOT vulnerable
    • OpenSSL 1.0.0 branch is NOT vulnerable
    • OpenSSL 0.9.8 branch is NOT vulnerable

    The bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on the 14th of March 2012. OpenSSL 1.0.1g, released on the 7th of April 2014, fixes the bug.

    *** Note***

    If folks are using FTP programs to upload / download, you might just want to check the FTP program's version of OpenSSL. FlashFXP just updated to 1.0.1g this morning.

    It's always advisable to take notice of any threat. Don't want to get caught with my pants down :)
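The post above lists which OpenSSL versions carry the bug and that 1.0.1g fixes it. The following is an added example written for this thread (not code from heartbleed.com, from OpenSSL, or from the poster) showing what that fix actually consists of: the TLS heartbeat message (RFC 6520) carries its own payload length, the affected versions echoed that many bytes back without checking it against the length of the record really received, and 1.0.1g adds the missing bounds check. The record, the "arena" of memory after it and the secret string are all constructed test data, and this goes beyond what the post itself says about the bug.

```c
/* Added example: heartbeat record handling before and after the 1.0.1g
 * bounds check. All buffers below are constructed test data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage: type(1) | payload_length(2, big-endian) |
 * payload | padding (at least 16 bytes). The handler echoes payload_length
 * bytes of payload back to the peer. */
#define HB_REQUEST     1
#define HB_MIN_PADDING 16

/* One contiguous region: the received record, immediately followed by
 * unrelated process memory (here a constructed stand-in secret). */
#define ARENA_SIZE 64
static const char SECRET[] = "SESSION=deadbeef"; /* constructed value */

/* Build an arena holding a heartbeat request that claims `claimed_len`
 * payload bytes but actually carries `actual_len` (max 16 here), followed
 * by the secret. Returns the true length of the record on the wire. */
size_t build_arena(uint8_t *arena, uint16_t claimed_len, size_t actual_len) {
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len);                /* bytes the peer really sent */
    size_t record_len = 3 + actual_len + HB_MIN_PADDING;
    memcpy(arena + record_len, SECRET, sizeof SECRET); /* memory past the record */
    return record_len;
}

/* Pre-1.0.1g logic: trust payload_length from the wire and copy that many
 * bytes into the response. The record length is never consulted, so the
 * copy runs past the record into whatever follows it in memory. */
size_t process_heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + 3, payload);
    return payload;
}

/* 1.0.1g logic: reject the message unless header, claimed payload and the
 * minimum padding all fit inside the record actually received.
 * Returns -1 when rejected, otherwise the payload length echoed. */
long process_heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_MIN_PADDING > rec_len) return -1;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Does an echoed buffer contain the secret that should never have left the process? */
int leaks_secret(const uint8_t *out, size_t out_len) {
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= out_len; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Run both handlers on the same malformed record. Bitmask result:
 * bit 0: vulnerable handler echoed the secret
 * bit 1: fixed handler rejected the malformed record
 * bit 2: fixed handler still accepts a well-formed record */
int heartbleed_demo(void) {
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    int result = 0;
    size_t rec_len = build_arena(arena, 40, 4);        /* claims 40, carries 4 */
    size_t n = process_heartbeat_vulnerable(arena, rec_len, out);
    if (leaks_secret(out, n)) result |= 1;
    if (process_heartbeat_fixed(arena, rec_len, out) == -1) result |= 2;
    rec_len = build_arena(arena, 4, 4);                /* honest length */
    if (process_heartbeat_fixed(arena, rec_len, out) == 4 && memcmp(out, "AAAA", 4) == 0)
        result |= 4;
    return result;
}

int main(void) {
    int r = heartbleed_demo();
    printf("vulnerable handler leaked the secret:     %s\n", (r & 1) ? "yes" : "no");
    printf("fixed handler rejected malformed request: %s\n", (r & 2) ? "yes" : "no");
    printf("fixed handler accepts well-formed request: %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

The arena keeps the over-read inside one allocation so the example runs cleanly; in the real library the bytes past the record are whatever else the process had on its heap, which is why the post's list of things at risk (usernames, passwords, keys) is about leaked memory contents rather than broken encryption. Note also that a check of the version string alone can mislead on distributions that backported the fix while keeping an older version number; the changelog of the package, not just `openssl version`, tells you whether the check above is present.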


  • ThreeSpot
    476 Posts
    Wed, Apr 9 2014 1:55 PM

    Mushy01:

    The bug was introduced in the 1.01 version of OpenSSL in 2012.

    This means that attackers may have been exploiting the bug for two years, revealing emails, instant messages and browsing data.


    Correct - user names, passwords, encryption keys all may have been compromised. The particularly nasty thing about this bug is that the SSL certificate holder (your financial institution/service provider/vendor/etc) cannot determine through their logs if your data was compromised. They can only determine if the vulnerability existed, not whether it was actually exploited. It also won't do you any good to change your password anywhere you have one until the site in question applies the bug fix.
