Old 04-08-2014, 08:58 PM   #1
Golden Master
 
BK_123's Avatar
 
Join Date: Dec 2009
Location: Australia
Posts: 7,528
Default OpenSSL Bug

So as you've heard just now, a bug in OpenSSL has been discovered and we are being urged to change our passwords and not log on to internet banking: Users urged to change passwords after major flaw found in internet’s key encryption method | News.com.au
__________________

BK_123 is offline   Reply With Quote
Old 04-09-2014, 01:57 PM   #2
In Runtime
 
Join Date: Feb 2013
Location: UK
Posts: 156
Default Re: OpenSSL Bug

Indeed.

While this is a major issue from a technical point of view, there is little point in changing any passwords until:

a) you know that the service involved actually used OpenSSL, and
b) that they have updated their servers to solve the problem

The full technical details can be found here: Heartbleed Bug

As far as not using online banking and other (all) services, given that this bug has been present in the OpenSSL codebase since 2012 then it is unlikely to make a significant difference. I appreciate that there will now be a lot of people trying to exploit this wherever possible, but online financial transactions clearly can't be stopped overnight so for any given individual, the likelihood of compromise is low.

Ultimately, the guidance is to check what online services are affected by the Heartbleed bug by using this list: https://github.com/musalbas/heartble...er/top1000.txt and if one you use is on it, check that service's information pages for their plans on fixing the issue and then change your password / follow their advice after the fix has been conducted.

For any personal banking (or other) website you wish to check which is not listed, please see this tool: Test your server for Heartbleed (CVE-2014-0160) (this is what was used to compile the aforementioned list).

I hope that puts people's minds to rest somewhat, the mainstream media simply isn't able to translate something this technical into sensible guidance.
__________________

_michaelm is offline   Reply With Quote
Old 04-09-2014, 10:48 PM   #3
Golden Master
 
BK_123's Avatar
 
Join Date: Dec 2009
Location: Australia
Posts: 7,528
Default Re: OpenSSL Bug

Apparently top sites such as Facebook, Google, Microsoft that use HTTPS haven't been affected as they use a version that is not affected if I'm correct.

---------- Post added at 12:46 PM ---------- Previous post was at 12:45 PM ----------

Apparently Yahoo has already been affected https://soundcloud.com/owasp-podcast...-elliot-on-the

---------- Post added at 12:48 PM ---------- Previous post was at 12:46 PM ----------

You can also test sites that use HTTPS using this website https://www.ssllabs.com/ssltest/index.html
BK_123 is offline   Reply With Quote
Old 04-10-2014, 01:46 PM   #4
In Runtime
 
Join Date: Feb 2013
Location: UK
Posts: 156
Default Re: OpenSSL Bug

Quote:
Originally Posted by BK_123 View Post
Apparently top sites such as Facebook, Google, Microsoft that use HTTPS haven't been affected as they use a version that is not affected if I'm correct
You are correct yes, but it's not a version of HTTPS (known as SSL 3.x / TLS 1.x) which makes you vulnerable or not, simply the cryptographic library that you're using to implement the HTTPS protocol (i.e. OpenSSL). In Facebook/Google/Microsoft cases they could be using any of the other providers.
_michaelm is offline   Reply With Quote
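
The point made in post #4, that exposure depends on which TLS library and release a server runs rather than on the SSL/TLS protocol version, as an added example (not code from any poster in this thread). The affected range comes from the OpenSSL advisory for CVE-2014-0160, not from the thread; the banner strings are constructed samples and the function names are hypothetical.

```python
import re
import ssl

# Upstream OpenSSL releases with CVE-2014-0160: 1.0.1 through 1.0.1f, and
# 1.0.2-beta1. 1.0.1g carries the fix; the 0.9.8 and 1.0.0 branches never
# shipped the heartbeat code at all.
_VER = re.compile(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(\w+))?")

def classify(banner):
    """Return 'affected', 'not affected' or 'unknown' for a version banner.

    'affected' refers to the upstream release only. Distributions backported
    the fix without changing the version letter, and builds compiled with
    -DOPENSSL_NO_HEARTBEATS are not exposed, so confirm against the vendor's
    advisory before acting on the result.
    """
    m = _VER.search(banner)
    if not m:
        return "unknown"  # another TLS library, or the banner hides the version
    base = tuple(int(x) for x in m.group(1, 2, 3))
    letter, tag = m.group(4), (m.group(5) or "")
    prerelease = tag.startswith("beta")
    if base == (1, 0, 1):
        if prerelease:
            return "unknown"  # pre-release builds are not classified here
        return "affected" if letter <= "f" else "not affected"
    if base == (1, 0, 2) and prerelease and not letter:
        return "affected" if tag == "beta1" else "not affected"
    return "not affected"

def local_status():
    """Classify the OpenSSL build this Python interpreter is linked against."""
    return classify(ssl.OPENSSL_VERSION)

# Constructed sample banners (Server headers and `openssl version` output).
SAMPLES = [
    "Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1e",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "Microsoft-IIS/7.5",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):13} {s}")
    print(f"{local_status():13} (this interpreter: {ssl.OPENSSL_VERSION})")
```
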
Old 04-10-2014, 03:09 PM   #5
Baseband Member
 
Join Date: Feb 2014
Location: United States
Posts: 89
Default Re: OpenSSL Bug

OMG!!!! I just heard of this in the news!!!!

Is the best advice to change all passwords? Is it safe to even surf the web???

By the way, I heard Yahoo! was even affected. I don't check my Yahoo! email account at home, but I HAVE browsed various Yahoo! webpages (like their sports), so would simply THAT have infected me?

I stopped checking my Yahoo! email account at home after they had that meltdown late last year where millions of people had malware installed on their computers. ....Why is Yahoo! - a MAJOR company - so bad with this stuff? GRRRR!!!!
jakeny is offline   Reply With Quote
Old 04-10-2014, 05:28 PM   #6
Site Team
 
Janet H's Avatar
 
Join Date: Dec 2011
Posts: 771
Default Re: OpenSSL Bug

Quote:
Originally Posted by jakeny View Post
OMG!!!! I just heard of this in the news!!!!

Is the best advice to change all passwords? Is it safe to even surf the web???

By the way, I heard Yahoo! was even affected. I don't check my Yahoo! email account at home, but I HAVE browsed various Yahoo! webpages (like their sports), so would simply THAT have infected me?

I stopped checking my Yahoo! email account at home after they had that meltdown late last year where millions of people had malware installed on their computers. ....Why is Yahoo! - a MAJOR company - so bad with this stuff? GRRRR!!!!
Good reading about this here: The Heartbleed Hit List: The Passwords You Need to Change Right Now
__________________
.
Relax! It's only ones and zeros.
Janet H is offline   Reply With Quote
Old 04-10-2014, 08:23 PM   #7
Golden Master
 
BK_123's Avatar
 
Join Date: Dec 2009
Location: Australia
Posts: 7,528
Default Re: OpenSSL Bug

Quote:
Originally Posted by Janet H View Post
Yes, I've seen that one as well. I've already advised friends and family to change the passwords for their online accounts.
BK_123 is offline   Reply With Quote
Old 04-11-2014, 01:52 PM   #8
In Runtime
 
Join Date: Feb 2013
Location: UK
Posts: 156
Default Re: OpenSSL Bug

Quote:
Originally Posted by jakeny View Post

Is the best advice to change all passwords?
No, not at all - see my earlier post and associated links for all those sites which are vulnerable.

Quote:
Originally Posted by jakeny View Post
Is it safe to even surf the web???
Yes, provided the sites you're logging in to either a) aren't vulnerable or b) were vulnerable, but have now been patched and you've changed your password (obviously on first re-login).
For those sites which are vulnerable, browse in non-https where possible (obviously without logging in)

Quote:
Originally Posted by jakeny View Post
By the way, I heard Yahoo! was even affected. I don't check my Yahoo! email account at home, but I HAVE browsed various Yahoo! webpages (like their sports), so would simply THAT have infected me?
Exploiting this vulnerability does not result in an infection on the end user machine, it is an information leak between the server and connected clients. Worst case, a portion of your machine's RAM would be visible to the exploited server. To reiterate, you do not get a virus or any malware through this 'attack', it is completely transparent and undetectable from the client machine.

I hope that clarifies things for you.
_michaelm is offline   Reply With Quote
Old 04-12-2014, 08:32 PM   #9
Baseband Member
 
tmc8295's Avatar
 
Join Date: Apr 2013
Location: United States
Posts: 51
Default Re: OpenSSL Bug

As _michaelm already stated, there is no point in changing your password until the website affected has patched the heartbeat update from which the Heartbleed bug comes. Until that group gets the update (for which there is already one available and several groups have already upgraded) there is no point in changing your password; once your group does install the new update, however, it would be wise to then change your password!


Sent from my GT-N5110 using Computer Forums mobile app
__________________

tmc8295 is offline   Reply With Quote

All times are GMT -5. The time now is 03:12 AM.

