Worldwide Security Flaw - Heartbleed Bug

ssc456

So some "industry experts" are urging people to change every single internet password they have due to this security flaw...

BBC News - Heartbleed Bug: Public urged to reset all passwords

If I'm honest, I've only briefly read it, as it doesn't concern me too much. I think if the bug has existed for 2 years, then why is changing my password now going to make such a big difference?

*Edit: ohhhhh, perhaps this is why:
"The level of knowledge now needed to exploit this vulnerability is substantially less than it was 36 hours ago," the company's associate director Ollie Whitehouse told the BBC.

"Someone with a moderate level of technical skills running their own scripts - the Raspberry Pi generation - would probably be able to launch attacks successfully and gain sensitive information."
Super Important Official With Super Important Sounding Title Like "Lead Security Officer of Corporate Security Operations" said:
"Oh hey, by the way, for the last two years you've been vulnerable to a breach in security, but don't worry we've fixed it and can absolutely 100% guarantee there are positively, absolutely no more vulnerabilities nor will there ever, ever be any again. We promise, cross our hearts!"


Actually, it is kind of crazy that this has existed for two years. It's my opinion that if it's been around for that long and we are just now hearing about it, it's unlikely that too many bad guys have gotten hold of this info. On the other hand, now that they know about it, they will be targeting it, so if companies don't apply the patch immediately then we might see some issues arise from it. They should have issued the patch first, before they told everyone in the world about it.
I don't understand the need to publish this as worldwide news.

Why not let the security companies know, allow them to issue a patch first, and then release this statement?

I agree; it looks like they tried to in part, but it seems a little foolish the way they went about it:

The BBC understands that Google warned a select number of organisations about the issue before making it public, so they could update their equipment to a new version of OpenSSL released at the start of the week.

However, it appears that Yahoo was not included on this list and tech site Cnet has reported that some people were able to obtain usernames and passwords from the company before it was able to apply the fix.
Likewise, if you changed your password on a site that was vulnerable BEFORE the bug was fixed, then you exposed both your old password AND your new password (not that great if you're using shared passwords, i.e. the same password for multiple sites!).


We're still changing SSL versions and applying for new certificates for a lot of the servers that we control (and that are public facing); it's probably not safe to assume that all servers and services everywhere are safe now.


What is really pretty funny is the press releases from cert companies. If you've bought a cert from them, some are really helpful, saying this is what this issue is, this is how you should resolve it, let us know if you need us to generate new certificates, AND explaining the fastest way to get new certs... Another cert company released a bulletin that said it's not a problem with our certs, and if you use IIS it likely doesn't affect you (without actually saying what was affected): just a shrug of responsibility, reassurance that it's not their fault, and leaving you to it!
I was reading that it's a server-side thing and has to be taken care of on their side of the screen. Am I interpreting that correctly?