• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style

Don't worry, only systems using OpenSSL 1.0.1 and 1.0.2beta are affected by this.

All Microsoft IIS servers are safe.
 
Elixer said:
Hmm... wonder if they will revoke all certs now ?
This was a pretty bad bug. 🙁
Click to expand...

If you were running a vulnerable version of OpenSSL and haven't re-keyed your certs yet, you're doing it wrong.

There is no way to possibly tell if someone compromised your server and has your key, the only safe option is to get rid of the old ones.
 
Does base DD-WRT or OpenVPN use OpenSSL? I may need to patch my own systems.

I already found out that I am running OpenSSL 1.0.1g on my XBian system, though I don't think I'm running any vulnerable services externally.
 
VirtualLarry said:
The NSA must be LOVING this. Or perhaps they are the ones that introduced the vuln two years ago, and have been exploiting it ever since.
Click to expand...

Nah, they're probably regretting that they hadn't found this earlier. The NSA revelations have led to increased scrutiny over security libraries, and that's how this was found.

The code containing this bug was authored by the person who co-authored the TLS heartbeat RFC, and he's a German, so all signs point to this being accidental, possibly the result of C being written by someone who probably doesn't work with C a lot (most computer scientists are so used to working with more abstract languages that they forget just how low-level something like C is).
 
palswim said:
Does base DD-WRT or OpenVPN use OpenSSL? I may need to patch my own systems.
Click to expand...

Although I'm having trouble locating the version of OpenSSL on my DD-WRT router, the Heartbleed site (see the "What versions of the OpenSSL are affected?" section) indicates that my router would only have this bug if it were using OpenSSL versions released after December 2011. Thankfully, I've been too lazy to update since 2010!
 
palswim said:
Does base DD-WRT or OpenVPN use OpenSSL? I may need to patch my own systems.

I already found out that I am running OpenSSL 1.0.1g on my XBian system, though I don't think I'm running any vulnerable services externally.
Click to expand...

Heartbeat was added to OpenSSL on New Year's Eve 2011, a minute before midnight (German time), so basically, anything from 2011 is safe by default.

DD-WRT started using the vulnerable code on 2012/04/29. Any DD-WRT build after (and including) 19163 has the flaw, and any build after (and including) 23882 has the fix.
 
Last edited:
Hmm...

I am logged into steam right now, and the name of my copy of South Park: STOT has been changed to "Valve please reset all partner logins because heartbleed". Does this indicate a vulnerability on valve's server side, or on my pc? What can I do to protect from data and account loss?
 
hardhat said:
Hmm...

I am logged into steam right now, and the name of my copy of South Park: STOT has been changed to "Valve please reset all partner logins because heartbleed". Does this indicate a vulnerability on valve's server side, or on my pc? What can I do to protect from data and account loss?
Click to expand...

Everyone is seeing that name change. Either the publisher changed the listing name for the game, or someone logged in as the publisher and changed the name of the listing.

Either way, there is nothing for you to do except change your password once it's clear that Steam has patched its servers.
 
John Connor said:
Are you guys talking about DD-WRT refering to the OpenVPN? Because I have DD-WRT, but I use SSH.
Click to expand...

SSH does not use SSL/TLS for its encryption, so it's unaffected.

DD-WRT's HTTPS-based remote management is obviously also affected, but that feature, like OpenVPN, is disabled by default.
 
Last edited:
VirtualLarry said:
The NSA must be LOVING this. Or perhaps they are the ones that introduced the vuln two years ago, and have been exploiting it ever since.
Click to expand...
I wouldnt doubt 4 a second they did!!

Crusty said:
There is no way to possibly tell if someone compromised your server and has your key, the only safe option is to get rid of the old ones.
Click to expand...
Yes and NOT USE OPENSSL!!! (Use another method)
 
Last edited:
I don't listen to that conspiracy nut. I personally think the problem was the "open" in Open SSL.

I wish all sites just used AES+Twofish. It's fast anyway and free! Why can't sites use just AES? I've seen my bank and a few others use AES, but most use RC4. Bah

I'm using an add-on for Pale Moon and Firefox called Cipherfox. It displays the type of encryption.
 
John Connor said:
I don't listen to that conspiracy nut. I personally think the problem was the "open" in Open SSL.
Click to expand...
Um, no? The problem was someone accidentally forgetting the number one rule of security programming: validate all input.

I wish all sites just used AES+Twofish. It's fast anyway and free! Why can't sites use just AES? I've seen my bank and a few others use AES, but most use RC4. Bah
Click to expand...
Erm...

First, AES is available for use in TLS. Second, which block cipher the server negotiates with the client to use is completely irrelevant here because Heartbleed has absolutely nothing to do with encryption.

TLS supports something called a "heartbeat", which is basically a "hey, are you still there?" to prevent the connection from timing out. I say to you, "Monkeys!", and you echo that back to me, and I know that you're still on the line with me.

The Heartbleed bug is the server not validating the the heartbeat input, thus causing it to including more data than it should in its return echo. I say to you, "Monkeys!" and tell you that you're supposed to echo back something two paragraphs long, and you didn't bother to check that my "Monkeys!" isn't actually two paragraphs long, so you echo back to me two paragraphs that consists of my "Monkeys!" and some random other words that you happened to have lying around to fill my two-paragraph request. And that extra data is basically random--it might be useless garbage, or it might be a chunk from a recent transmission from someone else containing sensitive data. That's it. None of the cryptographic bits were involved; the vulnerable code is completely unrelated to any of the cryptographic components.
 
Last edited:
John Connor said:
You say TLS, this is SSL. Or should I say SOL? LOL
Click to expand...

You do know that TLS is basically the new name that they gave SSL, right? (so instead of "SSL v4", it's "TLS") SSL and TLS are still used interchangeably in the vernacular.

OpenSSL may be called "SSL", but implements both SSL and TLS. Heartbeat is an extension of TLS, not SSL. And TLS supports AES as a block cipher (which SSL obviously doesn't because SSL predates AES).
 
Last edited:
You must log in or register to reply here.

TRENDING THREADS

Back
Top