Heartbleed Bug: Serious Hole in Internet Security


Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
So who do you propose support them? Customers separated by three levels?

Basically paid volunteers can never bring what professionals who are fairly compensated can and do. They may have the motivation and the chops, but, given they have to pay their bills, they don't have the time.

I am not here to propose beyond that observation in this part. Nor am I interested in debating what is simple truth.
 

Miramonti

Lifer
Aug 26, 2000
28,653
100
106
I asked my bank if they fixed this bug and this is their response.

We do not use OpenSSL on any of our websites and purchase them from a trusted provider.

All good?
 

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
I asked my bank if they fixed this bug and this is their response.

All good?

I should call or email mine! I would believe yours cause I would so wanna believe them, and so despise believing they would lie about something this important.

Is yours a small regional bank or one of the Goliath banks? Mine is the latter, sigh.

Miramonti

Lifer
Aug 26, 2000
28,653
100
106
I should call or email mine! I would believe yours cause I would so wanna believe them, and so despise believing they would lie about something this important.

Is yours a small regional bank or one of the Goliath banks? Mine is the latter, sigh.

It's actually a small credit union. I think they are an awesome CU.
 

lxskllr

No Lifer
Nov 30, 2004
60,220
10,669
126
I asked my bank if they fixed this bug and this is their response.

All good?

It doesn't completely make sense, but maybe it does depending on how you worded your question. It sounds like they're saying they don't use OpenSSL, and they purchase their certs from a trusted source, but that's not explicitly what they're saying.
 

Miramonti

Lifer
Aug 26, 2000
28,653
100
106
It doesn't completely make sense, but maybe it does depending on how you worded your question. It sounds like they're saying they don't use OpenSSL, and they purchase their certs from a trusted source, but that's not explicitly what they're saying.

I believe I asked specifically if they fixed the Heartbleed SSL bug, the recently discovered bug that has undermined SSL security.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Is this really that big of a deal? I doubt many hackers will know how to use this exploit.

It's amazingly easy to exploit and no real way to stop them. You have to assume all your passwords have been compromised along with SSL being no longer secure. It's a very big deal.
 

Markbnj

Elite Member, Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
It's amazingly easy to exploit and no real way to stop them. You have to assume all your passwords have been compromised along with SSL being no longer secure. It's a very big deal.

You just have to patch your server, and as far as I've seen the top security experts all think this was unknown before disclosure. I tend to lean toward it ultimately not being that big of a deal.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
You just have to patch your server, and as far as I've seen the top security experts all think this was unknown before disclosure. I tend to lean toward it ultimately not being that big of a deal.

Not only do you have to patch, you have to re-issue new certificates. As for it being unknown, that's wishful thinking because, again, there is no way at all to tell if somebody was doing it.

I can assure you there are very smart hackers that are constantly trying to hack SSL. Getting the private keys to the cert is the gold mine jackpot. If somebody looked at the source code for it I'm sure they could easily reverse engineer it and notice the memory problem. Being open source I would assume the source code is readily available?

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
It's amazingly easy to exploit and no real way to stop them. You have to assume all your passwords have been compromised along with SSL being no longer secure. It's a very big deal.

QFT. It's sad that so many above, who one would think on a tech-based forum would know better, are just acting like we are overreacting.

While things like credit cards offer protection, many people's debit cards do not have the same protections (even if Visa/Mastercard labeled). At best, it may be months before your money is returned and if you are lucky a small provisional credit is given back while they research.

At the mall my ex-wife worked at there was a dude scanning cards in at one of the restaurants in the food court. Almost 100 employees of the mall / customers were affected, and that was just the ones we knew about. My ex-wife used a real credit card and within 24 hours there was $6000 in gift cards purchased in China and another country. Other girls had the same thing happen, but with their debit cards it was much, much less money, but that was all the cash they had. Girls missed their rent, car payments, etc. and racked up tons of overdraft fees their banks would not refund. Many of them went hungry.

Now these girls probably all had 'Totally-Free' type checking accounts, my debit card has equal protection to a real credit card, but I have a large enough balance to not be fee'd to have my money parked in a bank.

This hack is even worse than that in the exposure you can be under.

Even VPN clients and other programs are affected by this. Now it's going to be rare as a client that your server is hacking you, but if a savvy hacker got some time on a major server and installed some of his own processes, it could be bad.
 

Imp

Lifer
Feb 8, 2000
18,828
184
106
Exactly. Meh. Plus, scrolling through what sites are vulnerable... I wanna believe I might not even have to.

I said "wanna believe."

In the back of my mind, I'm blaming the stores/banks and assuming that I wouldn't be liable for their f*ck ups... Fingers crossed.

I've probably used a few OpenSSL sites at smaller stores or even bigger stores. Password changes in a week to important stuff like email and banks, hoping everyone's patched; f*ck the rest and hoping for the best.
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
You just have to patch your server, and as far as I've seen the top security experts all think this was unknown before disclosure. I tend to lean toward it ultimately not being that big of a deal.

Some of these things have been known for a bit prior to announcement. Sadly, rather than get the word out on these things right away, most have to have a pow-wow with corporate legal and even insurance/actuaries to figure out what it's going to cost them.
 

Red Squirrel

No Lifer
May 24, 2003
70,671
13,835
126
www.anyf.ca
I've long believed that the US government has the private keys to the big public root cert authorities or some other back door to PKI. Many foreign governments won't even allow import of certain encryption technology. Is it because they don't want it used in their country, or because they don't have a decryption method? I would think both.

Would not surprise me at all, and if this is the case, self-signed certs are probably actually more secure, despite the pesky warning they cause.

With CA certs you have to actually trust the CA. How many megacorporations these days can actually be trusted?
 

Red Squirrel

No Lifer
May 24, 2003
70,671
13,835
126
www.anyf.ca
Browsers should actually issue patches that look at the list of affected sites, look at the cert dates, and pop a warning that it's not secure.

If all major browser makers do this, it will force these sites to fix the issue fast because they'll be getting tons of calls that they're getting an error.

Basically the browser looks at an online list of known affected sites and when each was patched, if that info is available. Then it looks at the site's cert to see if it's been updated after the patch date.

Not 100% foolproof, and it has to trust that the data is real (ex: if the company said they patched, trust that they really did).

I have a feeling this bug will get forgotten a few weeks from now after enough stabbings and shootings have happened to take over the news, and a lot of companies won't bother to patch or reissue certs or do whatever they need to do to fix it.

Not that we could trust anything before knowing what the NSA does, but right now, even more so, we really can't trust that what we're doing online is actually encrypted, since we don't know what these sites have done, if they redid their certs etc...

Online banking is probably the biggest one. NSA will just pass all your banking info (transactions etc) to the IRS and they'll have a field day with that.
 
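A concrete version of the check described in the post above, written as an added example that is not from this thread or from any browser vendor. It assumes a constructed feed of affected hostnames with claimed patch days (all names and dates invented), and takes the certificate in the dict shape that Python's `ssl` `getpeercert()` returns, using only its `notBefore` field.

```python
import ssl
from datetime import datetime, timezone

# Constructed feed of known-affected hosts (hostnames and dates are invented).
# "patched_at" is the UTC day the operator claims OpenSSL was patched;
# None means no patch has been claimed yet. As the post notes, this data is
# only as trustworthy as whoever publishes it.
AFFECTED_SITES = {
    "shop.example": {"patched_at": "2014-04-09"},
    "bank.example": {"patched_at": None},
    "forum.example": {"patched_at": "2014-04-08"},
}

def _day_to_epoch(day: str) -> int:
    """Convert 'YYYY-MM-DD' to UTC epoch seconds at the start of that day."""
    dt = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def assess(host: str, cert: dict, feed: dict = AFFECTED_SITES) -> str:
    """Classify a host as 'not-listed', 'unpatched', 'stale-cert' or 'reissued'.
    `cert` has the shape of ssl.SSLSocket.getpeercert(); only 'notBefore'
    (e.g. 'Apr  8 00:00:00 2014 GMT') is consulted.
    """
    entry = feed.get(host)
    if entry is None:
        return "not-listed"            # never on the list: no opinion
    if entry["patched_at"] is None:
        return "unpatched"             # still vulnerable, whatever the cert says
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    # A cert issued on or before the patch day was served by a vulnerable
    # process, so its private key may have leaked. Require issuance on a later
    # day (conservative, since the feed records only the day, not the hour).
    cutoff = _day_to_epoch(entry["patched_at"]) + 86400
    return "stale-cert" if issued < cutoff else "reissued"

def should_warn(status: str) -> bool:
    """Only 'unpatched' and 'stale-cert' would trigger the browser warning."""
    return status in ("unpatched", "stale-cert")

if __name__ == "__main__":
    # Constructed peer certificates, reduced to the one field we need.
    samples = {
        "shop.example": {"notBefore": "Apr 10 00:00:00 2014 GMT"},
        "forum.example": {"notBefore": "Mar  1 00:00:00 2014 GMT"},
        "bank.example": {"notBefore": "Apr 10 00:00:00 2014 GMT"},
        "other.example": {"notBefore": "Apr 10 00:00:00 2014 GMT"},
    }
    for host, cert in samples.items():
        status = assess(host, cert)
        print(f"{host:15} {status:12} warn={should_warn(status)}")
```

A real deployment would also have to handle certificates reissued on the patch day itself and hosts whose patch claim is later withdrawn, which is exactly the trust problem the post points out.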

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
In the back of my mind, I'm blaming the stores/banks and assuming that I wouldn't be liable for their f*ck ups... Fingers crossed.

I've probably used a few OpenSSL sites at smaller stores or even bigger stores. Password changes in a week to important stuff like email and banks, hoping everyone's patched; f*ck the rest and hoping for the best.

It's not even really their fuckups any more than one of us not knowing either.

Ultimately, it's deeper than the websites using the hardware/software.

I am sure there are already class-actions forming looking to get someone to pay.
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
Browsers should actually issue patches that look at the list of affected sites, look at the cert dates, and pop a warning that it's not secure.

If all major browser makers do this, it will force these sites to fix the issue fast because they'll be getting tons of calls that they're getting an error.

Basically the browser looks at an online list of known affected sites and when each was patched, if that info is available. Then it looks at the site's cert to see if it's been updated after the patch date.

Not 100% foolproof, and it has to trust that the data is real (ex: if the company said they patched, trust that they really did).

I have a feeling this bug will get forgotten a few weeks from now after enough stabbings and shootings have happened to take over the news, and a lot of companies won't bother to patch or reissue certs or do whatever they need to do to fix it.

Not that we could trust anything before knowing what the NSA does, but right now, even more so, we really can't trust that what we're doing online is actually encrypted, since we don't know what these sites have done, if they redid their certs etc...

Online banking is probably the biggest one. NSA will just pass all your banking info (transactions etc) to the IRS and they'll have a field day with that.

This would not work, simply because the browser companies (and most are not making money from the user) would get those same calls too.