Free Republic

‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys
Krebs on Security ^ | 04-08-2014 | Brian Krebs

Posted on 04/08/2014 6:13:21 PM PDT by Drago

Researchers have uncovered an extremely critical vulnerability in recent versions of OpenSSL, a technology that allows millions of Web sites to encrypt communications with visitors. Complicating matters further is the release of a simple exploit that can be used to steal usernames and passwords from vulnerable sites, as well as private keys that sites use to encrypt and decrypt sensitive data.

(Excerpt) Read more at krebsonsecurity.com ...


TOPICS: Business/Economy; Crime/Corruption; Extended News; Technical
KEYWORDS: heartbleed; malware; openssl; pc; security
SSL flaw...Yahoo and many others were exposed...probably a good idea to change your Yahoo password.

List of top sites: https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt

Tester: http://filippo.io/Heartbleed/

1 posted on 04/08/2014 6:13:22 PM PDT by Drago
[ Post Reply | Private Reply | View Replies]

To: Drago

I’ve read that OSX gets a pass on this.


2 posted on 04/08/2014 6:20:28 PM PDT by ImJustAnotherOkie (zerogottago)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ImJustAnotherOkie

What does OSX have to do with this?

This is a server side issue.


3 posted on 04/08/2014 6:24:34 PM PDT by DB
[ Post Reply | Private Reply | To 2 | View Replies]

To: ImJustAnotherOkie

It is on the web server side (not your local PC). Sites you use could be compromised (around 500 million sites?). See: http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html


4 posted on 04/08/2014 6:26:01 PM PDT by Drago
[ Post Reply | Private Reply | To 2 | View Replies]

To: Drago

Someone at an open WiFi ‘hotspot’ could have a field day with this. Of course, anyone with half a brain should know better than do anything sensitive at all in such places. (this probably eliminates 90% of the population)

Virtually all net traffic could be intercepted and human readable.


5 posted on 04/08/2014 6:26:10 PM PDT by KoRn (Department of Homeland Security, Certified - "Right Wing Extremist")
[ Post Reply | Private Reply | To 1 | View Replies]

To: Drago

Make that “half a million” not 500 million...sorry.


6 posted on 04/08/2014 6:27:12 PM PDT by Drago
[ Post Reply | Private Reply | To 4 | View Replies]

To: ImJustAnotherOkie
"I’ve read that OSX gets a pass on this."

Nope! ....

It isn't necessarily 'server side' either. It could allow someone to 'impersonate' a secure server and intercept data intended to be sent to it.

7 posted on 04/08/2014 6:29:40 PM PDT by KoRn (Department of Homeland Security, Certified - "Right Wing Extremist")
[ Post Reply | Private Reply | To 2 | View Replies]

To: Drago

Holy crap, this is huge. What’s bad is that the certificate private key is exposed. That means someone can steal the certificate and impersonate the site.

This is open source software that is used on servers (primarily but not exclusively servers running Linux).


8 posted on 04/08/2014 6:30:56 PM PDT by Scutter
[ Post Reply | Private Reply | To 1 | View Replies]

To: KoRn; All
"Virtually all net traffic could be intercepted and human readable."


[image: dadez1.jpg]


9 posted on 04/08/2014 6:31:27 PM PDT by musicman (Until I see the REAL Long Form Vault BC, he's just "PRES__ENT" Obama = Without "ID")
[ Post Reply | Private Reply | To 5 | View Replies]

To: Scutter

Yah. Bad deal. Need to know more.


10 posted on 04/08/2014 6:35:27 PM PDT by Ramius (Personally, I give us one chance in three. More tea anyone?)
[ Post Reply | Private Reply | To 8 | View Replies]

To: ImJustAnotherOkie

“I’ve read that OSX gets a pass on this.”

I hope that was satire. Perhaps not from a Mac user though... just so you know, the horrific vulnerability exposed a couple of months back in OSX 10 was a client-side exploit unique to Macs that allowed third-parties to view what should have been secure and encrypted communication, and is totally unrelated to this security issue.

Your issue was client-side, this is a different issue server-side. Whatever bandaids Apple may have applied to your Mac has absolutely zero to do with this new exploit, and will do nothing to protect you.

Trying to translate into Mac-User-language, think of it as the difference between someone hopping in your car and looking over your shoulder as you type in your PIN# at the ATM, versus someone being able to electronically harvest any PIN number from any ATM.

The first instance, the client-side Mac exclusive exploit, was simply the fault of Apple and Mac Users. Like manufacturing a car without door locks, buying said car, and not taking any personal security measures to stop someone from hopping into the passenger seat and asking you what’s up.

The second instance is a bit more like ATM manufacturers using a method of encrypting and storing PIN numbers that someone was able to decode, allowing unauthorized persons to view data that should be securely encrypted.

You can’t really do anything client-side to fix this exploit, nor can Apple do anything. It’s up to each individual webpage or service on the net using the outdated versions of OpenSSL to update their servers to a more recent version of OpenSSL, and reset user passwords.


11 posted on 04/08/2014 6:40:14 PM PDT by jameslalor
[ Post Reply | Private Reply | To 2 | View Replies]

To: KoRn

“Virtually all net traffic could be intercepted and human readable.”

Nope, just sites running an outdated version of OpenSSL, of which naturally Yahoo is one. It’s just incumbent on web admins to update their libraries and reset user passwords.


12 posted on 04/08/2014 6:42:44 PM PDT by jameslalor
[ Post Reply | Private Reply | To 5 | View Replies]

To: Drago

http://freerepublic.com/focus/f-chat/3142152/posts


13 posted on 04/08/2014 6:50:18 PM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the mooslimbs trying to kill them-)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Drago

There’s already an OpenSSL update to solve that problem. The answer for those using open source operating systems is to update.


14 posted on 04/08/2014 6:51:15 PM PDT by familyop (We Baby Boomers are croaking in an avalanche of corruption smelled around the planet.)
[ Post Reply | Private Reply | To 1 | View Replies]
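Deciding which boxes actually need that update is mostly a version triage. The script below is an added example, not code from this thread or from the OpenSSL project: it classifies lines of `openssl version` output against the affected range, which the thread itself does not spell out (the 1.0.1 series from 1.0.1 through 1.0.1f plus the 1.0.2-beta1 preview; 1.0.1g of 7 Apr 2014 is the first fixed release, and 0.9.8 and 1.0.0 never had the heartbeat code). The host inventory is constructed.

```python
import re

# Affected releases (CVE-2014-0160): 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g is the first fixed release in the 1.0.1 line, so any letter below
# "g" (including no letter at all) is in the affected range.
FIRST_FIXED_LETTER = "g"

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1e-fips ...",
# and "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?"
)


def classify(version_line):
    """Classify one line of `openssl version` output.

    Returns "vulnerable", "not-affected", or "unknown" (line not parseable).
    """
    m = VERSION_RE.search(version_line)
    if not m:
        return "unknown"
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    if (major, minor, fix) == (1, 0, 1):
        # "" < "g" is True, so plain 1.0.1 counts as affected too.
        return "vulnerable" if letter < FIRST_FIXED_LETTER else "not-affected"
    if (major, minor, fix) == (1, 0, 2) and suffix == "beta1":
        return "vulnerable"
    return "not-affected"


def triage(inventory):
    """Map host name -> classification for a dict of host: version line."""
    return {host: classify(line) for host, line in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "web-1": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-2": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-app": "OpenSSL 1.0.0l 6 Jan 2014",
    "preview-box": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "pi": "bash: openssl: command not found",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

One caveat before acting on the output: distributions that backport the fix into their existing package keep the old version letter (a patched 1.0.1e still reports 1.0.1e), and the advisory's stop-gap of rebuilding with `-DOPENSSL_NO_HEARTBEATS` leaves the version string unchanged as well. Treat "vulnerable" here as "confirm against the package changelog or a live test", not as proof.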

To: jameslalor; KoRn

The way I understand it, OSX still uses version 9, version 9.6-10.2 has the leak.

If an instance of 9 on the host syncs up with 9 on OSX, where’s the problem?


15 posted on 04/08/2014 7:01:44 PM PDT by ImJustAnotherOkie (zerogottago)
[ Post Reply | Private Reply | To 11 | View Replies]

To: jameslalor

It’s not an “outdated version”. It is what was the current version before this bug was found. I checked both my Linux boxes, and both were running a vulnerable version.

My Raspberry Pi computer runs a somewhat obscure distro (Raspbian) that doesn’t even have an updated openssl package that fixes the issue. So I’ve had to take that machine off the internet for now (it was hosting my remotely accessible cat treat feeder, which has an HTTPS web site).

And even if the site owner updates openssl, there is no guarantee that the private key for his web site certificate wasn’t stolen in the interval before the software was updated. If an attacker was able to steal the private key, he could potentially impersonate the site and steal users’ passwords and other info.

This is a huge big deal that we will be sorting out for some time.


16 posted on 04/08/2014 7:04:00 PM PDT by Scutter
[ Post Reply | Private Reply | To 12 | View Replies]

To: Drago

Sites can be tested by entering URLs behind the link.

Heartbleed test
http://filippo.io/Heartbleed/


17 posted on 04/08/2014 7:08:33 PM PDT by familyop (We Baby Boomers are croaking in an avalanche of corruption smelled around the planet.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Drago

Interesting related article...

http://techrights.org/2014/04/08/howard-schmidt-codenomicon/


18 posted on 04/08/2014 7:11:36 PM PDT by PieterCasparzen (We have to fix things ourselves)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Drago

The Howard Schmidt guy at his company’s site:

http://www.codenomicon.com/company/board-of-directors.shtml


19 posted on 04/08/2014 7:12:52 PM PDT by PieterCasparzen (We have to fix things ourselves)
[ Post Reply | Private Reply | To 18 | View Replies]

To: Drago; All

The openssl vulnerabilities page:

http://www.openssl.org/news/vulnerabilities.html


20 posted on 04/08/2014 7:33:59 PM PDT by PieterCasparzen (We have to fix things ourselves)
[ Post Reply | Private Reply | To 19 | View Replies]

To: familyop

From your link (THANKS!)

All good, us-mg6.mail.yahoo.com seems not affected!


21 posted on 04/08/2014 7:50:36 PM PDT by SZonian (Throwing our allegiances to political parties in the long run gave away our liberty.)
[ Post Reply | Private Reply | To 17 | View Replies]

To: ImJustAnotherOkie

“The way I understand it, OSX still uses version 9, version 9.6-10.2 has the leak. If an instance of 9 on the host syncs up with 9 on OSX, where’s the problem?”

No. You don’t understand.

Short summary - your data is vulnerable, your Mac is not immune.

This exploit is not a Mac exploit, it’s an OpenSSL exploit. Do you know what those words mean? Mac and OpenSSL? Mac is the obsolete and obscenely overpriced computer that some bright marketers repackaged in order to sell to technophobes - OpenSSL is a piece of software used by some websites to encrypt information.

Why do you mistakenly think your Mac, or your operating system, can protect you from flaws in the software that Yahoo and other websites use to store information or communicate with you?

Let me explain it from your end. When you turn on your computer and open your web browser, you can communicate with other computers in the world. The websites you visit, like Free Republic and Yahoo, are actually files located on the hard drives of other computers.

When you log in to a website in order to purchase something, or log in to an account in order to email someone or post on a discussion board, those other computers that are hosting those sites and services use encryption software in order to communicate private details with your computer.

OpenSSL is one of the types of encryption software used to communicate encrypted information (passwords, credit card numbers, etc.).

However, there’s a problem, one of the types of software used to encrypt user data and communications has a flaw. That flaw is unrelated to the problem Mac users had a few months back, when their Macs basically went around screaming to everyone that was listening “HEY EVERYONE! Look at what this guy is trying to encrypt!”

The fact that a few months back your crappy, obsolete, overpriced idiot-box wasn’t even bothering to properly use encryption for communication of sensitive information is totally and completely unrelated to the fact that one of the pieces of software people can use to encrypt information has a flaw in it.

Your operating system has nothing to do with the software Yahoo and other sites have installed on their own machines.

Nor does a patch to your Mac meant to get it to use encryption properly in the first place do anything whatsoever to fix any flaws in the encryption method or the software used to communicate encrypted information.

The fact that a few months back anyone in the world could view what a Mac user was doing (because the Mac wasn’t even really bothering to encrypt anything) is totally and completely unrelated to the fact that encryption can be broken. Apple may have come along and gotten your overpriced, obsolete piece of technology-for-the-technically-challenged to finally use encryption, but there’s a flaw in some of the encryption software out there.


22 posted on 04/08/2014 8:39:27 PM PDT by jameslalor
[ Post Reply | Private Reply | To 15 | View Replies]

To: Scutter

Oh don’t get me wrong, this is a significant exploit, but I was responding to the assertion that virtually all net traffic would become readable.

OpenSSL is used by Linux folks like us (I’ve already updated my Slackware boxes) and a fraction of web servers - as you said, often but not exclusively Linux-based web servers (and automated cat treat machines, sadly). That’s a far cry from all net traffic, though it still remains a significant exploit - especially for the cats.

This will result in a number of costly problems, but most M$ and Mac users out there aren’t going to be seeing it manifest personally, and are just going to be experiencing their web-services updating their software and shuffling around user-logins - most of what they’re going to have to be doing will likely be related to user-prompts and password changes popping up once sites start trying to sort out the mess of potentially compromised private master keys, potentially compromised session cookies, and spoofed site certifications.

On the admin side this is one hell of a hairball to sort out.


23 posted on 04/08/2014 9:01:44 PM PDT by jameslalor
[ Post Reply | Private Reply | To 16 | View Replies]

To: jameslalor

Some people are born as arrogant pricks, they make up for a defective personality by making their opinions sound important.


24 posted on 04/09/2014 3:28:19 AM PDT by ImJustAnotherOkie (zerogottago)
[ Post Reply | Private Reply | To 22 | View Replies]

To: jameslalor

“I was responding to the assertion that virtually all net traffic would become readable.”

That certainly wasn't an assertion that I made. The point I was making is that the site owner won't necessarily know whether or not his private key was stolen, and end users won't know whether a HTTPS site they are visiting has had its key stolen. You can patch your software to remove the vulnerability, but the horse has already left the barn.

25 posted on 04/09/2014 10:02:44 PM PDT by Scutter
[ Post Reply | Private Reply | To 23 | View Replies]
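The one signal an end user does have on this point is the certificate's issue date: a certificate dated before the site's fix went in cannot rule out that its key was read out of a vulnerable server, while one issued afterwards at least shows the operator reissued. The script below is an added example, not code from this thread, using Python's standard `ssl` module. The two certificates are constructed, and the 7 Apr 2014 cutoff is the public disclosure date; substitute the date a particular site patched if you know it.

```python
import socket
import ssl

# Heartbleed became public on 7 Apr 2014. A certificate whose notBefore is
# earlier than the site's fix date may carry a key that was exposed.
DISCLOSURE = "Apr  7 00:00:00 2014 GMT"


def cert_predates(cert, cutoff=DISCLOSURE):
    """True if the certificate's notBefore is earlier than `cutoff`.

    `cert` has the dict shape returned by SSLSocket.getpeercert(); the
    date strings are in the format ssl.cert_time_to_seconds() parses.
    """
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    return issued < ssl.cert_time_to_seconds(cutoff)


def assess(cert, cutoff=DISCLOSURE):
    """Short verdict. A later notBefore shows a reissue, not proof of a new
    key, so the wording stays cautious either way."""
    if cert_predates(cert, cutoff):
        return "cert-predates-fix: key may have been exposed; expect a reissue"
    return "cert-reissued-after-cutoff: operator reissued; old cert should be revoked"


def fetch_cert(host, port=443, timeout=5):
    """Fetch and validate a live server certificate (network access; not
    exercised by the constructed samples below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates for a hypothetical host; not real data.
OLD_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "serialNumber": "01",
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "serialNumber": "02",
    "notBefore": "Apr  9 00:00:00 2014 GMT",
    "notAfter": "Apr  9 23:59:59 2015 GMT",
}

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(f"{label}: {assess(cert)}")
```

Run it against a real site by calling `assess(fetch_cert("host"))`. Comparing the serial number against one recorded before the reissue is a useful extra check, since a reissue with the same key would change the dates but not address the exposure.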

To: familyop

Thanks. Looks like my sites at InMotion are vulnerable. Good thing I’m not doing any commerce on them.


26 posted on 04/13/2014 10:20:51 PM PDT by Carry_Okie (Grovelnator Shwarzenkaiser: fasionable fascism one charade at a time.)
[ Post Reply | Private Reply | To 17 | View Replies]
