Posted on 04/11/2014 8:22:27 AM PDT by topher
The cybersecurity firm that discovered the so-called Heartbleed bug, a gaping hole in the most widely used software privacy and security software on the Internet, said the flaw went undetected for two years because of the large amount of intensive work it takes to manually test encryption software.
(Excerpt) Read more at ibtimes.com ...
Intrusion detection picked up the first attack on this exploit early this AM in the network I manage.
Bump for later!
One additional question rarestia, please. If one does not do anything online other than browse, visit this site of FR and send emails to family from one email site ... from all I can glean, that individual is basically safe and may not even need to change their passwords? Is that statement / question an affirmative or am I misreading the information?
Remember that SSL is used to mask your traffic. Since sites like FR, FoxNews, Drudge, etc. don’t use SSL (http vs https), then you really have little with which to be concerned.
Anywhere that sensitive data is passed, anywhere a password is required, anywhere that personally identifiable information is presented to an entity outside of your circle of trust, you SHOULD be using SSL or your data could be compromised.
So to answer your question, are you safe? Sure, you’re safe insomuch as insecure traffic isn’t affected by this data breach. If, however, you are reading your email on a site that does not use SSL or logging into a site, such as FR, where your login is not protected by SSL, then you’re passing all of your credentials and data to that server in clear text which can be read by anyone. Food for thought.
This site will test any domain to give you some idea of security and whether it is affected by Heartbleed or not.
https://www.ssllabs.com/ssltest/
That is great. I hope everyone who is wondering what this is all about looks at that. It is clear and accurate.
And these were major banks...
You seem pretty up on this stuff. This thread http://www.freerepublic.com/focus/f-chat/3143545/posts says you don’t have to be concerned if you have an Apple phone or computer. I’m somewhat skeptical. Is this correct? I thought the problem was on the site you are visiting.
However, Apple is claiming that its server-side services are not vulnerable--which is great.
They threw in the other products in that announcement--I think--merely as a matter of marketing.
That’s what I thought. It sounds like a false sense of security if people think they are safe because they use a Mac when what you are using isn’t the problem in the first place.