Posted on 04/09/2014 3:00:05 PM PDT by kingattax
Wrong side of the cage...
The way it works is simply that a remote user can grab memory from any server running OpenSSL in 64K chunks, as many times as he wants, and piece together anything that was there. Logins, passwords, account numbers, email, you name it. Any time for the past two years.
For the user, a change of password is mandatory for any site that uses SSL, which is practically anything where you'd pass money. Most of the bigger vendors are already patched but only since Monday. There's still that two-year window. This is a huge, gaping security hole.
Changing your password on an unpatched site/server is useless. The new one could be instantly compromised. HERE is a means you can use to test whatever site whose safety you need to verify.
Are the passwords here at risk? Were they previously? Or is this only for secure web sites?
It’s only for secure web sites. Freerepublic runs on port 80, so there’s no listener on port 443, which is the https port.
You are right. Just showin’ a guy’s gotta be careful.
Must be a rural bank. Did you see that the tall drink of water has a serious case of man hands? Bit of a mannish suit too I would say...
lol
The exploit is diabolically simple.
Read about heartbeats in RFC 6520. A heartbeat consists of a type code, a length, some data, and at least 16 bytes of padding. You send this to the server, and it echoes back your data and resets the timeout timer.
Someone saw that in this implementation, no one was comparing the length field to what you actually sent. You could send a heartbeat with a length field of 10K, but only have 2 characters of data. The server will put your 2 characters in memory, and then you get back 10K starting at the address of your 2 characters. That memory would have been recently released by other processes, and contains who knows what.
Since a heartbeat resets your timeout, you could send heartbeats all day and collect enormous amounts of server memory, some of which would be bound to contain something interesting.
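The missing check described in the post above, as an added example that is not code from this thread or from OpenSSL: a toy model of an RFC 6520 heartbeat handler in C. The received record lives at the start of a small in-process "arena" (a constructed stand-in for server memory, with a made-up `password=hunter2` string planted past the record to represent stale data from earlier requests), so the over-read never leaves memory the program owns. `vulnerable_reply` trusts the length field the way the pre-patch code did; `hardened_reply` adds the one comparison that was missing, which is also what RFC 6520 section 4 requires (a heartbeat whose payload_length does not fit the received message must be discarded silently). All function and buffer names are this example's own assumptions.

```c
/* Added example, not from the thread or from OpenSSL: a toy RFC 6520
 * heartbeat handler, showing the missing length check and its fix.
 * Everything runs inside one in-process arena; no network, no real TLS. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256
#define HB_PADDING 16      /* RFC 6520: at least 16 bytes of padding */
#define HB_REQUEST 1       /* heartbeat_request type code */

/* Constructed "server memory": the received record sits at offset 0,
 * and bytes beyond it stand in for stale data left by earlier requests. */
static uint8_t arena[ARENA_SIZE];
static const char stale_secret[] = "password=hunter2";  /* constructed */

/* Writes a heartbeat record into the arena: type(1) | length(2) | payload | padding.
 * claimed_len may differ from actual_len, which is exactly the bug the
 * post describes. Returns the number of record bytes actually received. */
static size_t build_record(uint16_t claimed_len, const char *payload, size_t actual_len) {
    memset(arena, 0, sizeof arena);
    memcpy(arena + 64, stale_secret, sizeof stale_secret);  /* plant stale data */
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    /* padding bytes are already zero from the memset */
    return 1 + 2 + actual_len + HB_PADDING;
}

/* Vulnerable handler: echoes as many bytes as the length field claims,
 * starting at the payload, without ever looking at record_len.
 * Returns bytes copied into out, or 0 on failure. */
static size_t vulnerable_reply(size_t record_len, uint8_t *out, size_t out_cap) {
    (void)record_len;  /* never consulted: that is the bug */
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    /* This cap exists only so the toy never leaves the arena it owns;
     * the real handler had no such bound and read straight into the heap. */
    if (3 + claimed > ARENA_SIZE) claimed = ARENA_SIZE - 3;
    if (claimed > out_cap) return 0;
    memcpy(out, arena + 3, claimed);
    return claimed;
}

/* Hardened handler: the comparison the fix added. A request whose claimed
 * length does not fit inside the record we actually received is discarded. */
static size_t hardened_reply(size_t record_len, uint8_t *out, size_t out_cap) {
    if (record_len < 1 + 2 + HB_PADDING) return 0;          /* too short to be valid */
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (1 + 2 + claimed + HB_PADDING > record_len) return 0; /* discard silently */
    if (claimed > out_cap) return 0;
    memcpy(out, arena + 3, claimed);
    return claimed;
}

/* Does a reply contain the planted stale string? */
static int reply_leaks_secret(const uint8_t *out, size_t n) {
    size_t slen = strlen(stale_secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, stale_secret, slen) == 0) return 1;
    return 0;
}

/* Honest request: 2 bytes of payload, length field says 2. */
static size_t honest_request_bytes_via_hardened(void) {
    uint8_t out[ARENA_SIZE];
    return hardened_reply(build_record(2, "hi", 2), out, sizeof out);
}

/* Lying request: 2 bytes of payload, length field says 200. */
static int lying_request_leaks_via_vulnerable(void) {
    uint8_t out[ARENA_SIZE];
    size_t n = vulnerable_reply(build_record(200, "hi", 2), out, sizeof out);
    return reply_leaks_secret(out, n);
}

static size_t lying_request_bytes_via_hardened(void) {
    uint8_t out[ARENA_SIZE];
    return hardened_reply(build_record(200, "hi", 2), out, sizeof out);
}

int main(void) {
    printf("honest request, hardened handler echoes %zu bytes\n",
           honest_request_bytes_via_hardened());
    printf("lying request, vulnerable handler leaks planted secret: %d\n",
           lying_request_leaks_via_vulnerable());
    printf("lying request, hardened handler echoes %zu bytes\n",
           lying_request_bytes_via_hardened());
    return 0;
}
```

The only difference between the two handlers is the single `if` comparing the claimed length (plus header and padding) against the number of bytes that actually arrived; with it, the lying request is dropped and the honest one still gets its 2-byte echo. The cap inside `vulnerable_reply` is there purely to keep this demonstration memory-safe and is not part of what the real bug looked like.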
Is heartbleed a Microsoft only problem ?
No. It has nothing to do with Windows but with a particular software that handles particular types of net security, OpenSSL. Apparently, Windows is to the good on this one because Microsoft’s version of a web server, IIS, uses different software. However, if someone is running an Apache installation with OpenSSL on a Windows-based machine, the vulnerability could still be there but it wouldn’t have anything to do with Windows itself.
Thanks
Beck just got new Lifelock ad material.
Would https://secure.freerepublic.com/donate/ be an issue?
Just curious.
Thanks, that’s good to know.