Heartbleed openssl bug (private keys at risk) - GoFuckYourself.com

adultmobile · 04-08-2014, 06:47 PM

Heartbleed openssl bug (private keys at risk)

http://heartbleed.com/
http://arstechnica.com/security/2014...eavesdropping/
http://threatpost.com/seriousness-of...sets-in/105309

OpenSSL is default for apache and nginc, 66% of web sites.

"A missing bounds check allows an attacker to read up to 64 KB of memory on a machine protected by OpenSSL."

"Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption."

Test your server:

http://filippo.io/Heartbleed/

Seth Manson · 04-08-2014, 08:24 PM

fucking god dammit

ErectMedia · 04-08-2014, 08:29 PM

patched this/rebooted a few hours ago

seeandsee · 04-09-2014, 03:09 AM

jesus what a bug, how the fuck they just found it now

Barry-xlovecam · 04-09-2014, 05:02 AM

Problem is, you cannot fix the past problem of a few years by patching.

Change your critical passwords (banking especially, financial services, (internet wallets?)).

If you think about places where your credit card numbers are shown in plain text (including PDF downloads -- credit card statements, etc.) that are password protected -- we may, MAY, be in for a shit storm.

Whatever damage has been done has already been done -- mitigate your future exposure ...

polipie · 04-09-2014, 05:34 AM

Webmasters can test their site here: filippo.io

rowan · 04-09-2014, 08:45 AM

Quote:

Originally Posted by adultmobile

Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption."

The NSA must be falling all over themselves to try to find as many vulnerable servers as possible so they can finally decipher that mystery encrypted data they've been capturing all this time.

... assuming they only found out about it 2 days ago, like the rest of us, rather than 2 years ago when the bug first appeared in the source code...

adultmobile · 04-09-2014, 07:58 PM

Quote:

Originally Posted by rowan

The NSA must be falling all over themselves to try to find as many vulnerable servers as possible so they can finally decipher that mystery encrypted data they've been capturing all this time.

... assuming they only found out about it 2 days ago, like the rest of us, rather than 2 years ago when the bug first appeared in the source code...

It could well be that NSA knew the exploit since a year and it is upset that it was found and patched.

noshit · 04-09-2014, 08:26 PM

Quote:

Originally Posted by seeandsee

jesus what a bug, how the fuck they just found it now

That's easy... company that found the bug has connections to Google, Obama, DHS, and FBI. Funny how a company with those ties found a bug that seems to beg for government intervention

anexsia · 04-09-2014, 09:01 PM

already updated my servers

04-08-2014, 06:47 PM	#1
adultmobile No, I am not banned Industry Role: Join Date: Nov 2003 Location: ChatGF.com Posts: 5,345	Heartbleed openssl bug (private keys at risk) Heartbleed openssl bug (private keys at risk) http://heartbleed.com/ http://arstechnica.com/security/2014...eavesdropping/ http://threatpost.com/seriousness-of...sets-in/105309 OpenSSL is default for apache and nginc, 66% of web sites. "A missing bounds check allows an attacker to read up to 64 KB of memory on a machine protected by OpenSSL." "Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption." Test your server: http://filippo.io/Heartbleed/ __________________ TubeCamGirl.com Last edited by adultmobile; 04-08-2014 at 06:52 PM..

04-08-2014, 08:29 PM	#3
ErectMedia Confirmed Chicago Pimp Industry Role: Join Date: Aug 2004 Location: Chicago Posts: 7,100	patched this/rebooted a few hours ago __________________ Domain Name Registration Web3 Domains

04-09-2014, 03:09 AM	#4
seeandsee Check SIG! Industry Role: Join Date: Mar 2006 Location: Europe (Skype: gojkoas) Posts: 50,945	jesus what a bug, how the fuck they just found it now __________________ BUY MY SIG - 50$/Year Contact here

04-09-2014, 05:02 AM	#5
Barry-xlovecam It's 42 Industry Role: Join Date: Jun 2010 Location: Global Posts: 18,083	Problem is, you cannot fix the past problem of a few years by patching. Change your critical passwords (banking especially, financial services, (internet wallets?)). If you think about places where your credit card numbers are shown in plain text (including PDF downloads -- credit card statements, etc.) that are password protected -- we may, MAY, be in for a shit storm. Whatever damage has been done has already been done -- mitigate your future exposure ...

04-09-2014, 05:34 AM	#6
polipie Confirmed User Industry Role: Join Date: Jun 2012 Location: Belgium Posts: 81	Webmasters can test their site here: filippo.io __________________ TrafficMansion.com

04-08-2014, 08:24 PM	#2
Seth Manson Please dont fuck animals Industry Role: Join Date: Jul 2010 Location: Henderson, NV Posts: 3,988	fucking god dammit

04-09-2014, 09:01 PM	#10
anexsia Confirmed User Industry Role: Join Date: May 2010 Posts: 5,735	already updated my servers