GoFuckYourself.com - Adult Webmaster Forum


adultmobile 04-08-2014 06:47 PM

Heartbleed openssl bug (private keys at risk)

http://heartbleed.com/
http://arstechnica.com/security/2014...eavesdropping/
http://threatpost.com/seriousness-of...sets-in/105309

OpenSSL is default for Apache and nginx, 66% of web sites.

"A missing bounds check allows an attacker to read up to 64 KB of memory on a machine protected by OpenSSL."

"Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption."

Test your server:

http://filippo.io/Heartbleed/

Seth Manson 04-08-2014 08:24 PM

fucking god dammit :mad:

ErectMedia 04-08-2014 08:29 PM

patched this/rebooted a few hours ago :thumbsup

seeandsee 04-09-2014 03:09 AM

jesus what a bug, how the fuck they just found it now

Barry-xlovecam 04-09-2014 05:02 AM

Problem is, you cannot fix the past problem of a few years by patching.

Change your critical passwords (banking especially, financial services, (internet wallets?)).

If you think about places where your credit card numbers are shown in plain text (including PDF downloads -- credit card statements, etc.) that are password protected -- we may, MAY, be in for a shit storm.

Whatever damage has been done has already been done -- mitigate your future exposure ...

polipie 04-09-2014 05:34 AM

Webmasters can test their site here: filippo.io

rowan 04-09-2014 08:45 AM

Quote:

Originally Posted by adultmobile (Post 20042855)
Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption."

The NSA must be falling all over themselves to try to find as many vulnerable servers as possible so they can finally decipher that mystery encrypted data they've been capturing all this time.

... assuming they only found out about it 2 days ago, like the rest of us, rather than 2 years ago when the bug first appeared in the source code...

adultmobile 04-09-2014 07:58 PM

Quote:

Originally Posted by rowan (Post 20043448)
The NSA must be falling all over themselves to try to find as many vulnerable servers as possible so they can finally decipher that mystery encrypted data they've been capturing all this time.

... assuming they only found out about it 2 days ago, like the rest of us, rather than 2 years ago when the bug first appeared in the source code...

It could well be that the NSA has known the exploit for a year and is upset that it was found and patched.

noshit 04-09-2014 08:26 PM

Quote:

Originally Posted by seeandsee (Post 20043105)
jesus what a bug, how the fuck they just found it now

That's easy... company that found the bug has connections to Google, Obama, DHS, and FBI. Funny how a company with those ties found a bug that seems to beg for government intervention

anexsia 04-09-2014 09:01 PM

already updated my servers


All times are GMT -7.