Posted On:4/09/2014 2:35pm
You can check sites here
Posted On:4/09/2014 2:47pm
(tab) Forum > Forum Actions > General Settings > in Thread Display Options > Number of Posts to Show Per Page: 40
Posted On:4/09/2014 3:07pm
I mean, it's only been broken for 2 years. Why it's a big deal now is only that somebody in the biz figured out that it's broken.
But, yeah, if you're using the same username/password everywhere, you're dumb and deserve to be hacked. Change that behavior right now.
All website admins running OpenSSL should go ahead and pony up for a new signed cert (edit: this means, generate a new private key and CSR), after patching their systems. 1.0.1g is the SSL you should be running - unless you're just really lazy and are still running 0.9.8, which is not vulnerable to THIS attack, but has other issues like renego and beast, I think.
I'm a fan of Qualys' SSLLabs which will tell you many of the things wrong with your SSL config... pop over to https://www.ssllabs.com/ssltest/ to get a check for your site (they didn't have Heartbleed check yesterday, not sure if they do today).
Last edited by submessenger; 4/09/2014 3:14pm.
insight combined with intel, fuse, and dynamite
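Added example, not part of any post in this thread: a small Python check that sorts `openssl version -a` output by the version guidance in the post above (1.0.1g fixed, 0.9.8 not affected by this bug) and by whether the build has heartbeats compiled out. The vulnerable range of 1.0.1 through 1.0.1f plus 1.0.2-beta1 comes from the upstream advisory rather than from this page, and the hostnames and sample outputs are constructed.

```python
import re

# Version token from `openssl version`, e.g. "1.0.1e", "0.9.8y", "1.0.2-beta1".
_VERSION = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?", re.I)

def classify(version_output):
    """Classify `openssl version -a` text for Heartbleed exposure.

    Returns "affected", "heartbeat-disabled", "not-affected" or "unknown".
    "affected" means the upstream version is in the vulnerable range; some
    distributions backported the fix without changing the version string,
    so confirm such a result against the package changelog.
    """
    m = _VERSION.search(version_output)
    if not m:
        return "unknown"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    beta = (m.group(5) or "").lower()
    in_range = (
        (release == (1, 0, 1) and letter < "g")       # 1.0.1 through 1.0.1f
        or (release == (1, 0, 2) and beta == "-beta1")  # fixed in 1.0.2-beta2
    )
    if not in_range:
        return "not-affected"
    # A build compiled with this flag contains no heartbeat code to exploit.
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "heartbeat-disabled"
    return "affected"

# Constructed sample outputs, one per host (hostnames are made up).
SAMPLES = {
    "web1": "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -fPIC -DOPENSSL_PIC -O2",
    "web2": "OpenSSL 1.0.1g 7 Apr 2014\ncompiler: gcc -fPIC -DOPENSSL_PIC -O2",
    "mail": "OpenSSL 0.9.8y 5 Feb 2013\ncompiler: gcc -fPIC -O2",
    "vpn": "OpenSSL 1.0.1f 6 Jan 2014\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O2",
    "lab": "OpenSSL 1.0.2-beta1 24 Feb 2014\ncompiler: gcc -O2",
    "odd": "not an openssl banner",
}

def audit(samples):
    """Map each host to its classification."""
    return {host: classify(text) for host, text in samples.items()}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host}: {verdict}")
```

A host that was "affected" at any point still needs a new private key and certificate after patching, since the version check says nothing about what leaked earlier.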
Posted On:4/09/2014 3:11pm
Originally Posted by submessenger
This one is Bad, especially when you think about how much private memory you could leak out of an HTTPS server over 2 years, one 64k chunk at a time.
Anybody using this could compile quite an interesting data set from a server using TLS/SSL...not the least of which would be bits of private key...
Some of the better implementations of SSL disabled the "heartbeat" function. Some will avoid this by staying on the legacy 0.9.x versions that aren't susceptible (to this).
Last edited by W. Rabbit; 4/09/2014 3:19pm.
Posted On:4/09/2014 3:18pm
Yeah, the scary part is that it's not just current conversations, but any historical dumps that may have been grabbed could be decrypted if an attacker went to the trouble of exploiting this and getting a server's private key(s).
Piss is in the pool.
Posted On:4/09/2014 3:19pm
What's funniest is this sort of **** actually impacts my BJJ schedule. God damn.
What a no win situation. Whenever these come up, I think of Airplane.
Posted On:4/09/2014 3:21pm
On a side note, Wireshark is great for this - just point it to a copy of your private key, and BINGO - instant SSL decode. It's even smart enough to handle StartTLS in several circumstances.
Posted On:4/09/2014 3:32pm
The applications for brute forcing SSL here are tremendous.
Knowing 1/x of a private key means you are effectively cutting the keyspace down by orders of magnitude, which is a cryptoloGIST's wet dream.
E-commerce? Yahoo accounts??? ROFL
This has (inter) national security ramifications.
Last edited by W. Rabbit; 4/09/2014 3:37pm.
Posted On:4/09/2014 3:35pm
On a less serious note here is my favorite infosec story of the month thus far.
now back to heartbleed.
Posted On:4/09/2014 3:40pm
The window is 64k - entirely possible, if not probable, that the entire private key can be downloaded in one shot.