
Are your websites secure? The heartbleed bug


lanux128:
as it is already known, the heartbleed bug is a vulnerability in the OpenSSL library which seems to compromise the traffic flow at secure sites. the web admins everywhere are rushing to patch their servers with the latest bug-fix.

to check your site's exposure level, you can go here to test. to learn more about the bug itself, click on the image below.




• http://heartbleed.com/

mouser:
DC updated and tested as secure.

Thanks very much for that test page btw -- I looked for one unsuccessfully.

ewemoa:
Thanks lanux128.

The following is from the last link:

What is leaked primary key material and how to recover?

These are the crown jewels, the encryption keys themselves. Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past vulnerable to decryption. All this has to be done by the owners of the services.

What is leaked secondary key material and how to recover?

These are for example the user credentials (user names and passwords) used in the vulnerable services. Recovery from these leaks requires owners of the service first to restore trust to the service according to the steps described above. After this, users can start changing their passwords and possible encryption keys according to the instructions from the owners of the services that have been compromised. All session keys and session cookies should be invalidated and considered compromised.

--- End quote ---

mouser:
A dc member also sent me this useful test page:
https://www.ssllabs.com/ssltest/analyze.html

Stoic Joker:
Thanks guys!

Our 3rd party external network PCI compliance scan (last week) came back fine ...(even though the above tests said we suck)... So these tests are apparently checking much more thoroughly/deeper.

I'm currently trying to get my score above an A-.
