
Are your websites secure? The heartbleed bug


Carol Haynes:
Bit worrying that PayPal.com comes back as a fail: https://www.ssllabs.com/ssltest/analyze.html?d=www.paypal.com

Inconsistent server configuration!

And Amazon.co.uk and .com come back as B

Even more worrying, HSBC bank comes back as B and one of Barclays' servers comes back as F!!!!

https://www.ssllabs.com/ssltest/analyze.html?d=barclays.co.uk&hideResults=on

SeraphimLabs:
HSBC is always insecure. More than once now I've shut down phishing operations where someone copied HSBC's exact site layout and patched it onto their own backend. At one point I even managed to catch such an operation alive, and sent it intact to HSBC for analysis so they could fix their stuff.
I can't help but have my tinfoil hats out for this one though. This will be the first time that I have ever heard of Linux having a crippling security flaw that was not also found in Windows. And for it to exist in such a vital library that has been in use for such a long period of time, all I can say is NSA was here.

TaoPhoenix:
I can't help but have my tinfoil hats out for this one though. This will be the first time that I have ever heard of Linux having a crippling security flaw that was not also found in Windows. And for it to exist in such a vital library that has been in use for such a long period of time, all I can say is NSA was here.
-SeraphimLabs (April 10, 2014, 12:07 PM)
--- End quote ---

Checking the Wiki page now...
http://en.wikipedia.org/wiki/Heartbleed_bug
"The vulnerability has existed since December 31, 2011, and the vulnerable code has been in widespread use since the release of OpenSSL version 1.0.1 on March 14, 2012"

So I'm lost, sometimes we joke about the Agency social media programs being rudimentary or whatever, but however this bug got in there, it took two years to find?! I thought there were like 50 geniuses scattered around the world who spend their days proofing out big ticket code. Different from bugs not getting fixed, if it wasn't even found for two years...

Ow. I think I cut myself shaving with Occam's Razor.

TaoPhoenix:
Ooh, right on time.

Slashdot's copy:

http://it.slashdot.org/story/14/04/10/2235225/heartbleed-coder-bug-in-openssl-was-an-honest-mistake

"The Heartbleed bug in OpenSSL wasn't placed there deliberately, according to the coder responsible for the mistake — despite suspicions from many that security services may have been behind it. OpenSSL logs show that German developer Robin Seggelmann introduced the bug into OpenSSL when working on the open-source project two and a half years ago, according to an Australian newspaper. The change was logged on New Year's Eve 2011. 'I was working on improving OpenSSL and submitted numerous bug fixes and added new features,' Seggelmann told the Sydney Morning Herald. 'In one of the new features, unfortunately, I missed validating a variable containing a length.' His work was reviewed, but the reviewer also missed the error, and it was included in the released version of OpenSSL."
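An added example, not code from this thread or from OpenSSL, of the missing length check the quoted article describes: a simplified heartbeat handler (assuming the RFC 6520 record layout of type, 2-byte payload length, payload, padding) that refuses a request whose declared payload length does not fit inside the record actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build a heartbeat response for the request in rec[0..rec_len).
 * Returns the number of bytes written to out, or -1 if the record is malformed.
 * The comparison against rec_len is the validation the article says was missed:
 * without it the peer-supplied length is trusted and memory past the record is echoed. */
int heartbeat_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3) return -1;                 /* not even a full header */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* Bounds check: header + declared payload + minimum padding must fit in what arrived. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;          /* caller's buffer too small */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);          /* echo only bytes the peer really sent */
    memset(out + 3 + payload, 0, HB_PADDING);   /* receiver must ignore padding; zero it here */
    return (int)resp_len;
}

int main(void)
{
    /* Constructed request claiming 0x4000 payload bytes while carrying only 5 */
    uint8_t bad[1 + 2 + 5 + 16] = {HB_REQUEST, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    int n = heartbeat_response(bad, sizeof bad, out, sizeof out);
    printf("oversized length rejected: %s\n", n < 0 ? "yes" : "no");
    return 0;
}
```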

Jibz:
http://xkcd.com/1354/

;D
