
Are your websites secure? The heartbleed bug


Stoic Joker:
I'm a bit torn by that techdirt article.

I'm a huge fan of techdirt, but I've also written glowingly of StartCom.-mouser (April 10, 2014, 05:42 AM)
--- End quote ---

You sold me on StartCom back then, and I still use/like them (thanks for the tip!).

Using StartCom is a decidedly unpleasant experience -- the website is a throwback to the worst days of the web, and the entire process is frustrating and confusing.-mouser (April 10, 2014, 05:42 AM)
--- End quote ---

I do make a point of not being in a hurry when dealing with their site for this exact reason; the site flows about as smoothly as a cement mixer.

Nevertheless, the price and service are remarkable compared to the alternatives I've found. The SSL certificate industry as a whole feels like it's designed to leech money out of you like a vampire -- and like a club where only the rich can afford to be secure.-mouser (April 10, 2014, 05:42 AM)
--- End quote ---

I've never been a real fan of SSL (or encryption in general for that matter). It has always struck me as a magic bullet sales gimmick that encourages bad habits.

StartCom always struck me as a little independent outfit run by one guy who was doing much of it on his own with a small margin. If so, I think it's unfair to attack them as being corporate bigwigs profiting off the backs of tragedy -- and instead view it as a situation where they may simply not have the profit margin to provide so much help for free.

I really don't see a fundamental problem with charging people a "reasonable" amount to handle certificate revocation.  Just my 2 cents.

When these big giant corporations are ripping people off hand over fist and rolling in money, they can afford to be generous in situations like this and benefit from the public relations coup. But if you turn to a small independent low-profit-margin SSL certificate service, I think it's unreasonable to expect them to be able to eat such costs.
-mouser (April 10, 2014, 05:42 AM)
--- End quote ---

From what I saw on a quick skim, they only want $25 for the revoke/reissue flip ... I really don't have a problem with them covering their costs for a spike in workload. Sure, superficially it sounds like an easy task... but it still takes time. And the people whose time it takes don't come cheap.

Deozaan:
LastPass will check your passwords to see if they're potentially affected by the HeartBleed vulnerability.

Yesterday we informed our community of the Heartbleed OpenSSL bug. In our blog post, we explained how this security issue impacted our service and what our users should know about the situation. We also built a tool to help our users start checking to see if their sites and services had reissued their certificates, so that users would know if it was safe to start updating passwords for those sites: https://lastpass.com/heartbleed

To help our users take action and protect themselves in the wake of Heartbleed, we've added a feature to our Security Check tool. LastPass users can now run the LastPass Security Check to automatically see if any of their stored sites and services were 1) Affected by Heartbleed, and 2) Should update their passwords for those accounts at this time.

The LastPass Security Check can be run from the LastPass Icon menu. Click the LastPass icon in the browser toolbar, click the Tools menu, and select the Security Check.

In the Security Check results, we alert you to sites affected by Heartbleed:

-http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html
--- End quote ---
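
The reissue check described in the LastPass post, as an added Go example that is not part of this thread or of LastPass's own code: it parses a PEM certificate, compares its NotBefore date with the 7 April 2014 Heartbleed disclosure date, and combines that with whether the site was affected (assumed here to be supplied by the caller from an external list) to decide whether changing the stored password now is useful. The self-signed certificates are constructed sample data, not any real site's certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Public disclosure date of Heartbleed (CVE-2014-0160): 7 April 2014.
var heartbleedDisclosed = time.Date(2014, time.April, 7, 0, 0, 0, 0, time.UTC)
// assessPEM answers the two questions the LastPass check asks about one site: was its
// certificate reissued after disclosure, and should the stored password be rotated now?
// `affected` (the site ran a vulnerable OpenSSL) is an assumption supplied by the caller.
func assessPEM(certPEM []byte, affected bool) (reissued, rotateNow bool, err error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, false, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, false, err
	}
	reissued = cert.NotBefore.After(heartbleedDisclosed)
	// A new password sent to a site still using the leaked key could be exposed again,
	// so rotation is only advised once the certificate has been replaced.
	return reissued, affected && reissued, nil
}

// selfSignedPEM builds a constructed sample certificate with the given NotBefore (test data only).
func selfSignedPEM(notBefore time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	for _, nb := range []time.Time{heartbleedDisclosed.AddDate(0, -3, 0), heartbleedDisclosed.AddDate(0, 0, 2)} {
		reissued, rotate, err := assessPEM(selfSignedPEM(nb), true)
		fmt.Println(nb.Format("2006-01-02"), "reissued:", reissued, "rotate now:", rotate, "err:", err)
	}
}
```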

SeraphimLabs:
http://www.usatoday.com/story/tech/2014/04/11/heartbleed-cisco-juniper/7589759/

Reports coming in from unconfirmed sources that the NSA has been utilizing Heartbleed for years.

Of course, I have to say I totally saw this coming. This is the kind of massive security breach that would explain their uncanny ability to get into any system anywhere at any time. A simple exercise in spreading disinformation to seed people's trust in the affected library and cover up the flaw would allow them to preserve it for so many years unnoticed.

Which means that all those people concealing their activities using SSH, Tor, and proxies? Yeah. The NSA was way ahead of them.

Deozaan:
Reports coming in from unconfirmed sources that the NSA has been utilizing Heartbleed for years.

Of course, I have to say I totally saw this coming. This is the kind of massive security breach that would explain their uncanny ability to get into any system anywhere at any time. A simple exercise in spreading disinformation to seed people's trust in the affected library and cover up the flaw would allow them to preserve it for so many years unnoticed.

Which means that all those people concealing their activities using SSH, Tor, and proxies? Yeah. The NSA was way ahead of them.-SeraphimLabs (April 11, 2014, 03:21 PM)
--- End quote ---

And if they allowed this vulnerability to be revealed now, what even better trick do they have up their sleeves? :o

:P ;)

app103:
It's not just websites that are vulnerable.

OpenSSL, in which the bug, known as Heartbleed, was found, is widely used in software that connects devices in homes, offices, and industrial settings to the Internet. The Heartbleed flaw could live on for years in devices like networking hardware, home automation systems, and even critical industrial-control systems, because they are infrequently updated.

Network-connected devices often run a basic Web server to let an administrator access online control panels. In many cases, these servers are secured using OpenSSL and their software will need updating, says Philip Lieberman, president of security company Lieberman Software. However, this is unlikely to be a priority. “The manufacturers of these devices will not release patches for the vast majority of their devices, and consumers will patch an insignificant number of devices.”

Cable boxes and home Internet routers are just two of the major classes of devices likely to be affected, says Lieberman. “ISPs now have millions of these devices with this bug in them,” he says.

The same issue likely affects many companies, because plenty of enterprise-grade network hardware and industrial and business automation systems also rely on OpenSSL, and those devices are also rarely updated. Large-scale scans of Internet addresses have previously uncovered hundreds of thousands of devices, ranging from IT equipment to traffic control systems, that are improperly configured or have not been updated to patch known flaws (see “What Happened When One Man Pinged the Whole Internet”).

“Unlike servers being patched by armies of corporate IT staff, these Internet-enabled devices with vulnerable OpenSSL parts aren’t going to be getting the attention they may need,” says Jonathan Sander, strategy and research officer for STEALTHbits Technologies, which helps companies manage and track data access and leaks. “OpenSSL is like a faulty engine part that’s been used in every make and model of car, golf cart, and scooter.”
--- End quote ---

http://www.technologyreview.com/news/526451/many-devices-will-never-be-patched-to-fix-heartbleed-bug/
