topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Sunday December 8, 2024, 7:37 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Are your websites secure? The heartbleed bug  (Read 23226 times)

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: Are your websites secure? The heartbleed bug
« Reply #25 on: April 14, 2014, 01:34 AM »
Passwords, hmm? I never got motivated enough to get into those password vault programs - I just wanted the world to have at least a little simplicity. So I might just put a 1 onto the end of them all.


Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Are your websites secure? The heartbleed bug
« Reply #26 on: April 14, 2014, 03:37 AM »
This is a fantastic article:

http://falkvinge.net...-nsa-than-to-fix-it/

The NSA has an entire budget devoted to doing just this: “$1.6 billion a year on data processing and exploitation, more than a thousand times the annual budget of the OpenSSL project” reports The Verge. Their prime directive is to find bugs, keep them quiet, and exploit them for their own gain (sorry, “national security”). OpenSSL’s volunteers, on the other hand, need jobs to feed their families. As much as they might want to, they don’t have the time to devote the effort needed to make sure their code is rock-solid. And apparently, neither do its users. It took a Google employee two years to discover Heartbleed, despite the fact that they’re a multi-billion dollar corporation that depends on the integrity of things like OpenSSL. Evidently, though, it’s still not cost-effective to have dedicated teams keeping an eye on the code.

But then he goes full commie and it goes to pot. But still... a good read.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: Are your websites secure? The heartbleed bug
« Reply #27 on: April 16, 2014, 07:37 PM »
For reference, here's a page from Sparkfun regarding their response along with informing users of what they ought to do:

  https://www.sparkfun.com/news/1455

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: Are your websites secure? The heartbleed bug
« Reply #28 on: May 01, 2014, 10:54 AM »
Just ran across this code level walkthrough of the Heartbleed Bugg

Update:

Below is what we thought as of 12:27pm UTC. To verify our belief we crowd sourced the investigation. It turns out we were wrong. While it takes effort, it is possible to extract private SSL keys. The challenge was solved by Software Engineer Fedor Indutny and Ilkka Mattila at NCSC-FI roughly 9 hours after the challenge was first published. Fedor sent 2.5 million requests over the course of the day and Ilkka sent around 100K requests. Our recommendation based on this finding is that everyone reissue and revoke their private keys. CloudFlare has accelerated this effort on behalf of the customers whose SSL keys we manage. You can read more here.
-The Article

Read the rest here: Answering the Critical Question: Can You Get Private SSL Keys Using Heartbleed?

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: Are your websites secure? The heartbleed bug
« Reply #29 on: April 10, 2015, 04:02 AM »
Doesn't sound like good news:

  https://www.venafi.c...-Research-Report.pdf