Heartbleed Bug: Public urged to reset all passwords
pcernie
Legend
Joined: Sun Apr 26, 2009 12:30 pm Posts: 45931 Location: Belfast
|
_________________Plain English advice on everything money, purchase and service related:
http://www.moneysavingexpert.com/
|
Wed Apr 09, 2014 8:59 pm |
|
 |
cloaked_wolf
What's a life?
Joined: Thu Apr 23, 2009 8:46 pm Posts: 10022
|
_________________ He fights for the users.
|
Wed Apr 09, 2014 9:35 pm |
|
 |
pcernie
Legend
Joined: Sun Apr 26, 2009 12:30 pm Posts: 45931 Location: Belfast
|
If Joe Average wasn't confused before...
_________________Plain English advice on everything money, purchase and service related:
http://www.moneysavingexpert.com/
|
Wed Apr 09, 2014 9:40 pm |
|
 |
jonbwfc
What's a life?
Joined: Thu Apr 23, 2009 7:26 pm Posts: 17040
|
It's a crock. The vast majority of passwords DON'T MATTER. They serve an identification rather than authentication function. Why the blazes should I care if the government knows what my Instagram password is? What would they use it for? Changing the tags on my holiday snaps? Change the passwords to things which are actually important (banks, email accounts maybe) just in case, if you're feeling paranoid.
But changing every single password on every single web service you use? Regardless of its value or not as a target? It's more a waste of your own time than anything else. Because the basic fundamental point is nobody cares about the vast majority of the data you generate other than you.
Stop listening to the paranoid knob heads in the 'web security industry' and start thinking rationally for a second.
|
Wed Apr 09, 2014 9:51 pm |
|
 |
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|
Until the old certificates have been revoked and the server has been fixed, there is no point changing the password. At the moment, although one or two passwords might have been captured, the flaw only lets out a 64KB block of data, so maybe hundreds of usernames and passwords, not millions, will be leaked, but the SSL key will be leaked, which means the attacker can impersonate the affected site after the attack, using a man-in-the-middle attack or a DNS redirect attack (like Turkey before the elections) or DNS poisoning attacks.
Also, if the server is running Microsoft IIS webserver and not Apache, then it will be unaffected.
The Guardian article is also a little disingenuous: they talk about Yahoo! but they don't mention bigger sites that are affected, like Twitter, Facebook and Instagram.
_________________ "Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari
Executive Producer No Agenda Show 246
|
Thu Apr 10, 2014 3:59 am |
|
 |
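The "64KB block of data" in the post above comes from the TLS heartbeat extension: the peer states a 16-bit payload length, and the unpatched code copied that many bytes back without checking it against the size of the record it had actually received. The following C model, added here as an example and not OpenSSL's own source, places a constructed heartbeat record in a simulated memory buffer with a placeholder "private key" lying just after it, then runs an overstated request through both the unchecked handler and one carrying the bounds check the 1.0.1g patch added. All names (`heartbeat_vulnerable`, `heartbeat_fixed`, `build_record`) and the placeholder secret are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3        /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING 16       /* minimum padding required by RFC 6520 */
#define MEM_SIZE   70000    /* simulated memory: room for the largest 16-bit payload */
#define OUT_SIZE   65536

/* Simulated process memory (constructed for this example). The received
 * heartbeat record sits at offset 0; unrelated data, here a placeholder key,
 * follows it, as it would on a real heap. */
static unsigned char memory[MEM_SIZE];
static const char secret[] = "-----BEGIN PRIVATE KEY----- (constructed placeholder)";

/* Lay out a record whose length field claims `claimed` bytes but which
 * actually carries `actual` bytes of payload. Returns the true record length. */
static size_t build_record(uint16_t claimed, const char *payload, size_t actual) {
    memset(memory, 0, sizeof memory);
    memory[0] = 1;                               /* heartbeat_request */
    memory[1] = (unsigned char)(claimed >> 8);
    memory[2] = (unsigned char)(claimed & 0xff);
    memcpy(memory + HB_HEADER, payload, actual);
    size_t rec_len = HB_HEADER + actual + HB_PADDING;
    memcpy(memory + rec_len, secret, sizeof secret);   /* whatever sits next in memory */
    return rec_len;
}

/* Unchecked handler: copies as many bytes as the peer's length field asks for
 * and never compares that against the size of the record actually received. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    (void)rec_len;                               /* never consulted: this is the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + HB_HEADER, payload);       /* reads past the record when the length is overstated */
    return payload;
}

/* Fixed handler: the bounds check OpenSSL 1.0.1g added, discarding any record
 * whose claimed payload (plus header and padding) exceeds what was received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;                    /* too short to be a heartbeat */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > rec_len) return 0;  /* overstated length: drop it */
    memcpy(out, rec + HB_HEADER, payload);
    return payload;
}

/* Byte-string search that tolerates the zero bytes in the echoed padding. */
static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* A request claiming 200 payload bytes while carrying 4 ("ping"). */
size_t vulnerable_echo_len(void) {
    static unsigned char out[OUT_SIZE];
    size_t rec_len = build_record(200, "ping", 4);
    return heartbeat_vulnerable(memory, rec_len, out);   /* 200: 177 bytes beyond the 23-byte record */
}

/* 1 if the unchecked echo carries the placeholder key that lay after the record. */
int vulnerable_leaks_secret(void) {
    static unsigned char out[OUT_SIZE];
    size_t rec_len = build_record(200, "ping", 4);
    size_t n = heartbeat_vulnerable(memory, rec_len, out);
    return contains(out, n, "PRIVATE KEY");
}

size_t fixed_rejects_overstated(void) {
    static unsigned char out[OUT_SIZE];
    size_t rec_len = build_record(200, "ping", 4);
    return heartbeat_fixed(memory, rec_len, out);        /* 0: record discarded */
}

size_t fixed_accepts_honest(void) {
    static unsigned char out[OUT_SIZE];
    size_t rec_len = build_record(4, "ping", 4);
    return heartbeat_fixed(memory, rec_len, out);        /* 4: echoes exactly the bytes sent */
}

int main(void) {
    printf("unchecked handler echoed %zu bytes, placeholder key leaked: %s\n",
           vulnerable_echo_len(), vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler: overstated record -> %zu bytes, honest record -> %zu bytes\n",
           fixed_rejects_overstated(), fixed_accepts_honest());
    return 0;
}
```

Because the length field is 16 bits, each overstated request can pull back at most 65535 bytes, which is the "64KB" ceiling mentioned above; what those bytes contain depends entirely on what happened to sit next to the record in the process's memory, which is why passwords were hit or miss while long-lived data such as the server's private key turned up repeatedly. The fix is the single comparison in `heartbeat_fixed`: a record is only answered when the length it claims fits inside the length that actually arrived.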
paulzolo
What's a life?
Joined: Thu Apr 23, 2009 6:27 pm Posts: 12251
|
Got an email from IFTTT today telling me that I've been logged out of my account on my iPhone app, and to reset it next time I log in.
I really don't want to go through every single password I have and change it. I'll lose a weekend to that thankless task.
|
Thu Apr 10, 2014 11:28 am |
|
 |
pcernie
Legend
Joined: Sun Apr 26, 2009 12:30 pm Posts: 45931 Location: Belfast
|
Yeah, Pinterest emailed me (only signed up for details about a watch that showed in an image search ffs, who actually uses that service?). ION... Heartbleed programmer: Sorry, my bad http://www.techradar.com/news/internet/ ... d--1241710
That 'mistakes missed at multiple levels' thing is partly why I have little faith in climate calculations.
_________________Plain English advice on everything money, purchase and service related:
http://www.moneysavingexpert.com/
|
Fri Apr 11, 2014 3:03 pm |
|
 |
paulzolo
What's a life?
Joined: Thu Apr 23, 2009 6:27 pm Posts: 12251
|
Hmm.... I wonder about open source software at times. People like to point out the fact that it’s peer reviewed, checked, and that bugs are traceable to individuals. I have this image in my mind (which I know is erroneous) of keen amateurs poking around with code because they can, not because they are paid to do so, but somehow this is “OK”.
|
Fri Apr 11, 2014 3:17 pm |
|
 |
jonbwfc
What's a life?
Joined: Thu Apr 23, 2009 7:26 pm Posts: 17040
|
While the 'motivated amateur' might be true of the smaller stuff, it's not true of OpenSSL or its ilk. Stuff like that - crypto, basically - is mostly done by scientists and serious engineers. This is genuinely tricky stuff; I know people much smarter than me who really struggle to get a handle on the maths of crypto, let alone be able to review the code which relies on that maths. You can't just pick this stuff up, you have to have the right mind for it in the first place and then you pretty much have to do it full time to keep up. I agree in one sense though - there's a dogmatic principle in some open source circles that peer review and open access to source by definition means the code produced is more efficient, reliable, secure etc etc etc. This rather blows that out of the water. If an open source product which is this ubiquitous and this important can have this bug in it for years, the whole rationale that 'open is better' has to be subject to question.
|
Fri Apr 11, 2014 9:04 pm |
|
 |
timark_uk
Moderator
Joined: Thu Apr 23, 2009 6:11 pm Posts: 12143 Location: Belfast
|
|
Sat Apr 12, 2014 12:29 am |
|
 |
pcernie
Legend
Joined: Sun Apr 26, 2009 12:30 pm Posts: 45931 Location: Belfast
|
NSA Said to Exploit Heartbleed Bug for Intelligence for Years http://www.bloomberg.com/news/2014-04-1 ... umers.html
Yet another potential instance of, 'Who cares about the plebs? The 'game' continues!'. Morons. This is supposed to be a continually updated list of what sites are vulnerable or not. https://github.com/musalbas/heartbleed- ... 300UTC.txt
_________________Plain English advice on everything money, purchase and service related:
http://www.moneysavingexpert.com/
|
Sat Apr 12, 2014 2:10 pm |
|
 |
ProfessorF
What's a life?
Joined: Thu Apr 23, 2009 7:56 pm Posts: 12030
|
1Password is having a 50% off sale at the moment in light of this.
|
Sat Apr 12, 2014 2:29 pm |
|
 |
jonlumb
Spends far too much time on here
Joined: Thu Apr 23, 2009 6:44 pm Posts: 4141 Location: Exeter
|
It would also appear that people need to update security certificates as well as OpenSSL as it's been possible to obtain private SSL keys using the flaw: http://www.theverge.com/us-world/2014/4 ... urity-keys
_________________ "The woman is a riddle inside a mystery wrapped in an enigma I've had sex with."
|
Sat Apr 12, 2014 3:19 pm |
|
 |
big_D
What's a life?
Joined: Thu Apr 23, 2009 8:25 pm Posts: 10691 Location: Bramsche
|
That was the main point of the OpenSSL bug: it leaked the private keys, so every site needs to get a new certificate. The key was leaked nearly every time the exploit was used; usernames and passwords were hit or miss, depending on whether they would be in the 64KB of memory at all.
That is also why you should turn on revoked certificate checking, stupid though it is that Mozilla seem to have removed the checking a couple of versions ago!
_________________ "Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari
Executive Producer No Agenda Show 246
|
Sat Apr 12, 2014 3:34 pm |
|
 |
jonbwfc
What's a life?
Joined: Thu Apr 23, 2009 7:26 pm Posts: 17040
|
There does seem to be discussion as to how easy it is to grab private keys using Heartbleed, and it's a topic under active investigation. See the article here, which was contradicted within 4 hours of being published! It's quite a good explanation of how Heartbleed works, into the bargain.
|
Sat Apr 12, 2014 7:25 pm |
|