Heartbleed Question

I received an e-mail from Norton (internet security) about Heartbleed.

It included a link where you type in any web-site and you can see if that web-site could be affected by heartbleed.

I typed in BobIsTheOilGuy and see a message that says: Possibly. Can't tell.

Question: Have the Moderators on BobIsTheOilGuy ever said whether this web-site has been affected, or given it a clean bill of health?

I have 4 web-sites that were questionable.
1) Credit Card Co.
2) Tax.NY
3) Utility "Gas" Co.
4) BobIsTheOilGuy
 
This forum doesn't use HTTPS, so there's nothing being encrypted by SSL going on between here and your PC.
 
Originally Posted By: OVERKILL
This forum doesn't use HTTPS, so there's nothing being encrypted by SSL going on between here and your PC.


An unencrypted connection, from my perspective, is much, much worse than Heartbleed. Everyone is flipping out like the sky is falling because an OpenSSL vulnerability gave a malicious party the ability to get random data from a server's RAM; while an unencrypted connection like this one seems to expose your login credentials to anyone who'd like to take a peek!
 
Originally Posted By: uc50ic4more
Originally Posted By: OVERKILL
This forum doesn't use HTTPS, so there's nothing being encrypted by SSL going on between here and your PC.


An unencrypted connection, from my perspective, is much, much worse than Heartbleed. Everyone is flipping out like the sky is falling because an OpenSSL vulnerability gave a malicious party the ability to get random data from a server's RAM; while an unencrypted connection like this one seems to expose your login credentials to anyone who'd like to take a peek!


Pretty much. People freaking out about SSL should take a look at what information they put on the Internet through connections that are not encrypted.
 
Exactly, including their own email. Heartbleed was just a nice media panic. By the way, Overkill, did you happen to catch the Canada Revenue Agency's overreaction? Not only did they shut down the "My Account" thing for businesses and individuals, which does make sense, they also shut down their online calculators and the like, which don't use logins whatsoever.

Well, Canadian federal government computer techs have always been more comfortable with equipment running on vacuum tubes, so what can I say?
 
It appears Theo De Raadt is choosing to fork the OpenSSL code base and brand it LibreSSL, doing a little housecleaning in the process.

http://arstechnica.com/information-techn...-libressl-fork/

Quote:

When asked what he meant by OpenSSL containing "discarded leftovers," de Raadt said there were "Thousands of lines of VMS support. Thousands of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically."

There were also "thousands of lines of APIs that the OpenSSL group intended to deprecate 12 years or so ago and [are] still left alone."

De Raadt told ZDNet that his team has removed 90,000 lines of C code. "Even after all those changes, the codebase is still API compatible," he said. "Our entire ports tree (8,700 applications) continue to compile and work after all these changes."
 
Originally Posted By: uc50ic4more
Originally Posted By: OVERKILL
This forum doesn't use HTTPS, so there's nothing being encrypted by SSL going on between here and your PC.

An unencrypted connection, from my perspective, is much, much worse than Heartbleed. Everyone is flipping out like the sky is falling because an OpenSSL vulnerability gave a malicious party the ability to get random data from a server's RAM; while an unencrypted connection like this one seems to expose your login credentials to anyone who'd like to take a peek!


Heartbleed is a big deal if you presume a worst case, and that SSL was being used for a reason. But in the case of a discussion forum, like this one, I don't really worry about it being an open connection. If somebody steals my login credentials on a few discussion forums, I'd be annoyed but I'd shrug it off.
This is a good reason however that people shouldn't use the same passwords for casual forums as they use on more sensitive web sites.

Amazon and my DNS provider were the quickest to publicly respond. My bank reported that they don't use OpenSSL. The credit card companies were pretty muted about it though.
The DNS provider posted a good article explaining the issue in detail, and what to look for in gauging the response of other sites. As such I think they had the best response of anybody I deal with.
I could only sigh at the smoke from Obamacare, which told people to change their passwords while at the same time stating that no data had been compromised. The fact is that the nature of the exploit means they have no way of knowing if data was compromised or not. That's exactly the reason it's necessary for affected sites to change certificates and passwords. Declaring that nothing was exposed is a factually unsupportable statement.
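The bug class behind the two descriptions above (a heartbeat handler that reads past the bytes actually received, handing back whatever sat next to them in memory) next to the one-line fix, as an added example that is not from this thread or from OpenSSL. The record layout, the handler names, the in-process `server_memory` array standing in for the server's heap and the `SESSION=` placeholder secret are all constructed for the demo. It also shows why a site cannot say afterwards what was read: the vulnerable handler returns normally and records nothing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed heartbeat-style record (not OpenSSL's real layout):
 *   byte 0      : message type
 *   bytes 1..2  : claimed payload length, big-endian
 *   bytes 3..   : payload
 */
#define HB_HEADER_LEN 3

/* Stand-in for the server's heap: the received record sits at the start,
 * and whatever else the process had in memory follows it. Here that is a
 * constructed placeholder secret. */
static unsigned char server_memory[64];
static unsigned char response[65536];

static size_t load_record(const unsigned char *record, size_t record_len) {
    const char *secret = "SESSION=deadbeef;";   /* constructed placeholder value */
    memset(server_memory, 0, sizeof server_memory);
    memcpy(server_memory, record, record_len);
    memcpy(server_memory + record_len, secret, strlen(secret));
    return record_len;
}

static uint16_t claimed_len(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: echoes back as many bytes as the peer *claimed*
 * to send. Nothing compares the claim with rec_len, so the copy runs
 * past the record into adjacent memory, and the function returns
 * normally with nothing logged. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out) {
    (void)rec_len;                       /* the bug: never consulted */
    uint16_t n = claimed_len(rec);
    memcpy(out, rec + HB_HEADER_LEN, n);
    return n;
}

/* Fixed handler: a record whose claimed length exceeds what actually
 * arrived is discarded and nothing is sent back. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out) {
    if (rec_len < HB_HEADER_LEN)
        return 0;
    uint16_t n = claimed_len(rec);
    if ((size_t)n + HB_HEADER_LEN > rec_len)
        return 0;                        /* the length check that was missing */
    memcpy(out, rec + HB_HEADER_LEN, n);
    return n;
}

typedef size_t (*handler_fn)(const unsigned char *, size_t, unsigned char *);

/* One exchange: a constructed request that claims a 20-byte payload but
 * carries only the 4 bytes "ping". Returns the number of bytes the
 * handler would transmit and leaves them in `response`. */
static size_t exchange(handler_fn handler) {
    const unsigned char request[] = { 0x01, 0x00, 0x14, 'p', 'i', 'n', 'g' };
    size_t rec_len = load_record(request, sizeof request);
    size_t sent = handler(server_memory, rec_len, response);
    response[sent] = '\0';               /* terminate for strstr below */
    return sent;
}

size_t leaked_bytes_vulnerable(void) { return exchange(heartbeat_vulnerable); }
size_t leaked_bytes_fixed(void)      { return exchange(heartbeat_fixed); }

/* 1 if the most recent response carried the placeholder secret, else 0. */
int response_has_secret(void) {
    return strstr((const char *)response, "SESSION=") != NULL;
}

int main(void) {
    size_t n = leaked_bytes_vulnerable();
    printf("vulnerable: sent %zu bytes, secret leaked: %s\n",
           n, response_has_secret() ? "yes" : "no");
    n = leaked_bytes_fixed();
    printf("fixed:      sent %zu bytes, secret leaked: %s\n",
           n, response_has_secret() ? "yes" : "no");
    return 0;
}
```

Build with `cc -o heartbeat heartbeat.c && ./heartbeat`. The vulnerable path sends 20 bytes, 16 of which are the placeholder secret that followed the 7-byte request in memory; the fixed path sends nothing. The shape of the fix is the whole lesson: compare the length the peer claims against the number of bytes that actually arrived before copying anything.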
 
Originally Posted By: simple_gifts
It appears Theo De Raadt is choosing to fork the OpenSSL code base and brand it LibreSSL, doing a little of housecleaning in the process.

TdR's always been an interesting guy. Like RMS, very much a "my way or the highway" sort of attitude. Props to them for sticking to their guns, and it certainly benefits the community more (OpenSSH for instance) than it harms (all the drama around 'pf' and OpenNTPD). Good on them for taking on the code cleanup for OpenSSL.

As a side note, GnuTLS wasn't affected by Heartbleed.
 