[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL

Joe Btfsplk joebtfsplk at gmx.com
Tue Apr 8 18:02:01 UTC 2014

On 4/7/2014 6:14 PM, grarpamp wrote:
>> http://heartbleed.com/
>> The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
>> cryptographic software library. This weakness allows stealing the
>> information protected, under normal conditions, by the SSL/TLS encryption
>> used to secure the Internet. SSL/TLS provides communication security and
>> privacy over the Internet for applications such as web, email, instant
>> messaging (IM) and some virtual private networks (VPNs).
>> The Heartbleed bug allows anyone on the Internet to read the memory of the
>> systems protected by the vulnerable versions of the OpenSSL software. This
>> compromises the secret keys used to identify the service providers and to
>> encrypt the traffic, the names and passwords of the users and the actual
>> content. This allows attackers to eavesdrop communications, steal data
>> directly from the services and users and to impersonate services and users.
> Patch your stuff.
Comments / suggestions from those w/ in depth knowledge in this area?  
How users should proceed; how to check if sites used (banks, email, 
retail sites, etc.) were / still are affected, so one knows if & when to 
change passwords or other data?

If the number of sites potentially affected is as large as indicated on 
heartbleed.com, changing PW on even 60% of sites I use could take a long 
time - even to do it once.

It would do little good to change a password on a site that hasn't 
patched this.
Or perhaps it would do some good, to change the password before logging 
out of a site?  Then when a site must be accessed again, change the 
password again.

Either way, this might not provide perfect safety, but might ? be better 
than nothing.

More information about the tor-talk mailing list