[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
Joe Btfsplk
joebtfsplk at gmx.com
Tue Apr 8 18:02:01 UTC 2014
On 4/7/2014 6:14 PM, grarpamp wrote:
>> http://heartbleed.com/
>>
>> The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
>> cryptographic software library. This weakness allows stealing the
>> information protected, under normal conditions, by the SSL/TLS encryption
>> used to secure the Internet. SSL/TLS provides communication security and
>> privacy over the Internet for applications such as web, email, instant
>> messaging (IM) and some virtual private networks (VPNs).
>>
>> The Heartbleed bug allows anyone on the Internet to read the memory of the
>> systems protected by the vulnerable versions of the OpenSSL software. This
>> compromises the secret keys used to identify the service providers and to
>> encrypt the traffic, the names and passwords of the users and the actual
>> content. This allows attackers to eavesdrop on communications, steal data
>> directly from the services and users and to impersonate services and users.
> Patch your stuff.
Comments / suggestions from those w/ in-depth knowledge in this area?
How users should proceed; how to check if sites used (banks, email,
retail sites, etc.) were / still are affected, so one knows if & when to
change passwords or other data?

If the number of sites potentially affected is as large as indicated on
heartbleed.com, changing PW on even 60% of sites I use could take a long
time - even to do it once.

It would do little good to change a password on a site that hasn't
patched this.
Or perhaps it would do some good, to change the password before logging
out of a site? Then when a site must be accessed again, change the
password again.

Either way, this might not provide perfect safety, but might ? be better
than nothing.