[tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
Joe Btfsplk
joebtfsplk at gmx.com
Wed Apr 9 16:57:12 UTC 2014
On 4/8/2014 5:24 PM, Joe Btfsplk wrote:
> On 4/8/2014 4:25 PM, grarpamp wrote:
>>
>> https://blog.torproject.org/ covers what to do for Tor things.
>>
>> For everything else on the net, fix the clients and servers you're
>> responsible for. Then...
>>
>> You're right, there's a big gotcha in all this, users won't really know if
>> the services they interact with have been fixed [1] because huge swaths
>> of services simply don't publish what they do on their pages, they bury
>> it to keep quiet and shiny happy sites. Only some banks, insurers, utilities,
>> schools, etc will post "we're fixed" anywhere remotely prominent. So
>> you have to trust they did [2], which is a reasonable assumption given
>> regulation and liability of big institutional services. You should already have
>> a regular password changing/logout/session management regimen, so
>> inserting some extra instances of that along guesstimates of [2] should
>> suffice with these classes of service.
>> [2] Sometime during the falloff curve starting yesterday afternoon.
>>
>> The real user risk is likely on mid to small services, embedded things, shared
>> platforms, legacy systems, services that didn't get the news, don't have
>> the resources or knowledge to fix, etc. Again, consider some form of
>> reasonable regimen.
>>
>> And there are all sorts of tools and site testing services coming out
>> now for which a brave user might be completely warranted in using to
>> determine [1 above] so they know when to utilize [regimen 2].
>> (Far better to use a testing service or email their help desks seeking
>> a positive statement than risk being potentially considered an exploiter
>> of things you don't own.)
>>
>> Partial list...
>>
>> http://s3.jspenguin.org/ssltest.py
>> https://gist.github.com/takeshixx/10107280
>> https://github.com/FiloSottile/Heartbleed
>> https://www.ssllabs.com/ssltest/index.html
>> (Note, this is a TLS in process bug, so more than HTTP/S services are
>> affected...)
>>
>> This bug will no doubt trigger some thinking, analysis and change in
>> the services,
>> security, infrastructure and user communites... that's a good thing.
> Thanks. Adding one more heartbleed vulnerability site I tried:
> http://rehmann.co/projects/heartbeat/?domain=
>
> It seemed to work (though tough to qualify results). It came back
> showing my bank was *still vulnerable* (not surprising).
> So, made a payment over the phone instead of using their bill pay system
> (this should probably be taken this seriously, but some won't).
>
> I checked a few other major sites at the rehmann link - it showed them
> as OK.
>
> *"So you have to trust they did..."*
>
> When something like this comes along, you shouldn't ASS-U-ME anything,
> or your ass may regret it. :)
> Hard to imagine any reasonably large financial instit. NOT having a
> prominent banner on all main pages,
> "We have (have not) fixed the openSSL issue. Customers can (should not)
> now do online banking." But not a peep.
UPDATE: Users should not assume that by now, their bank / other HTTPS
sites have patched the OpenSSL software.
Use one of the check sites, to see if a domain / server is still
vulnerable to heartbleed bug.
As of late morning, 4/9/14, one of my banks (takes > 1 to hold all my $
:D) still hasn't patched it.
They have no warning on their site about it & apparently aren't
restricting user login to access acct info or online bill pay.
They're not cautioning users to be alert for suspicious activity in
their acct.
More information about the tor-talk
mailing list