  #1  
Old 10-04-2014, 08:03 AM
Starless (Brian)
Registered User

Join Date: Mar 2008
Location: Adelaide
Posts: 160
Yet another MAJOR internet security flaw

This is of some concern as it is not something the individual user can do anything about.

http://www.abc.net.au/news/2014-04-1...penssl/5379604
  #2  
Old 10-04-2014, 08:13 AM
mithrandir (Andrew)
Registered User

Join Date: Jan 2009
Location: Glenhaven
Posts: 4,161
Quote:
Originally Posted by Starless
This is of some concern as it is not something the individual user can do anything about.
True you can't do anything about other people's sites, but at least you might be able to secure your own. I don't use a vulnerable version of openssl.
  #3  
Old 10-04-2014, 10:41 AM
michaellxv (Michael)
Registered User

Join Date: Oct 2009
Location: Adelaide, Australia
Posts: 1,581
Be careful

Just got my first email since this bug went public from a site requesting me to verify my details etc.
Problem is that it is rather well constructed but does not look entirely legit. Be warned yet again, don't click on the email links and type a known address into your browser or use your saved links.
  #4  
Old 10-04-2014, 12:27 PM
AstralTraveller (David)
Registered User

Join Date: Mar 2008
Location: Wollongong
Posts: 3,766
I don't know why anyone is surprised. After all, it is Open SSL.

So, what sort of passwords should I reset? Paypal? Ebay? Gmail?
  #5  
Old 10-04-2014, 12:51 PM
Astro_Bot
Registered User

Join Date: Jun 2012
Location: Brisbane
Posts: 1,605
Quote:
Originally Posted by AstralTraveller
So, what sort of passwords should I reset? Paypal? Ebay? Gmail?
No, they were fine. Yahoo was mentioned, but I'm not sure of that myself. Some sites have been reported as fixed already (it's just a patch to OpenSSL that's needed).

I tested about 25 HTTPS sites yesterday for the vulnerability - these are sites I use that have a "secure" logon or such - and only one was vulnerable, and it was a small, obscure shopping site.
  #6  
Old 10-04-2014, 01:03 PM
RickS (Rick)
PI cult recruiter

Join Date: Apr 2010
Location: Brisbane
Posts: 10,584
Quote:
Originally Posted by Astro_Bot
Some sites have been reported as fixed already (it's just a patch to OpenSSL that's needed).
Also revocation and replacement of each site's X.509 certificate in case the private key was compromised during the approximately two years that this vulnerability has been around.
  #7  
Old 10-04-2014, 01:08 PM
The_bluester (Paul)
Registered User

Join Date: Feb 2011
Location: Kilmore, Australia
Posts: 3,342
Actually, a list I saw yesterday had Gmail (all of the Google stuff, actually) as a "Possibly". We can only wait and see if they report as having had to fix themselves, I suppose.
  #8  
Old 10-04-2014, 01:40 PM
Astro_Bot
Registered User

Join Date: Jun 2012
Location: Brisbane
Posts: 1,605
I saw a blog post that Google/Gmail was affected, but I tested them yesterday - all good. They must have been quick.

@RickS: Technically, that's only if the site was compromised - that's what I was thinking, even if it didn't come across that way (I haven't had my coffee yet) - but as there's no way to know for sure, then it's wise to do certificates, keys and passwords (including user passwords on those sites).

This sounds like it's as big as the DNS spoofing bug of 2008.
  #9  
Old 10-04-2014, 02:04 PM
Astro_Bot
Registered User

Join Date: Jun 2012
Location: Brisbane
Posts: 1,605
Ah, finally, a list of affected sites, which was posted only 4 hours ago.

There will be other sites affected (there are, after all, millions of websites around the world). As mentioned, I found one small shopping site I use was affected, so I sent them an e-mail.
  #10  
Old 10-04-2014, 02:14 PM
Steffen
Ebotec Alpeht Sicamb

Join Date: Feb 2010
Location: Toongabbie, NSW
Posts: 1,965
A lot of sites have been patched in the last 24 hours; however, the vulnerability has been around for over two years. There is no way of knowing who's been exploiting it and for what purpose.

Cheers
Steffen.
  #11  
Old 10-04-2014, 03:30 PM
Astro_Bot
Registered User

Join Date: Jun 2012
Location: Brisbane
Posts: 1,605
More useful information slowly coming in - this article published within the last hour: How to avoid 'Heartbleed' heartache

Particularly this bit - the top 1000 sites and their test results: Heartbleed mass test - top 1000
All times are GMT +10. The time is now 09:43 AM.
