Hella scary OpenSSL Vulnerability

Backblaze: Cloud backup plans | New Zealand Broadband plans and prices | AliExpress | MightyApe | Amazon (affiliate link)

Welcome Guest.

You haven't logged in yet. If you don't have an account you can register now.

Forums › IT Pro and developers › Hella scary OpenSSL Vulnerability

ubergeeknz

3344 posts

Uber Geek

Trusted

Vocus

# 143260 8-Apr-2014 14:09

"We attacked ourselves from outside, without leaving a trace," they wrote. "Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

Think about this - silent theft of private keys. The implications on being able to trust SSL certs are huge even after this vuln is patched.

Links: http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

http://threatpost.com/openssl-fixes-tls-vulnerability/105300

http://www.openssl.org/news/vulnerabilities.html#2014-0160

muppet

2181 posts

Uber Geek

Trusted

# 1020653 8-Apr-2014 14:24

2 people support this post

Yes, I've spent the morning patching my Debian systems and generating new certificates.
Good ol' Crypto.

Lias

3945 posts

Uber Geek

Trusted

Lifetime subscriber

# 1020664 8-Apr-2014 14:31

3 people support this post

If you assume that at least one malicious state actor (Russia, USA, China) has has access to this for some time, it becomes utterly terrifying.

Information wants to be free. The Net interprets censorship as damage and routes around it.

hio77

'That VDSL Cat'
11510 posts

Uber Geek

Trusted

Spark

Subscriber

# 1020710 8-Apr-2014 14:58

not the best news... yay for spending the day updating and checking machines!

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

Noodles

478 posts

Ultimate Geek

# 1020742 8-Apr-2014 15:54

2 people support this post

Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/

ubergeeknz

3344 posts

Uber Geek

Trusted

Vocus

# 1020747 8-Apr-2014 15:59

Noodles: Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/

Seems to be slammed though

hio77

'That VDSL Cat'
11510 posts

Uber Geek

Trusted

Spark

Subscriber

# 1020751 8-Apr-2014 16:06

Noodles: Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/

handy tool, as assumed, all clear on my machines!

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

wasabi2k

2092 posts

Uber Geek

# 1020755 8-Apr-2014 16:16

Only affects OpenSSL 1.01 -> 1.01f

Anyone running Netscalers - they are running 0.9.7b.

rphenix

897 posts

Ultimate Geek

Subscriber

# 1020792 8-Apr-2014 17:13

muppet: Yes, I've spent the morning patching my Debian systems and generating new certificates.
Good ol' Crypto.

+1 to that. Spent most of this afternoon updating systems.

Lias

3945 posts

Uber Geek

Trusted

Lifetime subscriber

# 1021040 9-Apr-2014 09:49

2 people support this post

Ouch.. Just checked the websites of the various financial institutes I have accounts with.. 2 out of 6 are vulnerable.

Information wants to be free. The Net interprets censorship as damage and routes around it.

lchiu7

5212 posts

Uber Geek

Trusted

# 1021186 9-Apr-2014 13:33

I'm guessing if Google found it then most of the Google servers are okay!

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/rooms/32019730 Mention GZ to get a 10% discount

System One: Popcorn Hour A200, PS3 SuperSlim, NPVR and Plex Server running on Gigabyte Brix (Windows 10 Pro), Sony BDP-S390 BD player, Pioneer AVR, Raspberry Pi running Kodi and Plex, Panasonic 60" 3D plasma, Google Chromecast

System Two: Popcorn Hour A200 , Oppo BDP-80 BluRay Player with hardware mode to be region free, Vivitek HD1080P 1080P DLP projector with 100" screen, Denon AVRS730H 7.2 Channel Dolby Atmos/DTS-X AV Receiver, Samsung 4K player, Google Chromecast, Odroid C2 running Kodi and Plex

nathan

5256 posts

Uber Geek

Trusted

Microsoft

# 1022181 9-Apr-2014 13:59

2 people support this post

you can't just patch, you need to patch, revoke the certs and reissue them to be sure no one has your private keys

OUCH

freitasm

BDFL - Memuneh
65308 posts

Uber Geek

Administrator

Trusted

Geekzone

Lifetime subscriber

# 1022184 9-Apr-2014 14:06

You can also use https://www.ssllabs.com/ssltest/ to test.

Lias

3945 posts

Uber Geek

Trusted

Lifetime subscriber

# 1022294 9-Apr-2014 17:23

nathan: you can't just patch, you need to patch, revoke the certs and reissue them to be sure no one has your private keys

OUCH

And assume all your users need to change passwords just to be safe.

Information wants to be free. The Net interprets censorship as damage and routes around it.

Twitter and LinkedIn »

Follow us to receive Twitter updates when new discussions are posted in our forums:

Follow @geekzonenzforum

Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:

Follow @geekz1

Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:

Follow @geekzoneprices

News »

Vodafone integrates eSIM into device and wearable roadmap
Posted 17-Jan-2020 09:45

Do you need this camera app? Group investigates privacy implications
Posted 16-Jan-2020 03:30

JBL launches headphones range designed for gaming
Posted 13-Jan-2020 09:59

Withings introduces ScanWatch wearable combining ECG and sleep apnea detection
Posted 9-Jan-2020 18:34

NZ Police releases public app
Posted 8-Jan-2020 11:43

Suunto 7 combine sports and smart features on new smartwatch generation
Posted 7-Jan-2020 16:06

Intel brings innovation with technology spanning the cloud, network, edge and PC
Posted 7-Jan-2020 15:54

AMD announces high performance desktop and ultrathin laptop processors
Posted 7-Jan-2020 15:42

AMD unveils four new desktop and mobile GPUs including AMD Radeon RX 5600
Posted 7-Jan-2020 15:32

Consolidation in video streaming market with Spark selling Lightbox to Sky
Posted 19-Dec-2019 09:09

Intel introduces cryogenic control chip to enable quantum computers
Posted 10-Dec-2019 21:32

Vodafone 5G service live in four cities
Posted 10-Dec-2019 08:30

Samsung Galaxy Fold now available in New Zealand
Posted 6-Dec-2019 00:01

NZ company oDocs awarded US$ 100,000 Dubai World Expo grant
Posted 5-Dec-2019 16:00

New Zealand Rugby Selects AWS-Powered Analytics for Deeper Game Insights
Posted 5-Dec-2019 11:33

Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.

RSS feeds: Main feed; Forums feed; Free whitepapers

Site features: Geekzone Badges; Geekzone Slack channel; Geekzone on Twitter
Status: Geekzone Status; Geekzone Dashboard

Geekzone offers: Switch your broadband with Geekzone; Amazon orders (Kindle, books, everything); MightyApe orders; Free whitepapers; Payoneer card

Site Information: Subscribe to Geekzone; Privacy Statement; Forum Usage Guidelines (FUG); Advertising on Geekzone; Trademark and copyright

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.