Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsIT Pro and developersHella scary OpenSSL Vulnerability


Fully Operational
3342 posts

Uber Geek
+1 received by user: 1087

Trusted
Vocus
Subscriber

Topic # 143260 8-Apr-2014 14:09
Send private message

"We attacked ourselves from outside, without leaving a trace," they wrote. "Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

Think about this - silent theft of private keys.  The implications on being able to trust SSL certs are huge even after this vuln is patched.

Links: http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

http://threatpost.com/openssl-fixes-tls-vulnerability/105300

http://www.openssl.org/news/vulnerabilities.html#2014-0160

Create new topic
1833 posts

Uber Geek
+1 received by user: 587

Trusted

  Reply # 1020653 8-Apr-2014 14:24
2 people support this post
Send private message

Yes, I've spent the morning patching my Debian systems and generating new certificates.
Good ol' Crypto.

2738 posts

Uber Geek
+1 received by user: 1407

Subscriber

  Reply # 1020664 8-Apr-2014 14:31
3 people support this post
Send private message

If you assume that at least one malicious state actor (Russia, USA, China) has has access to this for some time, it becomes utterly terrifying.




Information wants to be free. The Net interprets censorship as damage and routes around it.

 

Thinking about signing up to BigPipe? Get $20 credit with my referral link.

 
 
 
 


'That VDSL Cat'
6425 posts

Uber Geek
+1 received by user: 1226

Trusted
Spark
Subscriber

  Reply # 1020710 8-Apr-2014 14:58
Send private message

not the best news... yay for spending the day updating and checking machines!




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

457 posts

Ultimate Geek
+1 received by user: 83


  Reply # 1020742 8-Apr-2014 15:54
2 people support this post
Send private message

Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/



Fully Operational
3342 posts

Uber Geek
+1 received by user: 1087

Trusted
Vocus
Subscriber

  Reply # 1020747 8-Apr-2014 15:59
Send private message

Noodles: Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/


Seems to be slammed though

'That VDSL Cat'
6425 posts

Uber Geek
+1 received by user: 1226

Trusted
Spark
Subscriber

  Reply # 1020751 8-Apr-2014 16:06
Send private message

Noodles: Cool tool to check whether servers are vulnerable: http://filippo.io/Heartbleed/


handy tool, as assumed, all clear on my machines!




#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

2090 posts

Uber Geek
+1 received by user: 848


  Reply # 1020755 8-Apr-2014 16:16
Send private message

Only affects OpenSSL 1.01 -> 1.01f

Anyone running Netscalers - they are running 0.9.7b.

786 posts

Ultimate Geek
+1 received by user: 32

Subscriber

  Reply # 1020792 8-Apr-2014 17:13
Send private message

muppet: Yes, I've spent the morning patching my Debian systems and generating new certificates.
Good ol' Crypto.

+1 to that.  Spent most of this afternoon updating systems.

2738 posts

Uber Geek
+1 received by user: 1407

Subscriber

  Reply # 1021040 9-Apr-2014 09:49
2 people support this post
Send private message

Ouch.. Just checked the websites of the various financial institutes I have accounts with.. 2 out of 6 are vulnerable. 




Information wants to be free. The Net interprets censorship as damage and routes around it.

 

Thinking about signing up to BigPipe? Get $20 credit with my referral link.

4680 posts

Uber Geek
+1 received by user: 72

Trusted

  Reply # 1021186 9-Apr-2014 13:33
Send private message

I'm guessing if Google found it then most of the Google servers are okay!




System One: Popcorn Hour A200,  PS3 SuperSlim, NPVR running on Gigabyte Brix, Sony BDP-S390 BD player, Logitech Revue, Pioneer AVR, Panasonic 60" 3D plasma

System Two: Popcorn Hour A200 ,  Oppo BDP-80 BluRay Player with hardware mode to be region free, Vivitek HD1080P 1080P DLP projector with 100" screen. Harman Kardon HK AVR 254 7.1 receiver, Toshiba HD-A2 HD-DVD player, Samsung 4K player

 


My Google+ page 

 

 

 

https://plus.google.com/+laurencechiu

 

 

4935 posts

Uber Geek
+1 received by user: 1314

Trusted
Microsoft

  Reply # 1022181 9-Apr-2014 13:59
2 people support this post
Send private message

you can't just patch, you need to patch, revoke the certs and reissue them to be sure no one has your private keys

OUCH

BDFL - Memuneh
58742 posts

Uber Geek
+1 received by user: 10138

Administrator
Trusted
Geekzone
Subscriber

  Reply # 1022184 9-Apr-2014 14:06
Send private message

You can also use https://www.ssllabs.com/ssltest/ to test.




Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) | Backblaze cloud backup (personal and business)My technology disclosure  

2738 posts

Uber Geek
+1 received by user: 1407

Subscriber

  Reply # 1022294 9-Apr-2014 17:23
Send private message

nathan: you can't just patch, you need to patch, revoke the certs and reissue them to be sure no one has your private keys

OUCH


And assume all your users need to change passwords just to be safe.




Information wants to be free. The Net interprets censorship as damage and routes around it.

 

Thinking about signing up to BigPipe? Get $20 credit with my referral link.

Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Symantec protects data everywhere with Information Centric Security
Posted 21-Sep-2017 15:33

FUJIFILM introduces X-E3 mirrorless camera with wireless connectivity
Posted 18-Sep-2017 13:53

Vodafone announces new plans with bigger data bundles
Posted 15-Sep-2017 10:51

Skinny launches phone with support for te reo Maori
Posted 14-Sep-2017 08:39

If Vodafone dropping mail worries you, you’re doing online wrong
Posted 11-Sep-2017 13:54

Vodafone New Zealand deploy live 400 gigabit system
Posted 11-Sep-2017 11:07

OPPO camera phones now available at PB Tech
Posted 11-Sep-2017 09:56

Norton Wi-Fi Privacy — Easy, flawed VPN
Posted 11-Sep-2017 09:48

Lenovo reveals new ThinkPad A Series
Posted 8-Sep-2017 14:37

Huawei passes Apple for the first time to capture the second spot globally
Posted 8-Sep-2017 10:45

Vodafone initiative enhances te reo Maori pronunciation on Google Maps
Posted 8-Sep-2017 10:40

Voyager Internet expand local internet phone services company with Conversant acquisition
Posted 6-Sep-2017 18:27

NOW Expands in to Tauranga
Posted 5-Sep-2017 18:16

Windows 10 Fall Creators Update coming Oct. 17
Posted 4-Sep-2017 14:10

Garmin introduce Garmin vivoactive 3
Posted 1-Sep-2017 18:38


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.