psa heartbleed

[Litodude]

https://filippo.io/Heartbleed/

[Untimely Friction]

If I remember correctly this is a site used to determine if an https enabled site is vulnerable to the exploit?? you should say that cause if I wasnt already aware I wouldn't know, and nor will others.

[choof]

Quote:

Originally Posted by Untimely Friction

If I remember correctly this is a site used to determine if an https enabled site is vulnerable to the exploit?? you should say that cause if I wasnt already aware I wouldn't know, and nor will others.

if you click on the link it tells you what this is for

[Litodude]

Quote:

Originally Posted by Untimely Friction

i don't know how to read

excuse me i find your avatar offensive please take it down before i report your post

[Untimely Friction]

Quote:

Originally Posted by choof

if you click on the link it tells you what this is for

I'm curious what it is before I click a random link, sorry ^^

[Charu]

Oh dear...

Also, with the heartbleed thingy. Even though it's a very real threat and all that good stuff, can't help but feel it's being blown out of proportion, lmao.

[One Winged Angel]

Stay on topic and stop flamebaiting. If you legitimately think favoritism or lack of clarity in forum rules is an issue, contact admins via PM or some other facet.

[SC_coolguy44]

Quote:

Originally Posted by Charu

Oh dear...

Also, with the heartbleed thingy. Even though it's a very real threat and all that good stuff, can't help but feel it's being blown out of proportion, lmao.

Ditto. Internet safety is a really good practice, but this probably isn't nearly as big of a threat as the media is blowing it out to be.

[Izzy]

I find it weird that this is even a real exploit. I remember learning about memory hacks like this and how to avoid them with error checking when writing C code in school. What were the developers thinking when they wrote this code? I was kind of under the impression that all of these developers were incredibly smart. Not saying I could have done any better, but when writing internet security libraries I would kind of be paranoid as fuck about this exact kind of problem.

[dAnceguy117]

I think it's worth coverage from the media. it affected a ton of the internet, and the internet is used by a lot of people.

tumblr and Slack () both sent out emails warning that the sites were using vulnerable versions of OpenSSL. change your passwords! and if you use the same password across multiple sites, take extra caution. shame on you, by the way.

[choof]

Quote:

Originally Posted by SC_coolguy44

Ditto. Internet safety is a really good practice, but this probably isn't nearly as big of a threat as the media is blowing it out to be.

this vulnerability itself isn't a huge deal. it was patched pretty quickly

it's just that this exploit has been available for about a year and a half
that may not seem like a long time but... a fatal flaw, in what is easily the most widely used security protocol, that's been in circulation for nearly 1.5 years

[Reincarnate]

Most of the big sites have fixed things up, so hopefully good to go from there

[Litodude]

Quote:

Originally Posted by One Winged Angel

Stay on topic and stop flamebaiting. If you legitimately think favoritism or lack of clarity in forum rules is an issue, contact admins via PM or some other facet.

i already won

[adlp]

aw dangit i missed an argument. who was it with lito

[choof]

it was with untimely friction: the mod that literally no one on staff knows anything about

[adlp]

lol

[MrGiggles]

Quote:

Originally Posted by SC_coolguy44

Ditto. Internet safety is a really good practice, but this probably isn't nearly as big of a threat as the media is blowing it out to be.

The bug had been around for over a year without being noticed so some enterprising hacker may have been pulling gigabytes of 'secure' data over the past year. Facebook, instagram, bank websites, online stores, etc.

Just because there isn't a sudden epidemic of stolen accounts doesn't mean nobody took advantage of this. There's no way that I know of to determine what data, if any, has been wrongfully sent out.

But in practical terms yeah it's not a huge deal if you haven't already had accounts siezed. Just change your password after everyone patches their sites.

[arcnmx]

Link to old thread because can I just merge it?

Quote:

Originally Posted by Charu

Oh dear...

Also, with the heartbleed thingy. Even though it's a very real threat and all that good stuff, can't help but feel it's being blown out of proportion, lmao.

It's really not that blown out of proportion - it's quite serious and affects a wide range of sites. The issue is that no one knows whether it had been previous discovered or exploited, so we all generally have to assume all HTTPS traffic from the past 2 years has been unencrypted (and so will all future communication if you don't revoke and create new keys).

It also doesn't help that corporations were slow as hell to react, making a large number of sites vulnerable for days after the general public already knew how to exploit the bug. It's... really bad.

Quote:

Originally Posted by Izzy

I find it weird that this is even a real exploit. I remember learning about memory hacks like this and how to avoid them with error checking when writing C code in school. What were the developers thinking when they wrote this code? I was kind of under the impression that all of these developers were incredibly smart. Not saying I could have done any better, but when writing internet security libraries I would kind of be paranoid as fuck about this exact kind of problem.

Yup, all it takes is one wrong length passed to memcpy and/or the lack of a bounds check. Also OpenSSL is written by monkeys (yes, ironic SSL cert warning, ignore it)