
Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL



On 4/7/2014 6:14 PM, grarpamp wrote:
> http://heartbleed.com/
>
> The Heartbleed Bug is a serious vulnerability in the popular OpenSSL
> cryptographic software library. This weakness allows stealing the
> information protected, under normal conditions, by the SSL/TLS encryption
> used to secure the Internet. SSL/TLS provides communication security and
> privacy over the Internet for applications such as web, email, instant
> messaging (IM) and some virtual private networks (VPNs).
>
> The Heartbleed bug allows anyone on the Internet to read the memory of the
> systems protected by the vulnerable versions of the OpenSSL software. This
> compromises the secret keys used to identify the service providers and to
> encrypt the traffic, the names and passwords of the users and the actual
> content. This allows attackers to eavesdrop communications, steal data
> directly from the services and users and to impersonate services and users.
> Patch your stuff.

Comments / suggestions from those w/ in-depth knowledge in this area? How users should proceed; how to check if sites used (banks, email, retail sites, etc.) were / still are affected, so one knows if & when to change passwords or other data?

If the number of sites potentially affected is as large as indicated on heartbleed.com, changing PW on even 60% of sites I use could take a long time - even to do it once.

It would do little good to change a password on a site that hasn't patched this. Or perhaps it would do some good, to change the password before logging out of a site? Then when a site must be accessed again, change the password again.

Either way, this might not provide perfect safety, but might ? be better than nothing.