Heartbleed

I saw this on the full disclosure list Tuesday, but didn’t think much of it.

Yes, a lot of sites are affected. Yes, there’s potential for account hijack. Do you need to panic, as is HuffPo’s advice? No. (And I’ll spare the soliloquy about how their operation makes MSNBC and Fox look like bastions of credibility….)

My understanding is that this was a bug that popped up sometime in the past couple of years. Surprisingly, if you’re running old stuff (or Microsoft nonsense) server-side, you’re unaffected.

You might be vulnerable only if the sites were using the vulnerable version, and you changed your password while they were using the buggy version, and someone happened to be hijacking your session when you changed your password.

Do the math on the probabilities.

I’ll spare the schadenfreude about the commercial sekurity products affected because they used a buggy version of OpenSSL, though *cough*McAfee*cough*Barracuda*cough* the temptation is tough to completely pass up.

4 thoughts on “Heartbleed”

      1. It allows, with sufficient heap-fu, arbitrary openssl-connected memory space reads (web, email, whatever process).
        It’s got no issue with your session – you can get the damn thing to leak the whole contents of memory, 64k at a time.

        1. Interesting. Still, the attacker would have to get in during one of the temporal connections, and hope to do that heap-fu during the connection lifetime. I’m wondering what the probabilities look like. Connect –> get haxxed –> MITM listens –> Connection closes –> Do analysis of the datastream to get the data.
