PSA: SSL hole

#1 Apr 11 2014 at 3:39 PM Rating: Default
****
8,779 posts
Yes, it's not FF related, but I just received an e-mail from my stepdad informing me that, for the time being, the hole in the SSL software truly has created a **** + fan situation. Here were the instructions he sent me:

Quote:
Hey ****,
It has come to light that there is a very serious security hole in the
SSL software that is used all over the internet. When you are on a
secure site (the URL usually begins with https://), data that should be
encrypted and unreadable may not be. On a scale of 1 to 10, this is an
11 in terms of seriousness. Until this is corrected, I would suggest
doing the following:

1. Use the Firefox browser and install the add-on for the LastPass
password manager.
2. I also suggest installing the following add-ons in Firefox:

NoScript - Allows you to control the execution of all types of scripts
on every site you visit.
AdBlock Plus - Self-explanatory.
Ghostery - Lets you control whether or not code for things like
Facebook, Twitter and Disqus get processed by the browser.
WOT (Web of Trust) - Allows you to examine safety and trustworthiness of
a site before you follow a link to it. This is particularly nice when
looking at Google search results.

3. Set up 2-step verification for any sites and services that provide
the option, such as Google. With this in place, if someone is trying to
access one of your accounts, you will receive a text message that will
tip you off to what's happening.
4. Encrypt any files containing sensitive information prior to storing
them in the cloud (DropBox, Google Drive, etc.). TrueCrypt is a common
utility for this.
5. Keep access to sensitive accounts online to a minimum (bank and other
financial sites, social security, IRS and so on) until you hear that the
hole has been patched across the net.

Sorry to alarm you, but this is important.

Talk soon,


--
*******


My stepdad knows his **** and is apparently quite afraid of this. If he's scared, then I'm terrified. So keep safe out there guys. Last thing I wanna see is someone on here get screwed.
#2 Apr 11 2014 at 3:47 PM Rating: Decent
*
72 posts
His reaction to heartbleed I assume. It's OpenSSH only. Granted, they are VERY popular and everywhere.
This is why companies like Microsoft and Oracle are here to stay; you get what you pay for (OpenSSH is free...)
#3 Apr 11 2014 at 5:22 PM Rating: Excellent
****
5,745 posts
mess3 wrote:
His reaction to heartbleed I assume. It's OpenSSH only. Granted, they are VERY popular and everywhere.
This is why companies like Microsoft and Oracle are here to stay; you get what you pay for (OpenSSH is free...)

It's not even OpenSSH. It's only OpenSSL. And while OpenSSH uses the OpenSSL library, it doesn't use TLS, which is specifically what is targeted with Heartbleed.
#4 Apr 11 2014 at 5:39 PM Rating: Excellent
****
5,745 posts
As to the suggestions in the OP, nothing you do on the client side (e.g. blocking scripts in your web browser, etc.) will do anything to protect you from Heartbleed. Heartbleed targets a webserver and can pull random contents of its memory. The only thing you could do is not visit a site that is currently known to be vulnerable to this attack, in the hopes of minimizing the amount of your private information residing in that server's memory. The suggestions mentioned in the OP are good practices in general for Internet-related activity. But none of those steps will keep your login information safe if you visit a site that is currently vulnerable.

xkcd's simplified explanation of Heartbleed:
http://xkcd.com/1354/

Here is a link to a list of websites that were found to be vulnerable as of a few days ago:
https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt

Heartbleed test site:
http://filippo.io/Heartbleed/

If you have an account at a site that was known to have been vulnerable to Heartbleed, then you should change your password on that site after verifying that the vulnerability has been patched. Changing your password while the site is still vulnerable simply exposes the new password to being compromised as well. You may also want to change your password on any site that wasn't vulnerable if you happen to have used the same password as you did on a vulnerable site.
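The missing bounds check behind the bug described in #4, as an added example that is not from this thread and not OpenSSL's source: a simplified model of the heartbeat handler in its vulnerable and fixed shapes. Record layout follows RFC 6520; the hb_* names and the 64-byte demo region are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of a TLS heartbeat record (RFC 6520 layout):
 * [type:1][payload_length:2][payload...][padding:16]. Not OpenSSL's code. */
#define HB_HEADER  3
#define HB_PADDING 16
typedef struct {
    const uint8_t *data;  /* bytes that actually arrived for this record */
    size_t length;        /* how many of them there are */
} hb_record;

static size_t hb_declared_len(const hb_record *r) {
    return ((size_t)r->data[1] << 8) | r->data[2];  /* peer-controlled field */
}
/* Vulnerable shape: the copy length comes from the peer's header and is checked
 * only against the destination, never against r->length, so bytes past the
 * record (other sessions' data) get echoed back. Returns bytes copied or -1. */
int hb_echo_vulnerable(const hb_record *r, uint8_t *out, size_t outcap) {
    size_t payload = hb_declared_len(r);
    if (payload > outcap) return -1;
    memcpy(out, r->data + HB_HEADER, payload);  /* over-reads when payload lies */
    return (int)payload;
}

/* Fixed shape: the declared length must fit inside the bytes received,
 * which is the bounds check the OpenSSL patch added. */
int hb_echo_fixed(const hb_record *r, uint8_t *out, size_t outcap) {
    if (r->length < HB_HEADER + HB_PADDING) return -1;
    size_t payload = hb_declared_len(r);
    if (HB_HEADER + payload + HB_PADDING > r->length) return -1;  /* discard */
    if (payload > outcap) return -1;
    memcpy(out, r->data + HB_HEADER, payload);
    return (int)payload;
}

/* Constructed demo: a 64-byte region stands in for server memory. Its first 23
 * bytes are a genuine 4-byte "ping" heartbeat whose header claims 40 bytes; a
 * stand-in secret follows. Returns bytes copied from beyond the real record. */
int hb_demo_overread(int use_fixed) {
    uint8_t region[64] = {1, 0x00, 0x28, 'p', 'i', 'n', 'g'};  /* type 1, len 40 */
    memcpy(region + 23, "SESSION=stand-in-secret", 23);
    hb_record r = { region, HB_HEADER + 4 + HB_PADDING };  /* only 23 real bytes */
    uint8_t out[64];
    int n = use_fixed ? hb_echo_fixed(&r, out, sizeof out)
                      : hb_echo_vulnerable(&r, out, sizeof out);
    size_t end = n < 0 ? 0 : HB_HEADER + (size_t)n;  /* last byte read + 1 */
    return end > r.length ? (int)(end - r.length) : 0;  /* 20 for vulnerable */
}
```

The demo keeps the over-read inside its own 64-byte array so it runs safely; the point is that the fixed handler rejects the same record outright.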
#5 Apr 27 2014 at 8:24 PM Rating: Good
****
5,745 posts
mess3 wrote:
His reaction to heartbleed I assume. It's OpenSSH only. Granted, they are VERY popular and everywhere.
This is why companies like Microsoft and Oracle are here to stay; you get what you pay for (OpenSSH is free...)

Yeah... so about that:
New Vulnerability Found in Every Single Version of Internet Explorer
#6 Apr 27 2014 at 8:28 PM Rating: Decent
Jack of All Trades
******
29,633 posts
I had to read that comic 5 times before I got it. There's probably a big security hole in my brain too