HeartBleed is breaking the whole internet today. DONT ENTER YOUR PASSWORDS OR LOGIN TO WEBSITES FOR THE NEXT 24-72 HOURS if you can help it. Til they upgrade and announce theyre upgraded. Heres a test to see if the site you want to login to is vulnerable: possible.lv/tools/hb/ and https://ssllabs/ssltest/ (facebook is not vulnerable.) From IRC: 13:24 < v*****> the crap shoot is for i in {1..10} pull yahoo password resulted in 4 passwords. (if you run apache webservices on debian 7 (wheezy) or recent ubuntus you need to upgrade: apt-get update && apt-get install openssl libssl-dev libssl-doc libssl1.0.0 && /etc/init.d/apache2 restart - no openSSH isnt compromised fwig.) Worse, being able to read memory in Apache means anythign that runs through apache is compromised - anything running in php or other script languages that run in apache -- users passwords, database passwords, private X.509 SSL keys, etc. (This means even after you patch it you must change everyones passwords as they may have been read. Also means re-create your HTTPS private key and re-certify it now, though the later would only be useful if you could intercept https session network traffic for that site you have the key for - but dont doubt that such keys will be traded around black hat channels for prominent websites. open Wifi is now even more dangerous because https is effectively useless for the next while!) heartbleed.org
Posted on: Tue, 08 Apr 2014 17:35:51 +0000
Trending Topics
Recently Viewed Topics
© 2015