Arrkham

Start changing your passwords now


If you haven't heard, there was a huge security hole found for a lot of websites. You may want to change all your internet passwords in a week or so. Check out the list of compromised sites (just the tip of the iceberg):

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Edited by The Dλrk Knight Rises


The Heartbleed flaw in OpenSSL

The fatal flaw (that has been named Heartbleed) is that the OpenSSL library never checked that the Heartbeat payload size corresponds with the actual length of the payload being sent. A user is allowed to input any number up to 65535 (64 kilobytes) regardless of the true size of the payload. If an attacker sends a Heartbeat request saying the size is 65535, but a payload that's only 18 bytes long, the vulnerable server will store only 18 bytes in memory. However, the response will start with those stored 18 bytes, but continue sending data from the next 64KB of memory back to the client. This data could be usernames and passwords, private keys, username, HTML pages, random junk, or even the private secret that the webserver uses to establish its identity. (The fix to OpenSSL implemented in 1.0.1g and later versions is essentially to perform sanity checks on the payload size as told by the client.)

The attack can be repeated many times and in general will reveal different parts of the webserver's memory each time. The attack can be performed anonymously in an undetectable manner for typical webserver configurations. Typically, you only log IP addresses when you serve a web page, but this attack can happen early in the negotiation process in vulnerable versions, before any webpage is served.

Source: http://security.stackexchange.com/questions/55343/how-to-explain-heartbleed-without-technical-terms

The actuality of a hacker grabbing your password is little to none

If a hacker was able to grab the private key the website uses for encryption, that would be a problem as they can now perform MITM attacks and grab whatever they want.

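As an added example (not from the thread and not OpenSSL's own source), here is a small C model of the sanity check the quoted text says 1.0.1g introduced: the claimed payload length must fit inside the bytes actually received, otherwise the request is dropped. The record builder, the 18-byte sample and all function and macro names are this example's own constructions; the layout follows RFC 6520.

```c
#include <stdint.h>
#include <string.h>

/* TLS heartbeat (RFC 6520): 1-byte type, 2-byte big-endian payload_length,
 * the payload, then at least 16 bytes of padding. */
#define HB_HEADER  3
#define HB_PADDING 16

/* Payload length as claimed by the peer. Pre-1.0.1g OpenSSL trusted this
 * value when building the echo, which is the whole bug. */
static size_t claimed_len(const unsigned char *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];      /* size_t: no 16-bit wraparound */
}

/* The 1.0.1g-style sanity check on a standalone record: header + claimed
 * payload + minimum padding must fit in the bytes actually received.
 * 1 = answer it, 0 = drop it silently. */
int heartbeat_payload_ok(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return 0;                               /* too short for an empty payload */
    return HB_HEADER + claimed_len(rec) + HB_PADDING <= rec_len;
}

/* Bytes past the real payload that an unchecked echo would copy out of
 * process memory (the thread's "next 64KB"): claimed minus actual. */
size_t overread_bytes(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return 0;
    size_t actual = rec_len - HB_HEADER - HB_PADDING;
    size_t claimed = claimed_len(rec);
    return claimed > actual ? claimed - actual : 0;
}

/* Constructed sample record (not captured traffic) whose claimed length
 * may differ from the payload bytes actually written. */
size_t build_heartbeat(unsigned char *out, uint16_t claimed,
                       const unsigned char *payload, size_t actual)
{
    out[0] = 1;                                 /* heartbeat_request */
    out[1] = (unsigned char)(claimed >> 8);
    out[2] = (unsigned char)(claimed & 0xff);
    memcpy(out + HB_HEADER, payload, actual);
    memset(out + HB_HEADER + actual, 0, HB_PADDING);
    return HB_HEADER + actual + HB_PADDING;
}
```

Feeding it the thread's case (claimed 65535, 18 real bytes) gives a 37-byte record that the check rejects, while `overread_bytes` reports the 65517 bytes an unchecked server would have leaked from its memory.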

remember to NOT change your passwords until the site in question has 1) fixed the bug 2) generated a new key


only 10 characters?

Brute force through numerous IP addresses will get your password in 15 minutes :D

Only noobs use 10-character passwords. You gotta go with *****************************
