Heartbleed: Who Was Affected, What to Do Now

Status
Not open for further replies.

ddpruitt

Honorable
Jun 4, 2012
The explanation you linked to has some technical inaccuracies (for one, it's not the malloc that causes the problem, it's the actual copy a few lines down). The error is your standard unchecked, unsafe memcpy operation. Basically, an attacker can read up to 64 KiB of the SSL server; whatever happens to be stored there is the attacker's (even server password files). You also shouldn't change passwords on a website until the certs are updated, otherwise your new password might be compromised too. You should also change all of your passwords. As pointed out, even if a frontend system isn't vulnerable, something on the backend might be. Last time I had my password compromised (Kickstarter), I switched to using a password manager; it makes these things much easier to deal with.
 

teh_chem

Honorable
Jun 20, 2012
2nd factor authentication is the easiest thing everyone can do to help secure their accounts--that should be at the very top of the list, after notifying people of the affected services. Disappointing to see it buried in the middle, despite good info in this post.
 

slm34

Estimable
Apr 10, 2014
Walmart tests vulnerable as of today, 12:30PM EST, 10Apr2014

A few minutes before, perhaps 12:28PM EST, the filippo.io test showed walmart.com as Vulnerable. I tested it again, as last night I received the "Uh-oh, something went wrong: ..." response from the filippo.io test. It again came back "Vulnerable". After posting to this site, I again tested it, and it came back like last night: "Uh-oh, something went wrong...broken pipe...", which in their FAQ is further described, including: "This error means that I can't tell if the server is vulnerable (probably not)."

For this site, I would not assume all is well until the "something went wrong" response clears....
 

bugmenotplz

Distinguished
BANNED
Apr 13, 2014
That Netcraft's Site Report tool doesn't seem to work. I don't see "Supported TLS Extensions" anywhere on the page. I tried it on sites that were definitely affected by Heartbleed, such as Yahoo and Tumblr, but still nothing.
 

ckaspereli

Estimable
Apr 16, 2014
The pathological liars at the NSA should've known about this and let the public know but they are either incompetent and/or as we've found recently, utterly and contemptuously untrustworthy. The clueless immoral SOBs that run the incestuous CIA/NSA complex are solely interested in the billions of dollars they get to spend that allows them to arrogantly strut and prance about and baldly lie to Congress fabricating bogus claims of national top secrecy ad nauseam.
 

ckaspereli

Estimable
Apr 16, 2014
The pathological screwball liars at the NSA should've known about this issue 2 years ago and let the public know but they were evidently too busy spending hard-earned taxpayers' money on equipment to spy on us and hence are flagrantly incompetent and/or as we've found recently, utterly and contemptuously untrustworthy. The clueless immoral SOBs that run the incestuous CIA/NSA complex are solely interested in the billions of dollars they get to spend that allows them to arrogantly strut and prance about and baldly lie to Congress fabricating bogus claims of national top secrecy ad nauseam.
 