
posted by martyb on Friday May 09 2014, @02:50PM   Printer-friendly
from the the-gift-that-keeps-on-giving dept.

Ars Technica reports that four weeks after its disclosure huge swaths of the Internet remain vulnerable to Heartbleed. The article suggests that over 300,000 servers remain vulnerable.

What steps have you taken to protect yourself from this bug? What browser add-ons have you installed? Have you checked or updated the firmware on your home router? If you work in IT, what has the reaction been? Has your site been compromised? Has the vulnerable code been updated, new keys generated, new certificates obtained, and the old ones revoked?

Since the OpenSSL library is now undergoing a security review and a fork of it is underway as LibreSSL, it is possible that other vulnerabilities will be discovered. Then what? How likely is it that we will need to repeat this cleanup effort?


The Heartbleed bug "is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet." The bug affects not only servers, but also routers and even some Android phones. Even desktop software such as LibreOffice, WinSCP, and FileMaker has versions with the bug and needs to be updated. The history, behavior, and impact of this bug are well explained and summarized on Wikipedia, which includes this recommendation:

Although patching software (the OpenSSL library and any statically linked binaries) fixes the bug, running software will continue to use its in-memory OpenSSL code with the bug until each application is shut down and restarted, so that the patched code can be loaded. Further, in order to regain privacy and secrecy, all private or secret data must be replaced, since it is not possible to know if they were compromised while the vulnerable code was in use:[68]

  • all possibly compromised private key-public key pairs must be regenerated,
  • all certificates linked to those possibly compromised key pairs need to be revoked and replaced, and
  • all passwords on the possibly compromised servers need to be changed.
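The first step in the quoted recommendation, restarting every process that still has the old library in memory, is the one most often missed: the package manager replaces libssl on disk, but a long-running daemon keeps executing the copy it mapped at startup. On Linux the kernel marks such mappings with "(deleted)" in /proc/PID/maps, which gives a simple check. The script below is an added example, not code from the SoylentNews post or from the OpenSSL project; the maps lines in the comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find running processes that
# still map an OpenSSL library which has since been replaced on disk.
# The kernel appends "(deleted)" to a mapping whose file was unlinked, which
# is exactly what happens when a package upgrade replaces libssl/libcrypto.
# Such processes keep running the old, unpatched code until restarted.

# stale_ssl_mappings: reads /proc-style maps text on stdin and prints each
# line that maps a libssl or libcrypto shared object marked "(deleted)".
# A constructed input line looks like:
#   7f00-7f01 r-xp 00000000 08:01 1234 /usr/lib/libssl.so.1.0.0 (deleted)
stale_ssl_mappings() {
    grep -E 'lib(ssl|crypto)[^ ]*\.so[^ ]*.*\(deleted\)' || true
}

# processes_needing_restart: scans every readable /proc/PID/maps and prints
# "PID COMM PATH" for each process holding a stale OpenSSL mapping.
# Run as root to see other users' processes; unreadable maps are skipped.
processes_needing_restart() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # Field 6 of a maps line is the mapped path; "(deleted)" is field 7.
        path=$(stale_ssl_mappings 2>/dev/null < "$maps" | awk '{print $6}' | sort -u | head -n 1)
        [ -n "$path" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "$pid" "$comm" "$path"
    done
}

# When run directly (not sourced), report and exit non-zero if anything is stale.
if [ "${0##*/}" = "stale_openssl.sh" ]; then
    report=$(processes_needing_restart)
    if [ -n "$report" ]; then
        printf 'Processes still running pre-patch OpenSSL code:\n%s\n' "$report"
        exit 1
    fi
    echo "No stale OpenSSL mappings found."
fi
```

Checking the in-memory mapping rather than the reported version number matters because distributions that backport fixes leave the version string unchanged (a patched 1.0.1e package still reports 1.0.1e), so `openssl version` alone cannot tell you whether a running service is safe. Once every listed process has been restarted, the remaining steps from the quoted list (new key pairs, reissued and revoked certificates, changed passwords) still apply, since the check says nothing about what may have leaked before the patch.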

SN's coverage of this vulnerability includes:

  • (Score: 3, Insightful) by patric91 (2471) on Friday May 09 2014, @04:43PM (#41309)

    I consider myself a very technically sophisticated user and I'm concerned about this bug, but I don't lose any sleep over it.

    I have not installed any browser plug-ins to fight this, I have not gone on a wild password-changing-spree either.

    My reasoning is simple. It doesn't matter. I could change my passwords, but has the site been patched? No, then my password change was a complete waste of time. What if their system is patched? Great, I've avoided this vulnerability. I then end up at another site on another day and I pick up a different bug or virus or mal-whatever web-drive-by-zero-day and my machine is compromised and my (useless?) anti-virus is none the wiser. I then plug my thumb drive in and move the problem to my work network. Or one of my co-workers does, and then the bug travels back to my home computer. What if the malware authors are really good at what they do and the bug is now hiding in the firmware on my motherboard or NIC? Maybe it's a bad piece of code served up by an ad network, maybe it has nothing to do with my computer at all and they get my CC number from a fake swiper at the gas station.

    The only assumption that I work from is that my machine is compromised. I keep a good relationship with my local banker so that if there is a problem, and there has been in the past, they step in and, in essence, make it the insurance company's problem.

    This is not a perfect solution by any means, but I can't operate all of my computers from Live CDs and I refuse to do business by stone tablets, so here I find myself. Besides, if I don't watch out, it's going to be heart disease that gets me in the end, not a digital "virus".

    Just my two cents. Thanks for listening (reading).

    --
    Armchair Polymath