OpenSSL and the Heartbleed issue

Corrine · Apr 9, 2014

There is nothing people can do to protect themselves if vulnerable websites are visited until the administrators of those websites have upgraded their software. Then, change your password.

See The Heartbleed Bug, explained - Vox

Corrine · Apr 9, 2014

Just found this. Check sites here: LastPass - LastPass Heartbleed checker.

Also, if you use LastPass, see The LastPass Blog: LastPass Now Checks If Your Sites Are Affected by Heartbleed

Patrick · Apr 9, 2014

I've been using LastPass Premium for over 2 years, so I just changed any affected sites with their password tool.

jcgriff2 · Apr 10, 2014

What I don't understand is that the article says the bug opens up system RAM to possible threats of being read.

Is the vulnerability ongoing - even when logged off the SSL site?

Regardless, it would take a long time to upload 4,8,12+ GB RAM.

Corrine · Apr 10, 2014

Aaron posted his understanding of the issue at LzD which you might find helpful: OpenSSL and the Heartbleed issue.

My understanding is that if logged into a service while it was vulnerable, then there is a chance that the password has been harvested.

Here's what Bruce Schneier explained in Schneier on Security: Heartbleed:

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.

x BlueRobot · Apr 10, 2014

This is supposedly a list of hostnames for vulnerable websites - https://gist.github.com/dberkholz/10169691

niemiro · Apr 10, 2014

x BlueRobot said:
This is supposedly a list of hostnames for vulnerable websites - https://gist.github.com/dberkholz/10169691

That's definitely not all vulnerable websites though. It's a useful list, just people need to be aware that it doesn't list every vulnerable website.

x BlueRobot · Apr 10, 2014

niemiro said:
x BlueRobot said:

This is supposedly a list of hostnames for vulnerable websites - https://gist.github.com/dberkholz/10169691

Click to expand...

That's definitely not all vulnerable websites though. It's a useful list, just people need to be aware that it doesn't list every vulnerable website.

The best method is to use the LastPass Checker, or contact the site staff for a particular website.

x BlueRobot · Apr 12, 2014

A list of the major companies affected as has been listed here, with their comments including if you should change your password and if a patch has been released.

The Heartbleed Hit List: The Passwords You Need to Change Right Now

jcgriff2 · Apr 12, 2014

I don't believe that none of the major banks were hit.

x BlueRobot · Apr 14, 2014

Microsoft and Apple weren't affected either.

Corrine · Apr 14, 2014

jcgriff2 said:
I don't believe that none of the major banks were hit.

That's because they apparently don't use OpenSSL.

Search

Search

OpenSSL and the Heartbleed issue

Corrine

Administrator,
Microsoft MVP,
Security Analyst

Corrine

Administrator,
Microsoft MVP,
Security Analyst

Patrick

Sysnative Staff

jcgriff2

Co-Founder / Admin
BSOD Instructor/Expert
Microsoft MVP (Ret.)

Corrine

Administrator,
Microsoft MVP,
Security Analyst

x BlueRobot

Administrator

niemiro

Senior Administrator, Windows Update Expert

x BlueRobot

Administrator

x BlueRobot

Administrator

jcgriff2

Co-Founder / Admin
BSOD Instructor/Expert
Microsoft MVP (Ret.)

x BlueRobot

Administrator

Corrine

Administrator,
Microsoft MVP,
Security Analyst

OpenSSL and the Heartbleed issue

Administrator, Microsoft MVP, Security Analyst

Administrator, Microsoft MVP, Security Analyst

Sysnative Staff

Co-Founder / AdminBSOD Instructor/ExpertMicrosoft MVP (Ret.)

Administrator, Microsoft MVP, Security Analyst

Administrator

Senior Administrator, Windows Update Expert

Administrator

Administrator

Co-Founder / AdminBSOD Instructor/ExpertMicrosoft MVP (Ret.)

Administrator

Administrator, Microsoft MVP, Security Analyst

Administrator,
Microsoft MVP,
Security Analyst

Administrator,
Microsoft MVP,
Security Analyst

Co-Founder / Admin
BSOD Instructor/Expert
Microsoft MVP (Ret.)

Administrator,
Microsoft MVP,
Security Analyst

Co-Founder / Admin
BSOD Instructor/Expert
Microsoft MVP (Ret.)

Administrator,
Microsoft MVP,
Security Analyst