OT: Heartbleed, OpenSSL vulnerability
Jean-Pierre A. Radley
appl at jpr.com
Sun Apr 13 13:46:44 PDT 2014
There's been a great deal of coverage in all sorts of media in
the past few days about a major security issue on the Internet,
having to do with something called OpenSSL, and also referred to
as the Heartbleed bug.
The short summary: if an OpenSSL connection is idle, heartbeat
messages are used to check if the other side is still listening. For
example, your browser sends a message "if you are still alive, reply
by sending the 3-letter word 'dog'", and the server replies with
"dog". To trigger the bug, the client would send "reply with the 500-
letter word 'cow'". Since "cow" has only 3 letters, the server will
make up the missing 497 bytes with data from memory, and those bytes
might contain other things the server was working on, like users'
passwords or private encryption keys.
You should check those sites which require a password to get in; go to:
https://lastpass.com/heartbleed/
If the site has taken care of the matter, change your password on that
site. If they haven't, prod them to find out why not, change your
password anyhow, and then change it again after they have installed the
necessary fixes.
--
JP
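The heartbeat exchange JP describes above, modelled in C as an added example (this is not OpenSSL's code and not part of the original post). The message layout follows the TLS heartbeat extension (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding). The "heap", the received record sitting directly in front of a constructed secret string, the handler names and the helper functions are all assumptions made for the demonstration. The vulnerable handler copies as many bytes as the client's length field claims; the fixed handler applies the same two length checks that OpenSSL 1.0.1g added (reject a record shorter than the fixed overhead, and reject one whose claimed payload plus overhead exceeds the bytes actually received).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record layout:
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   N bytes payload
 *   >=16 bytes padding
 */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16
#define RESP_CAP    1024

/* Simulated process memory: the record arrives at the front, and whatever
 * the server was working on (a constructed secret) sits right behind it. */
static unsigned char heap[1024];
static const char SECRET[] = "user=alice password=hunter2 ";

/* Place a heartbeat request in the simulated heap. `claimed` is what the
 * client writes in the length field; `payload` is what it actually sends.
 * Returns the number of bytes that really arrived on the wire. */
static size_t build_request(const char *payload, uint16_t claimed) {
    size_t plen = strlen(payload);
    memset(heap, 0, sizeof heap);
    heap[0] = HB_REQUEST;
    heap[1] = (unsigned char)(claimed >> 8);
    heap[2] = (unsigned char)(claimed & 0xff);
    memcpy(heap + HB_HEADER, payload, plen);
    size_t record_len = HB_HEADER + plen + HB_PADDING; /* padding left as zeros */
    memcpy(heap + record_len, SECRET, sizeof SECRET - 1); /* adjacent data */
    return record_len;
}

/* Shared echo path: copy payload_len bytes from the request into a response. */
static size_t echo(uint16_t payload_len, unsigned char *resp) {
    resp[0] = HB_RESPONSE;
    resp[1] = heap[1];
    resp[2] = heap[2];
    memcpy(resp + HB_HEADER, heap + HB_HEADER, payload_len); /* over-reads if unchecked */
    memset(resp + HB_HEADER + payload_len, 0, HB_PADDING);
    return HB_HEADER + payload_len + HB_PADDING;
}

/* Vulnerable handler: trusts the client's length field and never looks at
 * how many bytes were actually received. Returns response length. */
static size_t heartbeat_vulnerable(size_t record_len, unsigned char *resp) {
    (void)record_len; /* ignored: that is the bug */
    uint16_t payload_len = (uint16_t)((heap[1] << 8) | heap[2]);
    return echo(payload_len, resp);
}

/* Fixed handler: the claimed payload must fit inside the received record.
 * Returns 0 (no response) when the record is rejected. */
static size_t heartbeat_fixed(size_t record_len, unsigned char *resp) {
    if (HB_HEADER + HB_PADDING > record_len) return 0;        /* too short */
    uint16_t payload_len = (uint16_t)((heap[1] << 8) | heap[2]);
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > record_len) return 0;
    return echo(payload_len, resp);
}

/* Does the byte range contain the secret string? 1 = yes. */
static int contains_secret(const unsigned char *buf, size_t len) {
    size_t n = sizeof SECRET - 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Run one request through either handler; returns the response length. */
static size_t run_heartbeat(int fixed, const char *payload, uint16_t claimed,
                            unsigned char *resp) {
    size_t record_len = build_request(payload, claimed);
    return fixed ? heartbeat_fixed(record_len, resp)
                 : heartbeat_vulnerable(record_len, resp);
}

/* 1 if the response to this request leaks the secret, else 0. */
static int leaks(int fixed, const char *payload, uint16_t claimed) {
    unsigned char resp[RESP_CAP];
    size_t n = run_heartbeat(fixed, payload, claimed, resp);
    return contains_secret(resp, n);
}

int main(void) {
    printf("honest 'dog'/3,   vulnerable: leak=%d\n", leaks(0, "dog", 3));
    printf("attack 'cow'/500, vulnerable: leak=%d\n", leaks(0, "cow", 500));
    printf("attack 'cow'/500, fixed:      leak=%d\n", leaks(1, "cow", 500));
    return 0;
}
```

The 500-byte claim against a 3-byte payload is exactly the "cow" request from the post: the vulnerable handler returns 519 bytes, most of them lifted from memory past the request, while the fixed handler drops the record because 3 + 500 + 16 exceeds the 22 bytes that actually arrived.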