Does this also include the websites of banks or credit card companies such as Chase? 

Does this also include the websites of banks or credit card companies such as Chase? 

Bank websites usually use https, so yes this would include them.


The Heartbleed flaw potentially exposes the secret key of services (by exposing 64 KB chunks of memory) using the affected SSL versions. Someone in possession of a service's secret key can decrypt any data sent to them. It does not directly reveal your passwords. It's worse, and there is no point changing your passwords until the service provider changes their secret key.

Put simply, the secret key is what allows the service (i.e. a website) to decrypt and read all encrypted data you send to them, encrypted using their public key. This is known as public/private key encryption. Each party has two keys, a public one which is broadcast to everyone and a private (or "secret") key kept safe. Someone wishing to communicate securely with a party encrypts the data with that party's public key. Once encrypted with a public key, the data can only be decrypted using the corresponding private key, so only parties in possession of the recipient's private key will be able to decrypt it.

This means that if the secret key is compromised, anyone else in possession of it can decrypt encrypted data you send to that service (such as passwords or credit card information - anything you send encrypted), which is why it's usually referred to as a "secret" or "private" key. If an attacker did manage to get hold of a service's secret key, that means any data sent to them can be decrypted. While the website has the same secret key, changing your password will achieve nothing.

This also means that someone who has obtained a service's secret key can impersonate them across the web because public/private key encryption works both ways. A party wishing to verify they are really who they say they are can encrypt some data with their private key. This data can then be decrypted by anyone with their public key and can verify they are indeed who they say they are (or are in possession of their private key at least).

Even after this flaw has been resolved, anyone in possession of a service's secret key will be able to decrypt any past traffic encrypted using that public/private key pair. That's why this flaw is considered so serious.

TL;DR thanks for the PSA but you might want to know what you're talking about before telling people to change their passwords.
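The property the post above describes (whoever holds the service's private key can read recorded traffic and sign as the service, and only a key rotation closes that hole) can be seen end to end in a toy RSA key-transport session. This is an added example, not code from the thread or from OpenSSL; the primes, the session keys, the login strings and the HMAC-counter "record cipher" are all constructed stand-ins chosen so the arithmetic stays small, and textbook RSA without padding is used purely for illustration.

```python
"""Added example, not code from the forum post: a toy RSA key-transport session.

Illustrates the claim that whoever holds the service's private key can decrypt
recorded traffic (even long after the fact) and impersonate the service by
signing. Textbook RSA with tiny constructed primes; for illustration only.
"""
import hashlib
import hmac

# Constructed toy primes so the arithmetic stays small; real keys are 2048+ bits.
OLD_PRIMES = (1000003, 1000033)   # the service's original key pair
NEW_PRIMES = (999979, 999983)     # the key pair it rotates to after patching
E = 65537

def rsa_keygen(p, q, e=E):
    """Return (public, private) = ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse, Python 3.8+
    return (n, e), (n, d)

def rsa_encrypt(pub, m):
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def keystream(session_key, length):
    """HMAC-SHA256 in counter mode as a stand-in for the record-layer cipher."""
    key = session_key.to_bytes(8, "big")
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def client_send(server_pub, session_key, plaintext):
    """Client: wrap the session key under the server's public key, then encrypt
    the traffic under it. Both values travel on the wire, so a sniffer records both."""
    wrapped = rsa_encrypt(server_pub, session_key)
    return wrapped, xor(plaintext, keystream(session_key, len(plaintext)))

def decrypt_recorded(priv, wrapped, ct):
    """Anyone holding priv, the server or a thief, recovers the traffic."""
    k = rsa_decrypt(priv, wrapped)
    return xor(ct, keystream(k, len(ct)))

def rsa_sign(priv, msg):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big") % n, d, n)

def rsa_verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def demo():
    old_pub, old_priv = rsa_keygen(*OLD_PRIMES)
    login = b"POST /login user=alice&password=hunter2"
    session_key = 0x2F1A9C3E                     # constructed client-chosen key
    wrapped, ct = client_send(old_pub, session_key, login)

    # 1. Traffic recorded today, private key stolen later: it still decrypts.
    recovered = decrypt_recorded(old_priv, wrapped, ct)

    # 2. The holder of the private key can also sign as the service.
    sig = rsa_sign(old_priv, b"hello from the real service")
    impersonated = rsa_verify(old_pub, b"hello from the real service", sig)

    # 3. Once the service rotates to a new key pair, the stolen key no longer opens
    #    new sessions (the recorded old sessions stay exposed, of course).
    new_pub, _new_priv = rsa_keygen(*NEW_PRIMES)
    new_login = b"user=alice&password=newpassword"
    wrapped2, ct2 = client_send(new_pub, 0x5B7E21D4, new_login)
    stale = decrypt_recorded(old_priv, wrapped2, ct2)

    return {"recovered": recovered,
            "impersonated": impersonated,
            "stale_decrypt_matches": stale == new_login}

if __name__ == "__main__":
    print(demo())
```

Step 3 is the practical takeaway: a password changed while the service still uses the compromised key pair is sent under that same key and is just as readable as the old one; only after the key rotation does a new password actually buy anything.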

I was listening to fast-paced music when reading this, so when I was changing my passwords I was like: Faster! They are right behind you!


It's a good thing I don't use the internet.

Oh wait, I do.

Lies! Liar! You obviously do no such thing.


TL;DR thanks for the PSA but you might want to know what you're talking about before telling people to change their passwords.

An exposure of session memory (in this case 64 KB) can give an attacker access to virtually anything. Secret keys are an obvious bounty, but user credentials, including passwords, as well as sensitive user information up to and including payment details may be stolen by attacks on a vulnerable system (especially if the aforementioned keys can be used to undo the encryption on such data). Any website worth its salt will be well aware of the vulnerability by now, and changing your passwords is an excellent go-to, especially if you are partial to password reuse.

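The "exposure of session memory" both posts are arguing about comes from a single missing bounds check, and the point that passwords and cookies sitting next to the heartbeat buffer come back along with key material is easiest to see in a simulation. The following is an added example, not code from the thread or from OpenSSL: it models the heartbeat message layout (type byte, 16-bit declared payload length, payload, padding) with a vulnerable handler that trusts the declared length beside one that bounds it by the record actually received. The "neighbouring memory" bytes, the cookie and the password are all constructed.

```python
"""Added example, not code from the forum post: a simulation of the bug class behind
Heartbleed, using constructed data. A TLS heartbeat message declares its own payload
length; the vulnerable handler copies that many bytes back without checking that the
received record actually contains them, so whatever sits next in memory is echoed.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16            # heartbeat messages carry at least 16 bytes of padding
HDR = 1 + 2             # type byte + 16-bit payload length (max 65535, hence "64 KB")

def build_heartbeat(declared_len, payload):
    """type(1) | payload_length(2) | payload | padding. declared_len may lie."""
    return struct.pack("!BH", HB_REQUEST, declared_len) + payload + b"\x00" * PADDING

def vulnerable_handler(memory, record_len):
    """The bug: trusts payload_length and never compares it with record_len."""
    _, payload_len = struct.unpack("!BH", memory[:HDR])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + memory[HDR:HDR + payload_len]

def fixed_handler(memory, record_len):
    """The fix: bound the declared length by the record actually received, else drop."""
    if record_len < HDR + PADDING:
        return None                       # too short to be a valid heartbeat at all
    _, payload_len = struct.unpack("!BH", memory[:HDR])
    if HDR + payload_len + PADDING > record_len:
        return None                       # declared payload exceeds the record: discard
    return struct.pack("!BH", HB_RESPONSE, payload_len) + memory[HDR:HDR + payload_len]

# Constructed stand-in for whatever happens to be adjacent on the heap.
NEIGHBOURING_MEMORY = (
    b"...Cookie: session=9f3ab7c1; "
    b"user=bob&password=correct-horse-battery-staple ..."
    b"-----BEGIN RSA PRIVATE KEY----- (fragment) ..."
    + b"\x00" * 4096
)

def demo():
    # Malicious request: says "echo 4000 bytes" but carries only 4.
    evil = build_heartbeat(declared_len=4000, payload=b"ping")
    memory = evil + NEIGHBOURING_MEMORY   # the record, then unrelated process memory
    leaked = vulnerable_handler(memory, len(evil))
    dropped = fixed_handler(memory, len(evil))

    # Honest request: declared length matches what was sent; the fixed handler answers it.
    honest = build_heartbeat(declared_len=4, payload=b"ping")
    answered = fixed_handler(honest + NEIGHBOURING_MEMORY, len(honest))

    return leaked, dropped, answered

if __name__ == "__main__":
    leaked, dropped, answered = demo()
    print(len(leaked), b"password=" in leaked, dropped, answered)
```

The response from the vulnerable handler starts with the four honest bytes and then carries the cookie, the password and the key fragment that merely happened to follow the record; the fixed handler rejects the same request outright and still answers a well-formed one. That asymmetry is why the thread's two positions are both right: key material is the worst-case loss, but credentials in the same 64 KB are a perfectly realistic one.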

-snip-

-snip-

*watches technician-talk-table-tennis*


-snip-

I'm not saying changing your password is bad, I'm saying it's not an "apply fix and forget" solution. Especially if you use the same password for everything, changing your singular global password to a different singular password on even one affected site (that has yet to update) will render your change pointless. If you use separate passwords (like any sane person does), only those for the sites that are still vulnerable can potentially be breached.

To everyone: I recommend KeePass.


What if said website is only used through an iPhone app?


I have a feeling that the password 12345 was changed to 123456 on many accounts around the internet.
