Author Topic: OpenSSL and the Heartbleed issue  (Read 7596 times)


Offline JonPaulOnLine

  • Full Member
  • ***
  • Posts: 61
Re: OpenSSL and the Heartbleed issue
« Reply #15 on: April 12, 2014, 01:36:55 AM »
I have been using a password manager for several years. I started way back when RoboForm came out, then last year I switched to LastPass.
TestSystemSoftware-Windows7 HomePremium, 32 BIT,  4GB RAM,
MBAM Premium, MBAE, WinPatrol Plus, Acronis Image 2015, Norton Security Suite for Comcast,  Pale Moon, Chrome,WinPrivacy Beta, Spyware Blaster,WinPrivacy

Offline JonPaulOnLine

  • Full Member
  • ***
  • Posts: 61
Re: OpenSSL and the Heartbleed issue
« Reply #16 on: April 12, 2014, 01:56:01 AM »
I was never able to convince my wife to use a password manager. She prefers to keep her 2 email passwords in memory, but she does like that I instructed her where to go to find my 200 passwords when I have been ill.

Offline Paddy

  • LandzDown Team
  • Hero Member
  • *****
  • Posts: 1575
Re: OpenSSL and the Heartbleed issue
« Reply #17 on: April 12, 2014, 09:07:49 AM »
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.

Offline LilBambi

  • LzD Friends
  • Sr. Member
  • *****
  • Posts: 488
    • LilBambi's BambisMusings Blog
Re: OpenSSL and the Heartbleed issue
« Reply #18 on: April 12, 2014, 12:03:09 PM »
Definitely wise to wait for the website to notify you that they have patched their server AND had their certificate updated.

I went to Soundcloud and they actually were notifying people as they came to the site, Pinterest sent an email.

They appear to be handling it differently.

Some sites seem to be notifying you in email of cool stuff or new features on their website, and when you go to the site, they also let you know about the issue.

Others are letting us know through website blogs, press releases, etc.

Seems there is no clear-cut way they are doing it.

I would hope that banking institutions, credit card companies, other financial institutions for stock portfolios, etc. are being more straightforward and just emailing or sending a snailmail notification (not the preferred way by snailmail btw).

I was notified by one company that yes, they were vulnerable and they fixed the webserver, restarted it and then requested a new certificate, but they were also quick to say that because 'your' data is encrypted by keys the website does not hold (you hold the keys), the data was still safe. They also said they employ PFS.

Also StartPage.com has been using PFS right along.

I talk about this in my blog posting here:

Heartbleed, OpenSSL and Perfect Forward Secrecy - FransComputerServices Blog

Includes the article at mashable with the Hit List.

Some very good articles listed and quoted.
Bambi
AKA Fran
Jim-Fran.com
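
The two things the reply above says to look for, a certificate issued after the fix and forward secrecy (PFS), can be checked from the client side. The following Python is an added example, not part of the original post; the April 7, 2014 public-disclosure date, the function names and the sample observations are assumptions supplied here.

```python
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed; a fact added here, not from the thread.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)


def is_forward_secret(cipher_name, protocol):
    """True if the negotiated suite uses an ephemeral (EC)DHE key exchange."""
    if protocol == "TLSv1.3":  # TLS 1.3 only defines ephemeral key exchange
        return True
    # OpenSSL suite names, e.g. ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-SHA
    return cipher_name.startswith(("ECDHE-", "DHE-", "EDH-"))


def assess(not_before, cipher_name, protocol):
    """Evaluate the 'new certificate' and 'PFS' claims for one connection.

    not_before uses the format returned by ssl.SSLSocket.getpeercert(),
    e.g. 'Apr 10 00:00:00 2014 GMT'.
    """
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), timezone.utc)
    return {
        "cert_issued": issued.date().isoformat(),
        # Necessary, not sufficient: a reissue can reuse the old key pair,
        # and the old certificate still has to be revoked.
        "reissued_after_disclosure": issued >= DISCLOSURE,
        "forward_secret": is_forward_secret(cipher_name, protocol),
    }


def probe(host, port=443, timeout=5.0):
    """Collect the live values for assess(); needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return assess(tls.getpeercert()["notBefore"], name, protocol)


# Constructed sample observations (not taken from any real site).
SAMPLES = {
    "reissued + ECDHE": ("Apr 10 00:00:00 2014 GMT", "ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
    "old cert + RSA kx": ("Jan 15 00:00:00 2013 GMT", "AES256-SHA", "TLSv1"),
}

if __name__ == "__main__":
    for label, obs in SAMPLES.items():
        print(label, assess(*obs))
```

`probe()` runs the same assessment against a live host; the constructed samples run offline.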

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20208
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: OpenSSL and the Heartbleed issue
« Reply #20 on: April 13, 2014, 08:49:55 PM »
I have a problem with the Bloomberg article -- "two people familiar with the matter said."  Are those "two people" NSA employees/contractors?  Bloomberg writers?  People off the street?  It is just too open-ended.

Edit Note:  Found the two Tweets from yesterday that contradict the Bloomberg article:

https://twitter.com/NSA_PAO/status/454720059156754434:

Quote
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.

Also see https://twitter.com/ZekeJMiller/status/454721511283109888


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline LilBambi

  • LzD Friends
  • Sr. Member
  • *****
  • Posts: 488
    • LilBambi's BambisMusings Blog
Re: OpenSSL and the Heartbleed issue
« Reply #21 on: April 13, 2014, 10:04:58 PM »
NSA denies Report that Agency knew and exploited Heartbleed Vulnerability - HackerNews

There have been so many lies, it is hard to tell the truth from lies anymore.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20208
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: OpenSSL and the Heartbleed issue
« Reply #22 on: April 13, 2014, 10:14:34 PM »
So very true, Fran.

