The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


xkcd: Heartbleed Explanation, or why you should reset passwords, certificates and request new credit cards.

Posted by jpluimers on 2014/04/11

In layman’s terms/pictures: xkcd: Heartbleed Explanation.

If you still don’t get it: anyone who could open an HTTPS connection to a system while it was vulnerable could copy data out of that system. There is no guarantee that this data did not include your identity (username, password, public key, credit card check-digits, etc.) or the server’s identity (its private and public key).

Since you often cannot prove whether a system was running a vulnerable OpenSSL, there is no way to prove your data did not get copied.
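The copying described above comes from a missing length check in OpenSSL’s TLS heartbeat handling: a request could claim a far larger payload than it carried, and the server echoed back that many bytes from memory. As an added example (not the blog’s or OpenSSL’s code), here is a heartbeat responder that applies the check the OpenSSL fix introduced, run over two constructed messages; the message layout follows RFC 6520, the constant names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Return the payload length a responder may safely echo back, or -1 if
 * the message must be dropped. The final comparison is the check added
 * by the OpenSSL fix: claimed payload + header + minimum padding must fit
 * inside the received record, otherwise the echo would copy memory that
 * lies beyond the message. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING)   /* too short to be well-formed */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_MIN_PADDING > rec_len)  /* the Heartbleed check */
        return -1;
    return (int)payload;
}

/* Build the response into out (capacity out_cap); returns bytes written or -1. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    int payload = heartbeat_payload_len(rec, rec_len);
    if (payload < 0)
        return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_MIN_PADDING;
    if (need > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)payload);          /* echo only bytes that exist */
    memset(out + 3 + payload, 0, HB_MIN_PADDING);       /* padding; random in real TLS */
    return (int)need;
}

/* Constructed samples: a well-formed request carrying 4 bytes, and a malformed
 * one that claims 0xFFFF payload bytes while carrying the same 4. */
static const uint8_t good_req[] = {1, 0x00, 0x04, 'p','i','n','g', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
static const uint8_t bad_req[]  = {1, 0xFF, 0xFF, 'p','i','n','g', 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
```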

–jeroen (who just discovered this is post #2000 on my blog; ain’t this cool? <g>)

Heartbleed

8 Responses to “xkcd: Heartbleed Explanation, or why you should reset passwords, certificates and request new credit cards.”

  1. […] jpluimers on xkcd: Heartbleed Explanation,… […]

  2. IL said

    Does heartbleed attack extend to secured POP3S/IMAPS/SMTPS TLS or STARTTLS connections?

    • jpluimers said

      From what I read it happens for all TLS connections that support heartbeat.

    • IL said

      It does! http://heartbleed.com/

      How widespread is this?

      Most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft’s April 2014 Web Server Survey. Furthermore OpenSSL is used to protect for example email servers (*SMTP, POP and IMAP* protocols), chat servers (*XMPP* protocol), virtual private networks (*SSL VPNs*), network appliances and a wide variety of client side software. Fortunately many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most. Furthermore OpenSSL is very popular in client software and somewhat popular in networked appliances which have most inertia in getting updates.

  3. marco wobben said

    serious ouch indeed!
