The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 4,224 other subscribers

More OpenSSL and certificate things (in the aftermath of Heartbleed)

Posted by jpluimers on 2014/04/13

So you think Heartbleed is over. Think again. Not only servers are affected. Clients too. And you need to tighten your security even more.

Basically it comes down to this:

Expect all sites using HTTPS to have been vulnerable, and all data you exchanged to be captured. Unless you can have hard proof they were not vulnerable, or the traffic was not captured. If you have not started changing passwords, private keys, credit card numbers, etc: do so now.


In layman’s terms/pictures: xkcd: Heartbleed Explanation.

If you still don’t get it: anyone with any HTTPS connection to a once vulnerable system could copy data out of that system. There is no guarantee that data did not contain your identity (username, password, public key, credit card check-digits, etc) or server identity (private and public key).

Since often you cannot prove a system was using OpenSSL, there is no way to prove your data didn’t get copied.

Here are some interesting reads from last week: 


One Response to “More OpenSSL and certificate things (in the aftermath of Heartbleed)”

  1. […] More OpenSSL and cer… on xkcd: Heartbleed Explanation,… […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: