It’s well known that monkeys on different islands discover the same trick at the same time.
That is because the “Alien Space Bats” who control all things on earth decided to dispense that new knowledge at that time!!
Ah, OK, that makes sense. I always wondered why it was so.
See? we have just learned something new at the same time in two very different parts of the world… Does that mean that @ParkinT; is a “Alien Space Bat” that wanted us to know this just right now? And for what purpose? Are his intentions evil? runs and hides
Link to original description of heartbleed bug: http://heartbleed.com/
Link to site checker for vulnerability: https://lastpass.com/heartbleed/
Link to list of big-name sites affected: http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
Link to original explanation comic: http://xkcd.com/1354/
Yes I was notified by LastPass before than anyone else regarding the Heartbleed. Thanks!
A few quick snippets/random points about the Heartbleed bug, just to provide some techie bits and pieces of info from a sysadmin’s travels on the web:
- Heartbleed only allows access to the process providing the SSL connection. That is, if you run Apache, it only allows access to the httpd process. Depending on how you run PHP (or whatever you run) this may be significant as it could substantially limit what’s exposed. Many web servers run PHP under suphp or fastcgi; if so, only basic/digest auth passwords and SSL certs were exposed.
- An SSL cert private key could be stolen using this method, though reports say it’s hard to actually do this in real life. One experimenter actually failed to retrieve an SSL private key using Heartbleed, although at least one experiment did succeed.
- Even if an SSL private key was stolen, it’s not trivial to exploit as the hacker would need to both control DNS and have access to your communication stream. It’s actually easier for them to plant a trojan on your PC or your server. Trust me, most servers aint that secure …
- Apache occasionally runs PHP in DSO mode. This is the most vulnerable mode for PHP/Apache, as it runs PHP in the same process as the openssl code. High volume websites tend to do this as it’s a fast way to run PHP.
- Interestingly, because of the way nginx (a type of webserver, also used by high volume sites) organizes its memory, SSL keys couldn’t be stolen from it. This is because the limited area of memory exposed to Heartbleed never contains SSL keys in nginx. (This was as reported some time ago, assuming it hasn’t changed.)
- If the name of this exploit hadn’t been “Heartbleed” or if it hadn’t had such a trippy bleeding heart as a logo, it would have had 1/10th of the press. Probably good that it did get a lot of press, though despite this around 10% of webservers will probably be vulnerable for about the next 2 years. YMMV
- Regardless of this, it’s probably still password change time - just in case. (And also time to re-key certs on any big sites, of course)
If the name of this exploit hadn’t been “Heartbleed” or if it hadn’t had such a trippy bleeding heart as a logo, it would have had 1/10th of the press. Probably good that it did get a lot of press, though despite this around 10% of webservers will probably be vulnerable for about the next 2 years. YMMV
Every major bug/leak needs a graphics monkey to whip out an awesome logo and some marketing-PR-SEOer to come up with a catchy name for it… and this may solve more security problems involving the general public than any technical solution!