Sunday, April 27, 2014

What A Mess

Who hasn't heard about "Heartbleed"? But I'd like to put it in perspective.

Here's a click bait headline:
Tests confirm Heartbleed bug can expose server's private key
But go read it for yourself. The hacker was able to get the site's security certificate after "2.5 million requests" against a honeypot set up explicitly to be hacked. And keep reading. What did (or could) he do with that certificate? Sign an e-mail with it.

So if somebody hit your bank's site a couple of million times and got its security certificate, they can't do ANYTHING with it without ANOTHER exploit that gives them a man-in-the-middle position.

Just a word to the wise: Don't do your online banking at Starbucks.

I'm not saying that "Heartbleed" isn't a real problem; just keep it in perspective.

And about passwords "leaking" via "Heartbleed": any site worth its salt (pardon the pun) is using good password management, so the passwords IN MEMORY should just be salted hashes.

Ok, sure. Go change your passwords if it makes you feel better.

And if you really want a placebo, go into your browser and enable the "Check for server certificate revocation."

Why is that a placebo? Read Steve Gibson's Certificate Revocation Pages:

  1. Introduction
  2. Commentary
  3. Chrome's CRLSets

Clearly these are one person's opinion and a work in progress. Still, that's a real problem.

What a mess...
