Ditto. Internet safety is a really good practice, but this probably isn't nearly as big of a threat as the media is blowing it out to be.
The bug had been around for over a year without being noticed, so some enterprising hacker may have been pulling gigabytes of 'secure' data over the past year. Facebook, Instagram, bank websites, online stores, etc.
Just because there isn't a sudden epidemic of stolen accounts doesn't mean nobody took advantage of this. There's no way that I know of to determine what data, if any, has been wrongfully sent out.
But in practical terms, yeah, it's not a huge deal if you haven't already had accounts seized. Just change your password after everyone patches their sites.
Also, with the Heartbleed thingy. Even though it's a very real threat and all that good stuff, can't help but feel it's being blown out of proportion, lmao.
It's really not that blown out of proportion - it's quite serious and affects a wide range of sites. The issue is that no one knows whether it had been previously discovered or exploited, so we all generally have to assume all HTTPS traffic from the past 2 years has been unencrypted (and so will all future communication if you don't revoke and create new keys).
It also doesn't help that corporations were slow as hell to react, making a large number of sites vulnerable for days after the general public already knew how to exploit the bug. It's... really bad.
Originally posted by Izzy
I find it weird that this is even a real exploit. I remember learning about memory hacks like this and how to avoid them with error checking when writing C code in school. What were the developers thinking when they wrote this code? I was kind of under the impression that all of these developers were incredibly smart. Not saying I could have done any better, but when writing internet security libraries I would kind of be paranoid as fuck about this exact kind of problem.
Yup, all it takes is one wrong length passed to memcpy and/or the lack of a bounds check. Also, OpenSSL is written by monkeys (yes, ironic SSL cert warning, ignore it).