[kwlug-disc] Heartbleed affected sites

Bob Jonkman bjonkman at sobac.com
Fri Apr 11 17:44:00 EDT 2014



If your router is accessible from the WAN port via http then you have
more urgent problems than Heartbleed.

If a site has both http and https then there's no (new) vulnerability
with http, but a Heartbleed attack on https can still extract
passwords and other info.

To extract a password from an http session a bad guy needs to be a
man-in-the-middle, or sniffing the network (remember Firesheep?). To
extract a password with Heartbleed an attacker only has to initiate an
https session.

--Bob.



On 14-04-11 05:35 PM, Khalid Baheyeldin wrote:
> But, wouldn't Heartbleed be an issue, only if you use SSL on the
> site? For example, if you have OpenWRT/Tomato/DD-WRT and logging
> via http (not https), then there is no exploit via OpenSSL?
> 
> 
> On Fri, Apr 11, 2014 at 3:26 PM, Bob Jonkman <bjonkman at sobac.com>
> wrote:
> 
> If you're using a tool to check for Heartbleed vulnerabilities, be 
> sure to check the Web interface on your router and/or modem as
> well.
> 
> I'm not sure if router vendors are on top of this, but according
> to ssltest.py my Tomato/MLPPP Version 1.25-mp3alpha6 (from 
> http://fixppp.org ) is not vulnerable, nor my Thomson Speedtouch
> modem with firmware 6.1.0.5
> 
> Also, somebody asked me how safe these vulnerability checking
> tools are, especially the online and Javascript-based ones. What's
> to say they're not merely displaying "all is well", and actually
> compiling a list of vulnerable sites for later exploitation?
> 
> --Bob.
> 
> 
> On 14-04-08 12:06 PM, Khalid Baheyeldin wrote:
>>>> You can use this python tool ssltest.py to check if your
>>>> servers are vulnerable:
>>>> 
>>>> $ wget -O ssltest.py "http://pastebin.com/raw.php?i=WmxzjkXJ"
>>>> $ python ssltest.py example.com
> 
> 
> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>>>> Mashable has a list going of sites affected by Heartbleed:
>>>> 
>>>> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
>>>> 
>>>> Don't forget to add Canada Revenue (and most other government
>>>> sites) to your list of passwords to change!
> 
> 
> 
> Bob Jonkman <bjonkman at sobac.com>          Phone: +1-519-669-0388 
> SOBAC Microcomputer Services             http://sobac.com/sobac/ 
> http://bob.jonkman.ca/blogs/    http://sn.jonkman.ca/bobjonkman/ 
> Software   ---   Office & Business Automation   ---   Consulting 
> GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
> 
>> 
>> 
>> _______________________________________________ kwlug-disc
>> mailing list kwlug-disc at kwlug.org 
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>> 
> 
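As an added example (not from Bob's post, the list, or ssltest.py), here is the defender-side counterpart to the point above that a Heartbleed attack only needs an https session: a small parser that walks captured TLS records and flags heartbeat requests whose declared payload_length cannot fit in the record, which is the shape an IDS rule looks for. The record and heartbeat layouts follow RFC 5246/6520; the sample bytes are constructed here.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for the Heartbeat extension (RFC 6520)
HB_REQUEST = 1         # HeartbeatMessageType heartbeat_request
MIN_PADDING = 16       # RFC 6520: padding must be at least 16 bytes


def check_heartbeat_records(data):
    """Walk a stream of TLS records and report heartbeat requests whose declared
    payload_length is larger than the record can hold (the Heartbleed shape).

    Returns a list of (record_offset, declared_payload_length, record_length).
    """
    findings = []
    off = 0
    while off + 5 <= len(data):
        ctype, _version, rlen = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + rlen]
        if len(body) < rlen:
            break  # truncated record: stop rather than misparse the tail
        if ctype == TLS_HEARTBEAT and len(body) >= 3:
            hb_type, declared = struct.unpack("!BH", body[:3])
            # A well-formed message needs type(1) + length(2) + payload + >=16 padding.
            if hb_type == HB_REQUEST and declared + 3 + MIN_PADDING > rlen:
                findings.append((off, declared, rlen))
        off += 5 + rlen
    return findings


def tls_record(ctype, body, version=0x0302):
    """Wrap a body in a TLS record header (constructed sample data helper)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def heartbeat(hb_type, declared_len, payload, padding):
    """Build a heartbeat message with an arbitrary declared length (sample data helper)."""
    return struct.pack("!BH", hb_type, declared_len) + payload + padding


# Constructed sample stream: a handshake stub (ignored), a benign 4-byte
# heartbeat request with 16 bytes of padding, then a request that declares
# 16384 bytes of payload while the record carries none.
SAMPLE = (
    tls_record(0x16, b"\x01" + b"\x00" * 10)
    + tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, 4, b"ping", b"\x00" * 16))
    + tls_record(TLS_HEARTBEAT, heartbeat(HB_REQUEST, 0x4000, b"", b""))
)

if __name__ == "__main__":
    for off, declared, rlen in check_heartbeat_records(SAMPLE):
        print(f"malformed heartbeat at offset {off}: declares {declared} bytes, record holds {rlen}")
```

The same check applied to real captures would run over the decrypted-or-not record layer; heartbeat records are visible unencrypted when sent before the handshake completes, which is exactly why the probe is so cheap for an attacker and so easy for a sensor to spot.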