
Re: Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping



You can find a list of the current situation at the "Top 100" sites at http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

Paul Lagasse

On 04/10/2014 12:22 PM, J R FOX wrote:
Quick show of hands now: how many have been rushing to change all their online passwords (as has been strongly recommended) in the wake of this news? With 5 mail accounts, password-access forum memberships, and a host of other things, I have too many passwords to keep track of. I really should have found a good password manager app a long time ago. (Actually I did, some years ago, but it was for OS/2, relatively complicated as such apps go, and development on it ceased.) That said, I've never done any online banking -- except for PayPal, which is very hard to avoid -- because I never trusted the entire concept. Email? No super-sensitive business stuff in there. I'm not sure how worried I'm apt to get over this. 98% of the public is ill-informed about most of whatever is going on at the moment, so I would bet that this remains widely overlooked . . . until such time as it actually bites them, and forces an active response.


  Jordan



From: Lynn Brenner mailto:lynn.brenner.nyc@xxxxxxxx
To: xywrite@xxxxxxxx
Sent: Wednesday, April 9, 2014 8:19 AM
Subject: Re: Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping


Bill,

I agree that we can assume this vulnerability hasn't been exploited in the past two years. Lots of customer money suddenly vanishing from big financial institutions would have set off a big hullaballoo.

But all this publicity has alerted hackers to its existence, presumably opening a window of opportunity for them before everyone patches the problem....

Lynn


On Wed, Apr 9, 2014 at 10:22 AM, Bill Troop mailto:billtroop@xxxxxxxx wrote:
Isn't it significant, though, that this vulnerability has existed for two years and that it hasn't been perceptibly exploited? The announcement seems to have an agenda other than user safety (i.e. the authors want to improve their credentials by publishing a sensational paper).

At 09/04/2014 05:23, you wrote:
Here's the stuff of nightmares - off topic, but important to know about:

http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

That's the most detailed story, but it's running everywhere at this point - Reuters, CNN, NYT, WSJ etc

Lynn Brenner