Heartbleed bug - security flaw in SSL/TLS

[aceplace57]

This potential could be a big one. That padlock symbol that tells you the connection i secure? You’ll often see it logging in or checking out on a shopping web site. I realize these acronyms mean little to most people. The article explains the problem in more detail.

They found a major security flaw. Oh, crap.

They’ve already got a patch for OpenSSL. It has to be applied to all the web sites that use it. Yahoo is fixing their sites now.

That means password changes are coming.

I wonder if SSH is also effected?

What is the ‘Heartbleed’ bug? Understanding the major Internet security...

Q: How does it work?

A: Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock is closed. Interlopers can also grab the keys for deciphering encrypted data without the website owners knowing the theft occurred.

The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.

[jimbuff314]

Thread already going on: Heartbleed

[aceplace57]

I never thought to look for it in IMHO.

I was just reporting the security flaw. Not soliciting opinions about it.

[Quimby]

FWIW I did the exact same thing earlier today.

[aceplace57]

Well, I really screwed this up then. So sorry.

The thread should be in Mundane. That’s where Windows security flaws are normally reported. Thats where I look for them.

[blindboyard]

SSH isn’t effected.

[aceplace57]

It’s rare to here directly from the programmer that caused the problem. Contributors like Seggelmann are an important part of the Open Source projects. Usually the review process catches any errors. Once in awhile one still gets through.

Developer confesses to accidentally writing the Heartbleed code

German programmer Dr Robin Seggelmann told the Sydney Morning Herald he wrote the code, which was then reviewed by other members and eventually added to the OpenSSL software.

He admitted the mistake itself was ‘trivial’, but added that its effect is ‘clearly severe’.

The code was added on New Year’s Eve in 2011 and no-one spotted the mistake until earlier this month.

‘It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,’ Dr Seggelmann said.

‘It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.’

Dr Seggelmann said the flaw was missed by him and a reviewer, who appears to have been
Dr Stephen Henson, according to the logs.

OpenSSL is an open-source program which anyone can contribute to and improve.

Changes are submitted and reviewed before being added to the final release.

Websites are then sent this release to update their systems.

[KneadToKnow]

Obligatory XKCD link.