More Fun
CBS is reporting the problem with a misleading headline: “Heartbleed” bug in Web security exposes passwords to hackers
The bug afflicts version 1.0.1 and 1.0.2-beta releases of OpenSSL, server software that ships with many versions of Linux and is used in popular Web servers, according to the OpenSSL project’s advisory on Monday night. OpenSSL has released version 1.0.1g to fix the bug, but many Web site operators will have to scramble to update the software. In addition, they’ll have to revoke security certificates that now might be compromised.
This is definitely a ‘bad thing’, but the reporting takes a long time to get to how it affects you. Among the more common uses of OpenSSL is preparing the keys you submit to a Certifying Authority to be granted the certificate used to encrypt data, like passwords, exchanged between users and a server. If you can capture the keys to the server, you can set up a listening post on the line and capture information like passwords and account names.
The real problem is getting people to update their software. A lot of problems are still hanging around because too many people don’t update often enough, and a few have never updated.
April 8, 2014