Major OpenSSL Vulnerability Discovered

Status
Not open for further replies.

Tom Bombadildo


OpenSSL, the open-sourced SSL/TLS protocols used by a large number of websites, suffers from what most are calling a "very serious and very damaging vulnerability" called the "Heartbleed Bug". For any web devs out there currently using OpenSSL 1.01 to 1.01f, it's STRONGLY recommended you update to 1.01g in order to fix this.


What leaks in practice?
We have tested some of our own services from an attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

How to stop the leak?
As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.


More info and some FAQs can be seen from the Source.
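
An added example, not part of the original post: a small triage helper that sorts `openssl version` banners from an inventory into those inside and outside the affected range. OpenSSL's own banners write the range the post gives as 1.0.1 through 1.0.1f, with 1.0.1g as the fixed release; the host names and banner strings below are constructed sample data.

```python
import re

# Version token in `openssl version` output, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(\S*)")


def classify(banner):
    """Return 'in-range', 'in-range-check-vendor', 'outside-range' or 'unparsed'."""
    m = _BANNER.search(banner)
    if m is None:
        return "unparsed"
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4), m.group(5)
    # Affected: branch 1.0.1 with no letter or a letter up to "f"; "g" and later are fixed.
    if branch != (1, 0, 1) or letter >= "g":
        return "outside-range"
    # Distribution builds (suffix such as "-fips") often carry a backported fix
    # while keeping the old letter, so the package changelog has to be checked.
    return "in-range-check-vendor" if suffix else "in-range"


def triage(inventory):
    """Given {host: banner}, return the sorted hosts whose banner is in the affected range."""
    return sorted(h for h, b in inventory.items() if classify(b).startswith("in-range"))


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web02": "OpenSSL 1.0.1g 7 Apr 2014",
    "db01": "OpenSSL 0.9.8y 5 Feb 2013",
    "app01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "vpn01": "OpenSSL 1.0.1 14 Mar 2012",
    "cam01": "no banner collected",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_INVENTORY.items()):
        print(f"{host:6} {classify(banner):22} {banner}")
    print("needs action:", triage(SAMPLE_INVENTORY))
```

A banner only reports the upstream version string, so an "in-range" result on a distribution package is a prompt to check the vendor's advisory rather than proof that the host is still exposed.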
 