Futuza
Posted April 9, 2014

Don't forget to update to OpenSSL 1.0.1g if you use it. Hats off to JKHub for having already fixed it/not been vulnerable in the first place.

Caelum likes this

Shadzy
Posted April 11, 2014

Nice conversation about this, I am currently in the process of re-issuing all certificates I purchased!!!

Caelum IIS can't dodge the bullet IF THE SAME CERT is used on Apache!

Caelum likes this

eezstreet
Posted April 11, 2014

You don't need to re-issue your cert, you just need to update your SSL version. Also, I'm actually surprised you're purchasing a cert, seeing as how they're easily faked.

Asulynn
Posted April 12, 2014

I don't understand this, does it affect me?

http://xkcd.com/1354/

This might help to explain it a little bit. It is a bug that has the potential of leaking all sorts of crucial and personal information, including passwords. Just to be cautious, you may wish to change your passwords, especially for popular sites that were most affected (a list here) and where you may have reused the same common password. This doesn't mean that your personal information was for sure confirmed leaked. It just means that it's possible, and you would never know for certain because the nature of this bug leaves zero evidence behind. It's better to be safe than sorry.

Chrome users may also want to enable checking for server certificate revocation, as it is not enabled by default.

EDIT: EDIT:

Though there is also this: http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

But it's definitely a good idea to reissue your certs if at all possible. We reissued all of ours.

https://www.cloudflarechallenge.com/heartbleed

Private keys have successfully been extracted since their (and your) post. So it's definitely good to revoke and reissue them where possible. =P

Caelum and Raz0r like this

Shadzy
Posted April 12, 2014

> You don't need to re-issue your cert, you just need to update your SSL version. Also, I'm actually surprised you're purchasing a cert, seeing as how they're easily faked.

Re-issue is necessary for a complete solution. SSLs are faked? You mean self-signed? Or do you mean ones from SSL Providers are faked?

eezstreet
Posted April 12, 2014

I suppose it doesn't hurt, but it seems a bit excessive. Anyway, SSL certs are quite often faked/generated by people. Only super legit agencies (from what I've heard) actually purchase certs (dey so expensive)

Shadzy
Posted April 13, 2014

> I suppose it doesn't hurt, but it seems a bit excessive. Anyway, SSL certs are quite often faked/generated by people. Only super legit agencies (from what I've heard) actually purchase certs (dey so expensive)

Normal ones, not business grade, for one website usually <£150 a year if you're looking right

For the green bar that's excessive but worth it for big corporations, £500 a year, and for the true big heads like Google, BECOME THEIR OWN CertAuthority!

If your business defo worth it, or making some kind of revenue!! For other purposes, I would agree Eez

eezstreet
Posted April 13, 2014

I still think that's pretty excessive, but hey, people gotta get dat $$$ somehow.

Raz0r
Posted April 20, 2014

Cool explanation of Heartbleed with code examples

http://www.youtube.com/watch?v=1dOCHwf8zVQ

Cerez likes this