Heartbleed OpenSSL

[Futuza]

Don't forget to update to OpenSSL 1.0.1g if you use it.

 

Hats off to JKHub to having already fixed it/not been vulnerable in the first place.

[Circa]

You'll have to thank @@Caelum for that. 

[Shadzy]

Nice conversation about this, I am in the process of currently re-issuing all certificates I purchased!!!

 

Caelum IIS cant dodge the bullet IF THE SAME CERT is used on Apahce!

[eezstreet]

You don't need to re-issue your cert, you just need to update your SSL version. Also, I'm actually surprised you're purchasing a cert, seeing as how they're easily faked.

[Pande]

I don't understand this, does it affect me?

[Asulynn]

I don't understand this, does it affect me?

 

http://xkcd.com/1354/ This might help to explain it a little bit. It is a bug that has the potential of leaking all sorts of crucial and personal information, including passwords. Just to be cautious, you may wish to change your passwords, especially for popular sites that were most effected (a list here) and where you may have reused the same common password. This doesn't mean that your personal information was for sure confirmed leaked. It just means that it's possible, and you would never know for certain because the nature of this bug leaves zero evidence behind. It's better to be safe than sorry.

 

Chrome users may also want to enable checking for server certificate revocation, as it is not enabled by default.

 

 

 

EDIT:

 

EDIT: Though there is also this: http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed

 

But it's definitely a good idea to reissue your certs if at all possible. We reissued all of ours.

 

https://www.cloudflarechallenge.com/heartbleed Private keys have successfully been extracted since their (and your) post. So it's definitely good to revoke and reissue them where possible. =P

[Shadzy]

You don't need to re-issue your cert, you just need to update your SSL version. Also, I'm actually surprised you're purchasing a cert, seeing as how they're easily faked.

 

Re-issue is necessary for complete solution.

SSLs are faked? you mean self-signed? Or do you mean ones from SSL Providers are faked?

[eezstreet]

I suppose it doesn't hurt, but it seems a bit excessive. Anyway, SSL certs are quite often faked/generated by people. Only super legit agencies (from what I've heard) actually purchase certs (dey so expensive)

[Shadzy]

I suppose it doesn't hurt, but it seems a bit excessive. Anyway, SSL certs are quite often faked/generated by people. Only super legit agencies (from what I've heard) actually purchase certs (dey so expensive)

 

Normal ones, not business grade, for one website usually <£150 a year if your looking right

 

For the green bar that's excessive but worth it for big corporations, £500 a year, and for the true big heads like Google, BECOME THEIR OWN CertAuthroity!

 

If your business defo worth it, or making some kind of revenue!! For other purposes, I would agree Eez

[eezstreet]

I still think that's pretty excessive, but hey, people gotta get dat $$$ somehow.

[Raz0r]

Cool explanation of Heartbleed with code examples

 

http://www.youtube.com/watch?v=1dOCHwf8zVQ