Mercury Rising 鳯女

Politics, life, and other things that matter

Test for Heartbleed

Posted by Charles II on April 11, 2014

As you may know, a very basic vulnerability in the Internet has been discovered, one that may have permitted passwords to be stolen for up to two years. Kaspersky has recommended a test for servers here. The default is for Internet Exploder, but there is also a variant for Firefox and Chrome:

Luckily, there is a long list of popular websites that were checked against the vulnerability. Good news: PayPal and Google are unaffected. Bad news: Yahoo, Facebook, Flickr, DuckDuckGo, LastPass, Redtube, OkCupid, 500px and many others were vulnerable. Get ready to act if you have an account on those vulnerable sites.

Here’s a list of vulnerable sites.

Before you change passwords–which is what you need to do–make sure that the patch has been applied.

It would really help if the NSA would devote itself to fixing the Internet rather than spying on Americans. They’re the first ones to know about vulnerabilities, when they’re not creating them.

Via Ars Technica, an interview in the Sydney Morning Herald with the software developer who is responsible for Heartbleed:

Dr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.

“In one of the new features, unfortunately, I missed validating a variable containing a length.”

After he submitted the code, a reviewer “apparently also didn’t notice the missing validation”, Dr Seggelmann said, “so the error made its way from the development branch into the released version.” Logs show that reviewer was Dr Stephen Henson.

Dr Seggelmann said the error he introduced was “quite trivial”, but acknowledged that its impact was “severe”.
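A simplified C model of the kind of missing length validation described in the interview, added here as an illustration; it is not OpenSSL's code. The record layout follows RFC 6520 (1-byte type, 2-byte claimed payload length, payload, at least 16 bytes of padding), and the function names and sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  ((size_t)3)   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING ((size_t)16)  /* minimum padding required by RFC 6520 */
#define RECORD_LEN ((size_t)4)   /* bytes that actually arrived from the peer */

/* Constructed sample: a 4-byte record claiming a 16-byte payload, followed in
 * the same array by unrelated bytes standing in for adjacent process memory. */
static const uint8_t process_memory[] = {
    0x01, 0x00, 0x10, 'A',
    's','e','c','r','e','t','-','k','e','y','-','1','2','3','4'
};

/* Flawed echo: trusts the length field carried inside the message. */
size_t echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;  /* the defect: the received size is never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Validated echo: drop the message when the claim exceeds what arrived. */
size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

int main(void) {
    uint8_t out[64];
    size_t n = echo_unchecked(process_memory, RECORD_LEN, out);
    printf("unchecked: echoed %zu bytes for a 1-byte payload: %.*s\n", n, (int)n, (const char *)out);
    n = echo_checked(process_memory, RECORD_LEN, out);
    printf("checked:   echoed %zu bytes (record discarded)\n", n);
    return 0;
}
```

The unchecked version returns the one real payload byte plus 15 bytes the sender never supplied, which is why passwords should be changed only after the server has been patched.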


One Response to “Test for Heartbleed”

  1. Thanks for this, Charles.

    http://www.motherjones.com/kevin-drum/2014/04/heartbleed-sucking-chest-wound-nsas-reputation
