Test for Heartbleed
Posted by Charles II on April 11, 2014
As you may know, a very basic vulnerability in the Internet has been discovered, one that may have permitted passwords to be stolen for up to two years. Kaspersky has recommended a test for servers here. The default is for Internet Exploder, but there is also a variant for Firefox and Chrome:
Luckily, there is a long list of popular websites that were checked against the vulnerability. Good news: PayPal and Google are unaffected. Bad news: Yahoo, Facebook, Flickr, Duckduckgo, LastPass, Redtube, OkCupid, 500px and many others were vulnerable. Get ready to act if you have an account on those vulnerable sites.
Here’s a list of vulnerable sites.
Before you change passwords–which is what you need to do–make sure that the patch has been applied.
It would really help if the NSA would devote itself to fixing the Internet rather than spying on Americans. They’re the first ones to know about vulnerabilities, when they’re not creating them.
Dr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.
“In one of the new features, unfortunately, I missed validating a variable containing a length.”
After he submitted the code, a reviewer “apparently also didn’t notice the missing validation”, Dr Seggelmann said, “so the error made its way from the development branch into the released version.” Logs show that reviewer was Dr Stephen Henson.
Dr Seggelmann said the error he introduced was “quite trivial”, but acknowledged that its impact was “severe”.