Should I be concerned based on our proximity?
I want to figure out how people were getting a complete private key back out… if they just keep an SSL/TLS session open or just keep creating new ones.
It's all good, player.
It is in progress
Sooooooooo now what?
This?
more like this
Short 50,000ft overview:
Websites use SSL to encrypt connections. This relies on a secret key that the site uses to generate a certificate that tells people "yes, this is the site you are looking for", so that when you go to your bank's website you know you are actually at your bank's website and not at someone trying to fake it.
Someone found a way to abuse this protocol to not only see what you are passing through it and decrypt usernames and passwords, but also to dump that private key, so essentially they could sign certificates and make their own websites that appear to be legit.
Wth. So how can one prevent this? How do I stop some middle-aged man in a shirt and tie sitting in an outdoor cafe from stealing my money?
Completely separate issue
The issue here is that the code written to handle SSL had a bug that let attackers read a bunch of random memory off the vulnerable servers… It will end up being patched on all major sites in the next few days.
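The bug the two posts above are describing (a heartbeat handler that trusts a length field and reads past the end of the request into neighbouring memory), as an added example that is not from this thread and not OpenSSL's own code: a small C model of the vulnerable handler beside the corrected one. Everything in it is constructed for the demo: the 256-byte buffer standing in for process memory, the SECRET string standing in for key material or other users' data that happened to sit next to the request, and the claimed length of 100, chosen so the over-read stays inside the simulated buffer (the real server had no such bound, so the read ran into whatever actually followed).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of a TLS heartbeat message (RFC 6520):
 *     type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * The vulnerable server echoed payload_length bytes of payload without
 * checking that the record actually contained that many bytes, so the copy
 * read past the request into adjacent memory and sent it to the client.
 */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define MEM_SIZE    256   /* size of our constructed "process memory" */

/* Constructed stand-in for whatever sat after the request on the real heap. */
static const char SECRET[] = "[adjacent memory: Cookie: session=deadbeef]";

/* Write a heartbeat request with `claimed_len` in its length field but only
 * `actual_len` real payload bytes, then place SECRET right after the record.
 * Returns the true record length (what the TLS record layer would know). */
size_t build_memory(uint8_t *mem, const uint8_t *payload, size_t actual_len,
                    uint16_t claimed_len) {
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + 3, payload, actual_len);
    size_t rec_len = 3 + actual_len + HB_PADDING;  /* padding left as zeros */
    memcpy(mem + rec_len, SECRET, sizeof SECRET);  /* the neighbouring data */
    return rec_len;
}

/* Vulnerable handler: trusts the length field and never looks at rec_len.
 * Returns the number of response bytes written to `out`. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                                  /* the bug: never consulted */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);          /* reads past the real record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Fixed handler: the claimed payload plus header and padding must fit inside
 * the record that was actually received; otherwise the request is silently
 * dropped, which is the shape of the check the real fix added. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                                   /* too short to be valid */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;                                   /* length field lies: drop */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Does the response contain bytes that were never part of the request? */
int response_leaks_secret(const uint8_t *out, size_t out_len) {
    size_t n = sizeof SECRET - 1;
    for (size_t i = 0; i + n <= out_len; i++)
        if (memcmp(out + i, SECRET, n) == 0)
            return 1;
    return 0;
}

/* Run one scenario: a 2-byte payload "hi" with the given claimed length,
 * through either handler. Stores whether the secret leaked in *leaked and
 * returns the response length (0 means the request was dropped). */
size_t run_scenario(uint16_t claimed_len, int use_fix, int *leaked) {
    uint8_t mem[MEM_SIZE];
    uint8_t out[3 + 65535 + HB_PADDING];
    size_t rec_len = build_memory(mem, (const uint8_t *)"hi", 2, claimed_len);
    size_t n = use_fix ? heartbeat_fixed(mem, rec_len, out)
                       : heartbeat_vulnerable(mem, rec_len, out);
    *leaked = response_leaks_secret(out, n);
    return n;
}

int main(void) {
    int leaked;
    size_t n = run_scenario(100, 0, &leaked);
    printf("vulnerable: %zu response bytes, secret leaked: %s\n", n, leaked ? "yes" : "no");
    n = run_scenario(100, 1, &leaked);
    printf("fixed:      %zu response bytes (0 = request dropped)\n", n);
    n = run_scenario(2, 1, &leaked);
    printf("fixed, honest request: %zu response bytes, leaked: %s\n", n, leaked ? "yes" : "no");
    return 0;
}
```

The point to take away is that rec_len was known to the server all along; the vulnerable path simply never compared the attacker-supplied length against it. The lie of "100 bytes" turns a 2-byte echo into a 119-byte response that carries 98 bytes of memory the client had no business seeing, and doing that repeatedly over fresh connections is how people fished key material out of servers.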
Most of the US government is still on XP. The client we consult for just upgraded to Win 7 because of the XP EOL. So many government applications are incompatible with Windows 7 it's NOT even funny. … yeah it is
Update about Yahoo:
April 2nd post about Yahoo's encryption efforts - http://yahoo.tumblr.com/
Latest update provided by Yahoo:
Update: Yahoo has sent us a new statement. "Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now."
It's cool Yahoo took that long. I wonder how many passwords were lost.
Yahoo accounts are compromised in droves pretty much all day every day anyway lol
Yeah, it's pretty ridiculous that it took them so long to address this.
I see it's finally hitting mainstream media today…
http://www.cnn.com/2014/04/08/tech/web/heartbleed-openssl/index.html?hpt=hp_t2
Which was worse, letting this bug linger or serving up malware via ads?
This bug is worse
Tons of people use the same creds for paypal as their yahoo email addresses
Yeah, no kidding. I'm not sure what distro they're running, but surely they're doing centralized package/patch and configuration management. That should make it pretty easy to push the patch and restart their web servers.
Theyâre both bad
You now know too much! LOL I think I need to change all my passwords and get off pfSense.
Probably should change my Yahoo password… yet again…
Damn them for owning Flickr
Yahoo, Google, Microsoft, Amazon, etc were all affected.
Microsoft's stuff doesn't even use OpenSSL, unless it was some obscure MS site.
Microsoft's Azure doesn't use OpenSSL, and the people who found the bug work for Google :lol:
Yahoo dropped the ball hard on this one
Companies that haven't made improvements for some time are not as affected as companies who continue to update their encryption. This is why many of the larger tech companies are affected.