What is Heartbleed?

Discussion in 'Security' started by jobsbywork, Apr 10, 2014.

  1. #1
    There has been a lot of discussion happening over the internet, but no one is providing proper information. Does anyone have information out there?
     
    jobsbywork, Apr 10, 2014 IP
  2. wisdomtool

    wisdomtool Moderator Staff

    #2
    It is an OpenSSL exploit. You posted in General Business which is a wrong forum to post.
     
    wisdomtool, Apr 10, 2014 IP
  3. Spoiltdiva

    Spoiltdiva Acclaimed Member

    #3
    I don't usually discuss techie stuff on here as I'm likely to make a fool of myself but...Heartbleed has been around for about 2 years. It doesn't have a trace. It was first detected by Google and verified by Codenomicon.
    What the bug basically does is give the hacker the ability to gain data from the server you regularly use (Facebook/Gmail etc.). OpenSSL is *supposed* to give you a secure line when e-mailing or chatting on IM, but in reality thanks to this bug that is no longer the case. On the positive side it is possible that this security flaw was never discovered by hackers so....do you wish to be an optimist and say that it hasn't, or? You can change all your passwords but that's about it.
     
    Last edited: Apr 10, 2014
    Spoiltdiva, Apr 10, 2014 IP
    kingofking, malky66 and ryan_uk like this.
  4. ryan_uk

    ryan_uk Illustrious Member

    #4
    That pretty much sums it up.

    But before you change a password, check that the server has actually been patched (otherwise a hacker could potentially still be watching the packets and gain the new password). I have been using this one, which seems to mostly work well:
    filippo.io/Heartbleed/

    Oh - and it is what is called a "man in the middle" exploit; that means there needs to be something between the server and client to inspect the packets.

    The exploit relies upon a vulnerable version of OpenSSL being compiled with heartbeats enabled.

    Any sites that had "perfect forward secrecy" enabled won't have been vulnerable (or at least since they enabled it). Take a look at:
    https://www.eff.org/deeplinks/2014/04/why-web-needs-perfect-forward-secrecy

    Google is one company that has been using this for Gmail, secure search and other services since about November 2013.

    Finally, @jobsbywork there is plenty of "proper information". Search Google, Bing, DuckDuckGo, or whatever you prefer, and you will find a ton of information easily.
     
    ryan_uk, Apr 10, 2014 IP
    kingofking and malky66 like this.
  5. deathshadow

    deathshadow Acclaimed Member

    #5
    Uhm... not quite guys... Simply changing passwords will NOT plug the hole if it exists on your system.

    Basically all heartbleed does is let you find out someone else's 'private' certificate so that you can view someone else's SSL communications (HTTPS, SSL Pop3/IMAP/SMTP) as if it wasn't secured. Admittedly, it can be used to see your passwords, so change them anyways -- but that's not what it DOES; changing your passwords does jack shit if the vulnerability is still there for them to just lather-rinse-repeat your tuchas all over again!

    You need to patch your copy of OpenSSL up to the latest version (something that should be done anyways) and then re-issue the part that is ACTUALLY compromised -- your SSL certificates. That either means getting a new certificate (if using a real 'trusted' source) or regenerating your private/untrusted one AFTER. You should also enable what's called "dual authentication" since only one side of OpenSSL was compromised.

    Cloudflare has a decent blog entry on it.
    http://blog.cloudflare.com/the-heartbleed-aftermath-all-cloudflare-certificates-revoked-and-reissued

    Most major "trusted" cert issuers are sending new ones.... it's actually causing a pretty hefty spike in CRL traffic.

    But again, until you are sure you are updated to the latest OpenSSL and using new certs, changing your passwords isn't gonna do a blasted thing as you'd still be vulnerable to the same attack all over again. If you don't know what that means or what it entails, you probably shouldn't be managing a server.
     
    deathshadow, Apr 19, 2014 IP
  6. SlimCharles47

    SlimCharles47 Greenhorn

    #6
    This is quoted from this post I read - http://www.interworx.com/community/openssl-vulnerability-strikes-heart-online-security/ "The Heartbleed bug, officially known as CVE-2014-0160, is the result of a defect in OpenSSL's implementation of the SSL protocol's heartbeat function. The heartbeat function is a simple addition to the protocol that allows the machines involved in an SSL connection to send a message to each other requesting a response to verify that the other party is still available. Unfortunately, it's possible to craft the heartbeat message so that the responding server will transmit the contents of a portion of its memory to the originating server. The vulnerability is so serious because it allows an attacker access to information in RAM that may contain private keys and other critical data. With the private keys, an attacker could potentially decrypt all further communication with that server." Hope this helps.
     
    SlimCharles47, Apr 22, 2014 IP
    deathshadow likes this.
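The heartbeat mechanism quoted in the post above is exactly what the CVE-2014-0160 fix tightened: the server must verify that the payload length a peer claims actually fits inside the record it received before echoing anything back. The following is an added example, not code from this thread or from OpenSSL, of a minimal handler that applies that check to constructed sample messages; the field layout follows RFC 6520, and the padding is assumed fixed at 16 bytes (the minimum the RFC requires).

```c
/* Added example (not code from the thread or from OpenSSL): a heartbeat
 * handler with the bounds check the CVE-2014-0160 fix introduced. Layout per
 * RFC 6520: type (1) | payload_length (2, big-endian) | payload | padding (>= 16). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build the response for the request in rec; returns its length, or -1 when
 * the message must be silently discarded (the behaviour the fix mandates). */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The fix: the claimed payload_length must fit inside the record received.
     * Without this check the memcpy below would copy bytes beyond rec. */
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_len)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);        /* echo only what was actually sent */
    memset(out + 3 + payload, 0, HB_PADDING); /* real implementations use random padding */
    return (int)resp_len;
}

/* Constructed sample request: 2-byte payload "hi" followed by 16 zero padding bytes. */
static const uint8_t good_msg[21] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };

/* Well-formed request: returns 21, the length of the response echoing "hi". */
int demo_wellformed(void)
{
    uint8_t out[64];
    int n = heartbeat_respond(good_msg, sizeof good_msg, out, sizeof out);
    return (n == 21 && out[0] == HB_RESPONSE && memcmp(out + 3, "hi", 2) == 0) ? n : -1;
}

/* Same 21-byte record, but payload_length now claims 65535 bytes: returns -1. */
int demo_oversized(void)
{
    uint8_t bad[21], out[64];
    memcpy(bad, good_msg, sizeof bad);
    bad[1] = 0xFF; bad[2] = 0xFF;
    return heartbeat_respond(bad, sizeof bad, out, sizeof out);
}
```

The second demo is the shape of record the quoted post describes; with the length check in place it is discarded instead of answered with whatever happened to follow the request in memory.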
  7. Sandra Peterson

    Sandra Peterson Greenhorn

    #7
    The Heartbleed bug is basically an encryption flaw that is found in websites that use OpenSSL encryption to secure the online data of their customers. The problem is that these SSL encryption protocols have been highly flawed and, taking advantage of this, hackers have been able to crack into these protocol servers. The Heartbleed bug has allowed these cyber criminals to secretly gain access to the encryption keys of these SSL encrypted servers, copy all the critical data and then use it for the fulfillment of their malicious and heinous intentions. It is a vulnerability and weakness of internet technology that has allowed such a high risk threat to nourish. The sad truth is that a large number of giant websites like Facebook, Airbnb and Gmail, that we use almost every day, have also been the victim of this nuisance.
     
    Sandra Peterson, May 6, 2014 IP
  8. deathshadow

    deathshadow Acclaimed Member

    #8
    Yes, cyber-criminals like homeland security, the FBI, the NSA, and pretty much every other alphabet soup organization out there. :D
     
    deathshadow, May 6, 2014 IP