Picked this up on another forum, doesn't really impact me much (I hope!) but I know others here run servers and may be interested:
2014
CVE-2014-0160: 7th April 2014
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1. Reported by Neel Mehta.
Fixed in OpenSSL 1.0.1g (Affected 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1) (https://www.openssl.org/news/vulnerabilities.html#2014-0160)
and
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users. (http://heartbleed.com)
Updates have been rolled out, but one suggested action: "... revoking current keys and generating new ones might be a good idea."
tested idnet and a bunch of sites which all seem safe, including idnet.com. Not sure about modems and routers though, seems its best to turn off remote management which is fine in my router, no idea about BT's modem though as that is remotely managed for firmware updates from btor or btw whoever manages software on that. :fingers:
Things that might be affected include any SSL/TLS web server (https), openvpn, tor, mail servers and any other service that encrypts a link using SSL or TLS. (ssh uses a different mechanism altogether.)
Quote from: nowster on Apr 09, 2014, 09:21:06
Things that might be affected include any SSL/TLS web server (https), openvpn, tor, mail servers and any other service that encrypts a link using SSL or TLS. (ssh uses a different mechanism altogether.)
Theres a site that you can put links into to test, tbh im not wearing a tin foil hat over this as TOR suggest we dont use the internet till its sorted, where as most sites I use test fine already, not sure about the BTOR modem and my router though...although the latter had a firmware update yesterday. https://www.ssllabs.com/ssltest/ idnets mail servers seem ok
IDnet shows ok https://www.ssllabs.com/ssltest/analyze.html?d=idnet.net (https://www.ssllabs.com/ssltest/analyze.html?d=idnet.net)
Good explanation of how it works in today's XKCD comic: http://xkcd.com/1354/