This is day three since the Heartbleed bug was publicly announced. Anyone in IT responsible for web servers was scrambling throughout yesterday to get things patched, unless they are oblivious to what's happening in the world. It has even been reported in the local news, as major sites have been named as vulnerable. Those who keep up with Hacker News and similar sites have known about it since the 7th, and many got things patched right away, as long as they were running a newer version of Ubuntu or Debian. Updates for other distributions appeared on the 8th.
Now, because it is so widespread, as seen in the Netcraft report released yesterday, it's not an easy problem to solve. The only fix is to rebuild OpenSSL from source with the patch (or with the heartbeat extension compiled out, -DOPENSSL_NO_HEARTBEATS) or to move to the fixed 1.0.1 release, 1.0.1g; neither is trivial on every system. The affected versions are 1.0.1 through 1.0.1f (and the 1.0.2 beta); the older 0.9.8 and 1.0.0 branches never had the heartbeat code and are not affected.
To put it in simple terms, a website running an unpatched 1.0.1 OpenSSL is less secure than a site with no SSL at all. Exploiting plain HTTP requires being on the same network or in the traffic path to run a man-in-the-middle attack, or compromising the client or server. Exploiting the Heartbleed bug requires a script found on the Internet and an Internet connection. Worst part: it leaves no trace. The malicious heartbeat is just another TLS record, so the web server's access and error logs never see it; only something watching the TLS layer itself (a packet capture, or an IDS with a heartbeat signature) would. Each request returns up to 64 KB of process memory, and the attacker can simply send it again. What comes back is whatever the program using OpenSSL for TLS/DTLS has in memory near the record buffer: potentially the private key of Apache, Nginx or whatever else is listening, along with session cookies, credentials, and any transaction or application data sitting on the heap. And if the private key leaks, previously captured SSL traffic can be decrypted too, at least for sessions that used RSA key exchange; sessions negotiated with ephemeral DH/ECDH (forward secrecy) can't be recovered from the key alone, though the attacker can still impersonate the server until the certificate is replaced.
What doesn't seem to be affected, for once, is the SSH server: SSH doesn't use TLS/DTLS, so OpenSSH only pulls in OpenSSL's crypto library and never runs the heartbeat code. Anything else that terminates TLS with OpenSSL 1.0.1 is exposed though, not just web servers: mail servers offering STARTTLS, IMAPS and POP3S, OpenVPN, and so on. Clients are not immune either, since a malicious server can send the same malformed heartbeat to a vulnerable client.
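The mechanism described above, as an added example that is not part of the original post and not OpenSSL's own source: a reduced C model of tls1_process_heartbeat (the real code lives in ssl/t1_lib.c), with the unpatched handler beside the check that the 1.0.1g fix added. The simulated heap, the marker string standing in for a private key, the sample request and the function names are all assumptions made for this example; in the real library the memcpy walks into the actual process heap.

```c
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16      /* RFC 6520: at least 16 bytes of padding after the payload */

/* Simulated process heap (an assumption of this example): the incoming TLS record sits
 * at the front, and the bytes after it stand in for whatever else the process held. */
#define HEAP_SIZE 4096
static unsigned char heap[HEAP_SIZE];
static const char secret_marker[] = "-----BEGIN RSA PRIVATE KEY----- (constructed sample, not a key)";
struct record { const unsigned char *data; size_t length; };

/* Place a HeartbeatRequest in the simulated heap. `claimed` goes into the 16-bit
 * payload_length field; `actual` is how many payload bytes really follow it. */
static struct record make_heartbeat(unsigned claimed, const unsigned char *payload, size_t actual)
{
    unsigned char *p = heap;
    memset(heap, 0, sizeof heap);
    *p++ = TLS1_HB_REQUEST;
    *p++ = (unsigned char)(claimed >> 8);  *p++ = (unsigned char)(claimed & 0xff);
    memcpy(p, payload, actual);            p += actual;
    memset(p, 0x41, HB_PADDING);           p += HB_PADDING;
    memcpy(p, secret_marker, sizeof secret_marker);   /* "leftover" heap contents past the record */
    return (struct record){ heap, (size_t)(p - heap) };
}

/* Response construction is the same before and after the fix; only the check in front differs. */
static int build_response(const unsigned char *pl, unsigned payload, unsigned char *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    /* Simulation-only guard keeping the over-read inside the fake heap. Real OpenSSL has
     * nothing like it: memcpy runs past the end of the record into whatever comes next. */
    if ((size_t)(pl - heap) + payload > HEAP_SIZE) return -1;
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);  *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);  bp += payload;   /* copies `payload` bytes, however many that is */
    memset(bp, 0, HB_PADDING);                 /* OpenSSL fills this with random bytes */
    return (int)resp_len;
}

/* Unpatched tls1_process_heartbeat (OpenSSL 1.0.1 to 1.0.1f), reduced: the length field is trusted. */
static int heartbeat_vulnerable(const struct record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;  unsigned char hbtype = *p++;
    unsigned payload = ((unsigned)p[0] << 8) | p[1];  p += 2;   /* n2s(p, payload) */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    return build_response(p, payload, out, out_cap);           /* never compared with rec->length */
}

/* The 1.0.1g fix: discard any record whose claimed payload does not fit in the record
 * that actually arrived. 0 means "silently discarded", as RFC 6520 section 4 requires. */
static int heartbeat_patched(const struct record *rec, unsigned char *out, size_t out_cap)
{
    if (1 + 2 + HB_PADDING > rec->length) return 0;            /* too short for type, length, padding */
    const unsigned char *p = rec->data;  unsigned char hbtype = *p++;
    unsigned payload = ((unsigned)p[0] << 8) | p[1];  p += 2;
    if (1 + 2 + payload + HB_PADDING > rec->length) return 0;  /* the bounds check that was missing */
    if (hbtype != TLS1_HB_REQUEST) return -1;
    return build_response(p, payload, out, out_cap);
}

/* 1 if a response carries the marker, i.e. bytes that were never part of the record. */
static int response_leaks(const unsigned char *resp, int len)
{
    size_t mlen = strlen(secret_marker);
    for (size_t i = 3; len > 0 && i + mlen <= (size_t)len; i++)
        if (memcmp(resp + i, secret_marker, mlen) == 0) return 1;
    return 0;
}

/* Attacker's record: 3 real payload bytes, claimed length 1024. 1 if the handler leaks. */
static int attack_leaks(int patched)
{
    static unsigned char resp[HEAP_SIZE];
    struct record rec = make_heartbeat(1024, (const unsigned char *)"hb!", 3);
    int n = patched ? heartbeat_patched(&rec, resp, sizeof resp)
                    : heartbeat_vulnerable(&rec, resp, sizeof resp);
    return response_leaks(resp, n);
}

/* A well-formed request (claimed == actual) is still answered after the fix. */
static int valid_echo_len(void)
{
    static unsigned char resp[HEAP_SIZE];
    struct record rec = make_heartbeat(3, (const unsigned char *)"hb!", 3);
    return heartbeat_patched(&rec, resp, sizeof resp);   /* 1 + 2 + 3 + 16 = 22 */
}

int main(void)
{
    printf("unpatched leaks heap: %d, patched leaks heap: %d, valid echo: %d bytes\n", attack_leaks(0), attack_leaks(1), valid_echo_len());
    return 0;
}
```

Compile with cc -std=c99 and run: the unpatched handler's reply carries the marker string that sat in memory past the record, the patched handler returns nothing for the same record, and a heartbeat whose length field matches its payload is still echoed (22 bytes). The 16-bit length field is what caps a single probe at 64 KB; nothing stops the attacker from sending the request again, and no HTTP-level log ever records it.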
For more details, visit heartbleed.com
By now, all supported Linux distributions should have their patches out. Updating the package is only half the job: a process that loaded the old libssl keeps running the vulnerable code until it is restarted, so restart every service that uses OpenSSL (or just reboot), then check that nothing is still holding the old library open (on Linux, lsof flags such mappings as DEL). After that, assume the private key may have been read: generate a new key, get the certificate reissued, revoke the old one, and expire any sessions and passwords that went through the server while it was exposed. If you are not on the fixed version with all of that done, GET IT DONE!!!!!
Comment from: TooMeeK [Visitor]
My website is down due to.. lack of activity.
However, I’m still here! :D
Yeess.. we got all our openssl services patched right away when the issue was discovered..
I'm running a new mail server, so don't hesitate to test it!!!
Comment from: phoeniXfury [Member]
haha…yeah. Did you also squash that Bash and SSLv3 bug too? Fun times this year.
I’m super busy so nothing new written for a while. I’ll try to write a couple by the end of the year hopefully if I find the time.