Heartbleed Should Bleed X509 to Death

By Sean Doig Apr 9 2014
I'm not a cryptographer; nor am I a hard core C guru; nor have I invented some brilliant library that gives me street cred to talk about this stuff. I'm a nobody.

But I'm a nobody who cannot help but see the blinding reality of the vastness of the hole we have dug and continue to dig for ourselves.

For the unfamiliar, X.509 is the mechanism by which your web browser decides whether or not to make your padlock turn green on secure sites. Heartbleed is a recently exposed bug that has, and as of writing continues to, leak secrets from web servers all over the world - most of them, in fact. Secrets leaked include the very secrets attackers would use to trick that padlock into turning green when it should turn very red.

Source

To be fair, I have had friends asking if they had to change their passwords. What's the point? If the bug isn't fixed, it's still going to be exploited. Scare mongering again. The server admins just need to patch the servers... as they do all the time with EVERY other bit of software. This is the transition from Techs/Geeks into Userland.


users would know if it was safe to start updating passwords for those sites: https://lastpass.com/heartbleed

What I would like to see LastPass do is have an option to go through my vault and tell me which of the sites are affected. I don't mind changing them, but it would be much quicker to list what it already knows about as a first step.


"What I would like to see lastpass do, is have an option to go through my vault and tell me which of the sites are affected"

^ For those that don't know where that listing came from, run the security test on your LastPass account:

https://lastpass.com/?ac=1&securitychallenge=1

Not only will it show you the Heartbleed info but lots of other good stuff to help secure your passwords: how many dupes you have, it will check the emails in your vault against exploited lists, etc.

I would really suggest, if you're using LastPass (if you're not, why not? It rocks for passwords ;) ), that you run the security test every couple of months. Better your score!



This 2nd OpenSSL hole within a year has really caused me to think about using a password manager. The concern I have, though, is that it might lock me out of my own account on certain devices where I can't get to my keyfile.

It seems like I'd still need at least 3 separate passwords: 1 obviously for the password manager, 1 for my Live ID so I can log in to Windows without the password manager, and at least 1 more for the backup device that holds a backup copy of the key file. Is this the way to go?

I'm looking at KeePass right now since it's open source; not sure I can trust LastPass being proprietary AND in the US.
