On Mon, 07 Apr 2014 21:36:28 -0400, Nick Sabalausky
<[email protected]> wrote:
> On 4/7/2014 7:28 PM, w0rp wrote:
>> http://heartbleed.com/
>> This bug has been getting around. The bug was caused by missing bounds
>> checking.
>> I'm glad to be using a language with bounds checking.
> Whelp, time for that server system upgrade I've been putting off for far
> too long...
In theory, patching openSSL doesn't solve the problem, because someone
could have previously used the vulnerability to get your private key.
So technically you need to also get a new cert. This is what my
password-generation vendor (lastpass.com) is recommending:
1. Generate a new password for your most critical sites.
2. But only after they get a cert dated after today!
I don't think many people understand this aspect.
Hopefully, this vulnerability was not known by hackers before it was
announced. Even if it was, there is quite a window of opportunity for them
as the patched sites roll out.
-Steve
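As an added illustration of the "missing bounds checking" point raised earlier in the thread (this is example code, not from the thread, OpenSSL, or any of its authors): a small parser for a hypothetical length-prefixed record format that checks the declared payload length against both the bytes actually received and the destination buffer before copying. The record layout (1-byte type, 2-byte big-endian length, payload) and the sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout, constructed for this example:
   byte 0 = type, bytes 1-2 = big-endian payload length, then payload. */
#define REC_HDR_LEN 3

/* Copy a record's payload into out. Rejects any record whose declared
   length exceeds the bytes actually present in the input buffer, or the
   space available in the output buffer. Returns the number of payload
   bytes copied, or -1 for a malformed record. */
int copy_record_payload(const uint8_t *in, size_t in_len,
                        uint8_t *out, size_t out_len)
{
    if (in == NULL || out == NULL || in_len < REC_HDR_LEN)
        return -1;

    size_t declared = ((size_t)in[1] << 8) | in[2];

    /* Bounds check 1: the declared length must fit in the received input;
       trusting the header alone would read past the end of `in`. */
    if (declared > in_len - REC_HDR_LEN)
        return -1;

    /* Bounds check 2: it must also fit in the destination buffer. */
    if (declared > out_len)
        return -1;

    memcpy(out, in + REC_HDR_LEN, declared);
    return (int)declared;
}

/* Constructed sample: header claims 5 bytes and 5 bytes are present. */
int demo_well_formed(void)
{
    const uint8_t rec[] = {0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    uint8_t buf[64];
    return copy_record_payload(rec, sizeof rec, buf, sizeof buf);
}

/* Constructed sample: header claims 1000 bytes (0x03E8) but only 5 are
   present; the parser must refuse rather than read beyond the buffer. */
int demo_oversized_length(void)
{
    const uint8_t rec[] = {0x01, 0x03, 0xE8, 'h', 'e', 'l', 'l', 'o'};
    uint8_t buf[64];
    return copy_record_payload(rec, sizeof rec, buf, sizeof buf);
}

int main(void)
{
    printf("well-formed record: %d\n", demo_well_formed());       /* 5 */
    printf("oversized length:   %d\n", demo_oversized_length());  /* -1 */
    return 0;
}
```

The point of the two separate checks is that a length field supplied by the peer is untrusted input: the input-side check is what a bounds-checked language would enforce automatically on the array read, and the output-side check is the one that is easy to forget even when the first is present.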