It’s potentially much, much worse than that. They include the signing keys that web sites use to make "https:" addresses work. So the bad guys can in principle pretend to be https://your-bank.com and steal not just your credit card number but everything. Note that not every bank would have been affected; weirdly enough, if you hadn’t got around to updating your crypto libraries recently, you’re OK (but some would, for sure). So what happened was, geeks everywhere worked all night last night to replace the old keys with new keys. So what we’re hoping is that no really bad bad guy noticed the problem before the good guys did and got in there and stole some keys and stole some credit card numbers and wreaked havoc, before the good guys re-locked the barn door last night. But we won’t know for a while.

On Tue, Apr 8, 2014 at 8:22 AM, John Sessoms <[email protected]> wrote:
> Do those secrets include CREDIT CARD DATA from on-line purchases?
>
> On 4/8/2014 1:53 AM, Tim Bray wrote:
>>
>> Summary: A programming error allows bad guys to steal secrets on a
>> HUGE number of websites; geeks are working late all over the internet
>> closing the barn doors. We won’t know for a while how bad the damage
>> has been.
>>
>> On Mon, Apr 7, 2014 at 7:14 PM, John Sessoms <[email protected]>
>> wrote:
>>>
>>> Just out of curiosity for the rest of us ... WTF?
>>>
>>> On 4/7/2014 8:13 PM, Tim Bray wrote:
>>>>
>>>> In the unlikely event that any of you run https-enabled web sites and
>>>> haven’t visited heartbleed.com today, get thee over there post-haste
>>>> and find out what version of OpenSSL you’re running and consider
>>>> replacing your certs, stat.
>>>>
>>>> I’m not sure I’ve ever seen a more damaging zero-day.
>>>>
>
> --
> PDML Pentax-Discuss Mail List
> [email protected]
> http://pdml.net/mailman/listinfo/pdml_pdml.net
> to UNSUBSCRIBE from the PDML, please visit the link directly above and
> follow the directions.

