Heartbleed SSL bug not Kubu forums


    [ENCRYPTION] Heartbleed SSL bug not Kubu forums

    As far as I have been able to ascertain Kubu forums is not vulnerable but the problem is:

    Facebook
    Yahoo ( some parts, not other parts)
    any of the HUNDREDS of other places that people may utilize on the net:

    Probably one should IMMEDIATELY change

    a) passwords
    b) change to two stage password
    c) in some sites change to "password and recognize an image".

    Heartbleed Wikipedia

    It is rather amazing that various fora around the net have not mentioned this, but...

    the problem is not that one "runs Linux" and is therefore safe....

    "Linux people" also run cell phones, tablets, and also just go to places that have SSL encryption.

    I FULLY EXPECT THAT THERE ARE EXPERTS ON THE FORUM THAT WILL CHALLENGE THIS THREAD...

    I have been "out of" computer internet security since the demise of Castle Cops....

    But.... "Facebook/ANY OTHER CLOUD etc site" does not have anything to do with "running Linux"......

    Heartbleed the list from a day or so ago

    The problem is that there has already been a DEMONSTRATED intrusion....

    The Cloudflare Challenge demonstrates the vulnerability

    The big take away.....

    Running "Linux" here is IRRELEVANT.....the "password" on the site is what is important.

    It is suggested that people change their passwords, as this commenter has done for this site, even though the site has NOT shown vulnerability.

    kudos site mods.

    woodsmoke

    #2
    I don't think there can be a challenge to what is said. In this case it is an issue with SSL and not the OS that utilizes it. That has been my take on it. So yes, it isn't I run Linux and therefore safe as it is on the server side where the PW use is. Again, that is how I've read things.


    EDIT: Note: I'm not an expert so don't take my word for it!



      #3
      The vulnerability is in the code that implements the TLS heartbeat extension in certain versions of the OpenSSL libraries. The version of OpenSSL used on the server hosting Kubuntu forums is not vulnerable. There is no need for our members to do anything.



      Specifically, a specially-crafted message could force a vulnerable service (usually a web server) using the affected OpenSSL libraries to reveal 64 KB of information stored in the service process's memory heap. Multiple messages could force the return of multiple 64 KB chunks. Within this data, an attacker may be able to find clear-text passwords, challenge/response pairs, private keys associated with certificates, or anything else that the service process has stored on its heap. Changing passwords on sites running the vulnerable version of OpenSSL is probably unnecessary, but if you're paranoid, it's not a bad thing to consider.

      Note that any operating system running the vulnerable versions of the OpenSSL libraries is affected. It has nothing to do with being Linux or not Linux. Windows servers, for example, have a completely different SSL implementation called SChannel. SChannel is not affected by this vulnerability at all. However, if someone installed some other web server, like Apache Tomcat, on Windows, then the vulnerability may be present. Again, it depends on which version of the OpenSSL libraries are installed.
      Last edited by SteveRiley; Apr 18, 2014, 11:26 PM.
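
Added example, not part of the thread and not OpenSSL's code: a toy C model of the heartbeat echo described in post #3, showing the unchecked length next to the bounds check that RFC 6520 requires. The 64-byte `heap`, the `session-secret` bytes and all function names are constructed for illustration; the 2-byte length field is why a single reply tops out at 64 KB.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER 3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING 16 /* minimum padding per RFC 6520 */

static uint8_t heap[64]; /* constructed stand-in for the service's heap */

/* Stage a heartbeat request in the toy heap with unrelated data right behind it. */
size_t stage(uint16_t claimed, const char *payload, size_t pad) {
    size_t n = strlen(payload), rec_len = HB_HEADER + n + pad;
    memset(heap, 0, sizeof heap);
    heap[0] = 1; /* heartbeat_request */
    heap[1] = (uint8_t)(claimed >> 8);
    heap[2] = (uint8_t)(claimed & 0xff);
    memcpy(heap + HB_HEADER, payload, n);
    memcpy(heap + rec_len, "session-secret", 14); /* constructed neighbour data */
    return rec_len;
}

/* Flawed pattern: echoes as many bytes as the sender claims, ignoring rec_len. */
size_t echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;
    if (claimed > sizeof heap - HB_HEADER) /* toy bound: stay inside the model */
        claimed = sizeof heap - HB_HEADER;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Corrected pattern: discard unless header + claimed payload + padding fits. */
size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

int main(void) {
    uint8_t out[64];
    size_t n = stage(20, "A", 0); /* 1 payload byte sent, 20 claimed */
    printf("unchecked echoed %zu bytes\n", echo_unchecked(heap, n, out));
    printf("checked echoed %zu bytes\n", echo_checked(heap, n, out));
    n = stage(5, "hello", HB_PADDING); /* well-formed request */
    printf("checked echoed %zu bytes\n", echo_checked(heap, n, out));
    return 0;
}
```

The unchecked handler returns the one real payload byte plus whatever sat behind the record; the checked handler drops the malformed request and still answers the well-formed one.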



        #4
        Thanks and that confirms it is on the server side and why it is up to those individuals that their software is up to date and then the process of SSL certificate reissues.

