Thread: Heart Bleed bug...

  1. #1
    Senior Member willingtocope's Avatar
    Join Date
    Jun 2010
    Location
    Pleasant Hill Iowa
    Posts
    1,097

    Heart Bleed bug...

    http://krebsonsecurity.com/2014/04/h...cryption-keys/

    Oh yeah, unix and Linux is secure...

  2. #2
    Quote Originally Posted by willingtocope View Post
    http://krebsonsecurity.com/2014/04/h...cryption-keys/

    Oh yeah, unix and Linux is secure...
    openssh is a library, compiles on unix and windows.

  3. #3
    Senior Member willingtocope's Avatar
    Didn't say Windows servers weren't at risk also. Merely pointing out that here's a MAJOR security flaw that affects Apache also.

    Incidentally, according to http://filippo.io/Heartbleed/ the Rutgers.edu servers seem okay. Probably not using SSL?

  4. #4
    Android phones are also vulnerable to this from what I heard on NPR. Not sure about iPhones...

    (KLD)

  5. #5
    Quote Originally Posted by willingtocope View Post
    Rutgers.edu servers seem okay. Probably not using SSL?
    If you don't see https:// leading the URL of a site, it's not using SSL.

    Quote Originally Posted by SCI-Nurse View Post
    Android phones are also vulnerable to this from what I heard on NPR. Not sure about iPhones...
    It's not about what devices are vulnerable. It's about the security of any data transmitted over secure layers.

  6. #6
    Senior Member willingtocope's Avatar
    Quote Originally Posted by -scott- View Post
    If you don't see https:// leading the URL of a site, it's not using SSL.


    It's not about what devices are vulnerable. It's about the security of any data transmitted over secure layers.
    I should have said Rutgers.edu port 443 seems okay.

    And...it's not the user's device or browser that's in trouble...it's the software running the site server.

  7. #7
    Quote Originally Posted by SCI-Nurse View Post
    Android phones are also vulnerable to this from what I heard on NPR. Not sure about iPhones...

    (KLD)
    "All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners)."

    http://googleonlinesecurity.blogspot...o-address.html

  8. #8
    Senior Member zagam's Avatar
    Join Date
    Jan 2007
    Location
    Western Australia - Hammer wielding daemon
    Posts
    619
    Heart bleed is an exploit of a TLS extension in OpenSSL. Debian stable fixed this quickly. https://www.debian.org/security/2014/dsa-2896

    GnuTLS is different. We were using the free GnuTLS for public facing services using our certs. I have root and install mostly GPL stuff.

    Quote Originally Posted by willingtocope View Post
    unix and Linux is secure
    Unless root administrator is a fool. It is actually provably secure.

    With certain distros that fool made and signed packages using broken OpenSSL. If the web shop you visited uses broken OpenSSL or public stores (such as injectable SQL) then check your credit card statements.

    Note that the Unix security model is local and multi-user. They did a network model in Plan9.

    Another popular system can never be secure. Any data needs to be excluded from any privacy policy if it's on Windows. You should tell people the truth about what you are doing with their data such as placing it on public stores (RDBMS or Microsoft Windows).

    Though Mac have the Unix brand, Apple have moved away from the proven model since OSX 10.4. If compromised, Apple may not have a solution that won't break everything. If they used the Unix model they would have a solution if their root administrator made a mistake.

    That is why I boot Debian GNU/Linux on my MacBook except when I just want to surf Java/Flash sites.

    Network Failure System Version 4 or never ratified by POSIX ACLs are not the way to fix Berkeley sockets. See Plan9.
