A Gaping Hole in Internet Security?

Bob, Changing passwords on servers that haven't been patched probably doesn't help much, right? Supposedly, you can check the server with this to see if the fix has been done: http://filippo.io/Heartbleed/#google.com. Just enter the URL for the server and get a report.

After reading the article you wrote about Heartbleed software, I wonder if Microsoft sent out updates to XP computers today because of this information was just discovered?

EDITOR'S NOTE: Nothing you can do on your home computer will have any impact, except maybe for changing your online passwords. This is a web server issue.

have u noticed the increase in yahoo email accounts that were hacked recently, some over and over ... i'm wondering if it was related to this exploit..
otherwise how do they crack those passwords with all the captcha security on the yahoo email site???

Bob is the most sane perspective I have encountered for these kinds of issues, and is very real world. I appreciate that when so many play chicken little when it comes to security holes, in order to scare you into buying something.

As it happens I saw this yesterday in the Chicago Trib about 2 kids who brought some VERY DANGEROUS souvenirs home from England. Its very apropos. I would not advise trying what these kids did, it really is dangerous, but no one died, no one was injured, and the same is probably true of this latest vulnerability.

http://www.chicagotribune.com/news/local/breaking/chi-feds-confiscate-wwi-artillery-shells-at-ohare-from-teens-who-called-them-souvenirs-20140408,0,199829.story

An entire neighborhood was not devastated, but in 1972 in Hattiesburg, MS, a man was blown into little pieces after tinkering with such an artillery shell in his backyard. It does happen.

Bob, apparently the CRA, Canada Revenue Agency our income tax collector akin to your IRS, was affected, and they have shut down their servers today preventing on line submission of personal and business income tax forms. Our deadline in Canada is April 30th, and they have indicated that they will extend the deadline by as many days as it takes to secure their servers. They also said that private data was probably vulnerable and have instructed all who use the service to change their passwords as soon as the servers are back on line. Apparently 65% of Canadians file on line so this is a serious problem for them.

Thank you yet again Bob. Every time something like this comes up us everyday users can so easily be caught up in the FUD. Yours is, once again, the voice of common sense and reason. The more I read your column the more I find I am trusting you. Not that anyone is infallible of course, but you have really become my most frequent go to source for the true picture. Grateful thanks again.

Download Start Page,a Privacy Browser,it works with Google. Prevents this nasty,from getting access.

EDITOR'S NOTE: Once again, nothing you can do on your end will matter. It's a server problem, and only the webmaster or system admin can fix it.

Bob, there was a bulldozer driver killed in Germany in January and 7 killed in Thailand last week by exploding WW2 bombs

If you want to test your site for this vulnerability here is a link:
http://filippo.io/Heartbleed/

I've never used SSL as a vendor because it addresses a non-problem, namely theft of data in transit. All the compromises of credit card and other customer information on record have occurred while that data was sitting on an Internet-connected machine, not while it was being transmitted. This is just one more reason not to use SSL.

In your article about Heartbleed you mentioned that you never heard of an old ordinance actually causing harm. In fact, however, it has happened on several occaisions, see "Around the World" at http://en.wikipedia.org/wiki/Unexploded_ordnance .

HI BO ACCORDING TO WHAT I KNOW EVERY TIME YOU CHANGE YOUR PASSWORD THEY WILL KNOW ABOUT THE CHANGE AND USE YOUR CHANGED PASSWORD TO GET INTO YOUR ACCOUNT AS YOU SAID RIGHTLY THAT THE PROBLEM IS WITH THE
WEBSITE SERVER AND NOTHING YOU OR I CAN DO WILL MAKE NOT ONE BIT OF DIFFERENCE ONLY THE SERVER HAS TO FIND A PATCH AND FIX IT AND AS YOU SAY THAT THE FLAW WAS KNOWN SINCE 2011
AND YET NOBODY HAS YET FOUND A PATCH FOR IT AS OF TODAY AS FAR AS I KNOW IF YOU KNOW OF ANY COMPANY OR WEBSITE HAS FOUND A PATCH FOR IT PLEASE LET US ALL KNOW, , AS OF TODAY
REVUHE CANADA HAS SHUT DOWN ITS WEBSITE
SO NOBODY CAN EFILE OR NETFILE AS OF RIGHT NOW AND IF THE GOVERMENT OF CANADA KNOWING OF THE PROBLEM DID NOT FIND A SOLUTION AND LET US KNOW ONLY TODAY THAT SURE SPEAKS VOLUMES BYE FOR NOW

EDITOR'S NOTE: Yes, a fix has been available since Monday. Anyone who administers a web server will know where to find the fix and how to apply it. Details here: https://www.openssl.org/news/secadv_20140407.txt

I looked at the Netcraft site you included above and tested several sites that I use. Netcraft indicated several of the "popular sites" that use the affected TLS extension including Yahoo, Twitter, etc. They didn't mention the biggest (and therefore MOST popular) email site GMail. But when I tested with their tool, GMail uses the TLS extension. This just seems odd to me. Am I just being overly suspicious?

EDITOR'S NOTE: I don't see the connection. Google posted on Wednesday morning that Gmail and other Google services were already patched.

Well... There ARE WW2 bombs that DO explode:
http://www.dailymail.co.uk/news/article-2533304/German-construction-worker-killed-unexploded-World-War-Two-bomb-dug-trench-Digger-driver-dies-instantly-explosion-near-Bonn.html
and
http://edition.cnn.com/2014/04/03/world/asia/bangkok-world-war-2-bomb/

Kind regards and thank you for your fearless driving of the regretted Tourbus ;-)

Here's a really neat cartoon that describes how Heartbleed "works":

http://xkcd.com/1354/

Read the contents of each cartoon "bubble" carefully, especially the last panel. As I understand it, the bubble represents server memory and the Heartbleed bug tricks the server in displaying more memory contents than should be allowed (kind of a memory overflow).

The author of the xkcd site, Randall Munroe, is a physics graduate from CNU (Virginia) and has worked for NASA in robotics.

The word "heartbleed" is a pun based on the word "heartbeat" which is like a software stay alive command.
Little bit of perspective for the record books:
According to many newspapers and news agencies , Dr. Robin Seggelmann, a German software developer, is the one who unknowingly allowed this to happen, making what’s been dubbed as a rookie’s mistake. The bug which introduced the flaw was "unfortunately" missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.
"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he said.
"In one of the new features, unfortunately, I missed validating a variable containing a length."
After he submitted the code, a reviewer "apparently also didn’t notice the missing validation", Dr. Seggelmann said, "so the error made its way from the development branch into the released version."
Dr. Seggelmann said the error he introduced was "quite trivial", but acknowledged that its impact was "severe".

You could blame Dr. Seggelmann , but he did this work for free, and for the open source community. You might assign blame to the whole OpenSSL organization, and the whole open source community. You can blame all the tech giants for missing this bug for so long, but it’s too late and blaming anyone will not help.