heartbleed [updated] 2014-04-11 16:23:05


[updated 2014-04-12 01:59]

Most of you will have heard about the Heartbleed Bug by now. Here is a quick overview and some useful links.

According to heartbleed.com (emphasis mine):

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
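The memory over-read the quote describes, as an added example that is not code from the original post or from OpenSSL: a self-contained C model of a TLS heartbeat handler. A heartbeat request carries a 1-byte type, a 2-byte payload length and the payload, and the receiver echoes the payload back. The vulnerable handler trusts the sender's length field and copies that many bytes, so the echo carries whatever sits in memory after the short real payload; the fixed handler first checks that the claimed payload fits in the record that actually arrived. The names (`heartbeat_record`, `hb_respond_vulnerable`, `hb_respond_fixed`, `build_memory`), the 64-byte "process memory" and the `SESSION-COOKIE` secret are constructed for illustration, and the bounds check mirrors the nature of the fix (claimed length against received length), not OpenSSL's exact code.

```c
/* Added example: model of the TLS heartbeat read overrun (CVE-2014-0160).
 * Not OpenSSL code; identifiers and data are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define HB_PADDING 16  /* a heartbeat message ends with at least 16 bytes of padding */

/* A received TLS record: its bytes and how many of them actually arrived. */
typedef struct {
    const unsigned char *data;
    size_t length;
} heartbeat_record;

static size_t read_u16(const unsigned char *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Vulnerable: trusts the sender's 2-byte payload length and never compares it
 * against rec->length, so memcpy reads past the real payload into whatever
 * follows it in memory. Returns bytes written to out (0 if out is too small). */
size_t hb_respond_vulnerable(const heartbeat_record *rec, unsigned char *out, size_t out_cap) {
    size_t payload = read_u16(rec->data + 1);
    if (3 + payload + HB_PADDING > out_cap) return 0;   /* guards only the output buffer */
    out[0] = 0x02;                                      /* heartbeat response */
    out[1] = rec->data[1];
    out[2] = rec->data[2];
    memcpy(out + 3, rec->data + 3, payload);            /* the over-read */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Fixed: header + claimed payload + padding must fit inside the record that
 * was actually received; otherwise the request is silently dropped. */
size_t hb_respond_fixed(const heartbeat_record *rec, unsigned char *out, size_t out_cap) {
    if (rec->length < 3 + HB_PADDING) return 0;           /* too short to be a heartbeat */
    size_t payload = read_u16(rec->data + 1);
    if (3 + payload + HB_PADDING > rec->length) return 0; /* the bounds check Heartbleed lacked */
    if (3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = 0x02;
    out[1] = rec->data[1];
    out[2] = rec->data[2];
    memcpy(out + 3, rec->data + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Constructed "process memory": a heartbeat with a 4-byte payload ("ping",
 * 23 bytes on the wire including padding) followed by an unrelated secret.
 * `claimed` is the payload length the sender writes into the header. */
static const char SECRET[] = "SESSION-COOKIE=abc123";
#define REAL_RECORD_LEN (3 + 4 + HB_PADDING)

static void build_memory(unsigned char *memory, size_t claimed) {
    memset(memory, 0, 64);
    memory[0] = 0x01;                          /* heartbeat request */
    memory[1] = (unsigned char)(claimed >> 8);
    memory[2] = (unsigned char)(claimed & 0xff);
    memcpy(memory + 3, "ping", 4);             /* the only real payload bytes */
    memcpy(memory + REAL_RECORD_LEN, SECRET, sizeof SECRET);  /* adjacent secret */
}

/* Attacker claims 44 bytes; the vulnerable handler echoes 44, 4 of them real
 * and the rest read from beyond the record, SECRET included. Returns 63. */
size_t demo_vulnerable_leak(unsigned char *out, size_t out_cap) {
    unsigned char memory[64];
    build_memory(memory, 44);
    heartbeat_record rec = { memory, REAL_RECORD_LEN };
    return hb_respond_vulnerable(&rec, out, out_cap);
}

/* Same request against the fixed handler: 3 + 44 + 16 > 23, so it returns 0. */
size_t demo_fixed_rejects(unsigned char *out, size_t out_cap) {
    unsigned char memory[64];
    build_memory(memory, 44);
    heartbeat_record rec = { memory, REAL_RECORD_LEN };
    return hb_respond_fixed(&rec, out, out_cap);
}

/* An honest request (claimed == 4) still gets its 23-byte echo from the fixed handler. */
size_t demo_fixed_accepts_honest(unsigned char *out, size_t out_cap) {
    unsigned char memory[64];
    build_memory(memory, 4);
    heartbeat_record rec = { memory, REAL_RECORD_LEN };
    return hb_respond_fixed(&rec, out, out_cap);
}

int main(void) {
    unsigned char out[128];
    size_t n = demo_vulnerable_leak(out, sizeof out);
    printf("vulnerable handler echoed %zu bytes; bytes past the real payload: %.21s\n",
           n, (const char *)(out + 3 + 4 + HB_PADDING));
    printf("fixed handler echoed %zu bytes for the same request\n",
           demo_fixed_rejects(out, sizeof out));
    printf("fixed handler echoed %zu bytes for an honest request\n",
           demo_fixed_accepts_honest(out, sizeof out));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed payload length against `rec->length`; everything else, including the output-buffer check the vulnerable version already has, is identical. That is why a vulnerable server never crashes: it reads within its own heap and returns up to 64 KiB of it per request, and nothing in the protocol records that it happened.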


- Felix

Comments


Ars Technica: Critical crypto bug in OpenSSL opens two-thirds of the Web to eavesdropping

Ars Technica: Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style

Ars Technica: Heartbleed vulnerability may have been exploited months before patch

Ars Technica: Researchers find thousands of potential targets for Heartbleed OpenSSL bug

Diagnosis of the OpenSSL Heartbleed Bug

Tor: OpenSSL bug CVE-2014-0160

LastPass Heartbleed checker

Schneier on Security: Heartbleed

Schneier on Security: More on Heartbleed

xkcd: Heartbleed

xkcd: Heartbleed Explanation

BBC: Heartbleed Bug: Tech firms urge password reset

Mashable: The Heartbleed Hit List: The Passwords You Need to Change Right Now

NYTimes: Experts Find a Door Ajar in an Internet Security Method Thought Safe

Tom's Guide: Heartbleed: Who Was Affected, What to Do Now

CNET: 'Heartbleed' bug undoes Web encryption, reveals Yahoo passwords

CNET: How to protect yourself from the 'Heartbleed' bug

CNET: Heartbleed bug: Check which sites have been patched

CNET: Heartbleed bug: What you need to know (FAQ)

EFF: The Bleeding Hearts Club: Heartbleed Recovery for System Administrators

EFF: Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?

Volkskrant (Dutch): Heartbleed: serious leak in secured internet connections (original title: "Heartbleed: ernstig lek in beveiligde internetverbindingen")

Volkskrant (Dutch): 'Heartbleed' leak: these are the passwords you should change as soon as possible (original title: "'Heartbleed'-lek: deze wachtwoorden kunt u het best zo snel mogelijk wijzigen")

Volkskrant (Dutch): Internet in a panic over Heartbleed - but how bad is it really? (original title: "Internet in paniek om Heartbleed - maar hoe erg is het echt?")

Q&A & Discussion

Hacker News: The Heartbleed Bug

Hacker News: OpenSSL Security Advisory: TLS heartbeat read overrun

Reddit: Heartbleed

Reddit Programming: The Heartbleed Bug

Stack Exchange: What should a website operator do about the Heartbleed OpenSSL exploit?

Stack Exchange: What should end-users do about Heartbleed?

Stack Exchange: Should I change all my passwords due to heartbleed

Stack Exchange: Does the heartbleed vulnerability affect clients as severely?

Services

Amazon: AWS Services Updated to Address OpenSSL Vulnerability

Bitbucket: All Heartbleed upgrades are now complete

GitHub: Security: Heartbleed vulnerability

Heroku: OpenSSL Heartbleed Security Update

MyKolab: Information on Heartbleed Bug & New SSL Certificate

npm and Heartbleed

PayPal: OpenSSL Heartbleed Bug - PayPal Account Holders are Secure

RubyGems.org's response to CVE-2014-0160 (heartbleed)

Trello and the Heartbleed OpenSSL Vulnerability

...