Computers & Internet Heartbleed


I thought it was about some virus that eats at your heart until you die, opened it and saw it was some computer mumbo-jumbo that I don't understand. Not concerned.
 
For those unaware, SSL (Secure Sockets Layer) is a form of cryptography used to transport data across a network - most commonly the internet. If you are communicating with a web site over SSL you'll notice HTTPS (as opposed to HTTP) in the browser. Your bank, facebook, twitter or any web site with any sort of decent revenue should be using SSL. Essentially what happens is when you access a site all the data that gets sent back and forth will be encrypted. When it gets to the other end it will be decrypted and either displayed by your web browser, or processed by the web server depending on which direction the data is going.

When a website doesn't use SSL (such as bigfooty) all the data that gets sent across the network will be in plaintext. This data includes your username and password when you enter it. If someone was to run a program like wireshark which is able to watch traffic that passes through any network it's connected to. And yes this works, I've run wireshark on my home network and logged onto bigfooty and was able to see my username and password in amongst the data.

I really can't make it any less technical than that.

So yeah it's a pretty concerning issue for anyone who values their privacy... but most people don't so it will pass over 95% of people. SSL is one of the cornerstones of Internet Security and given how many people have relied on it for security it's a bit of a worry because it's really not known how exploited this bug was (maybe it was hardly exploited at all).

I always push for the open source community so it's disappointing that this has happened, but in some respects it shows the value of the Open Source community because they were able to pick it up - albeit extremely delayed.

Companies who use proprietary SSL software... It may be secure, it may not be. There is just no way for people to know so you're purely relying on them to be honest in their dealings.
 
LOL, thank god you understand it.

Do you think our true identities will be revealed on BF?

 
The only thing I was really worried about was my Steam account, and I changed my password as soon as they fixed the issue.
 
For those unaware, SSL (Secure Sockets Layer) is a form of cryptography used to transport data across a network - most commonly the internet. If you are communicating with a web site over SSL you'll notice HTTPS (as opposed to HTTP) in the browser. Your bank, facebook, twitter or any web site with any sort of decent revenue should be using SSL. Essentially what happens is when you access a site all the data that gets sent back and forth will be encrypted. When it gets to the other end it will be decrypted and either displayed by your web browser, or processed by the web server depending on which direction the data is going.

When a website doesn't use SSL (such as bigfooty) all the data that gets sent across the network will be in plaintext. This data includes your username and password when you enter it. If someone was to run a program like wireshark which is able to watch traffic that passes through any network it's connected to. And yes this works, I've run wireshark on my home network and logged onto bigfooty and was able to see my username and password in amongst the data.

I really can't make it any less technical than that.

So yeah it's a pretty concerning issue for anyone who values their privacy... but most people don't so it will pass over 95% of people. SSL is one of the cornerstones of Internet Security and given how many people have relied on it for security it's a bit of a worry because it's really not known how exploited this bug was (maybe it was hardly exploited at all).

I always push for the open source community so it's disappointing that this has happened, but in some respects it shows the value of the Open Source community because they were able to pick it up - albeit extremely delayed.

Companies who use proprietary SSL software... It may be secure, it may not be. There is just no way for people to know so you're purely relying on them to be honest in their dealings.

I don't like quoting big chunks of text but that is a damn fine explanation. Cheers for that!
 
What I didn't address above is the bug itself. This is a little more technical but hopefully understandable.

SSL is a protocol. A protocol is a method of communication over a network. The one everyone is most familiar with is HTTP (Hyper Text Transfer Protocol) which is used to serve websites. OpenSSL is an implementation of the SSL protocol that is widely used. OpenSSL is the only implementation affected by heartbleed, and only a specific version of OpenSSL (1.1). There are 3 stable versions of OpenSSL - 1.1, 1.0 and 0.9. From what I've read it's estimated 20% of HTTPS web sites on the internet are using OpenSSL 1.1.

As with any form of encryption SSL uses a key. Only the communicating devices know this key. You can think of it like a house key. Only you have the key to your house so only you can get in (legally). Same here - only the devices have the key so only they can encrypt and decrypt the messages back and forth.

This heartbleed bug is - under the right circumstances, which appear quite easy to replicate now that it's known - leaking bits of memory from the OpenSSL application. This includes content, but most importantly the key a server is using to communicate with. It's only leaking 64kb at a time (each heartbeat as they are calling it) which isn't much but over time you could build a profile of a server and eventually replicate their cryptographic key which would enable you to impersonate the service.
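Added example, not part of the post above and not OpenSSL's code: a self-contained C model of the memory leak the post describes, with a heartbeat echo that trusts the length the request claims shown beside one that checks it against the real record length. The arena, the fake secret and all function names are constructed for illustration; the message layout (type byte, 2-byte length, payload, 16 bytes of padding) follows the heartbeat extension.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_HEADER  3   /* 1-byte type + 2-byte claimed payload length */
#define HB_PADDING 16  /* minimum padding that follows the payload */
/* Constructed stand-in for server memory: request first, fake secret after. */
static uint8_t arena[64];
static const char SECRET[] = "FAKE-SECRET-KEY";
static size_t claimed_len(void) { return ((size_t)arena[1] << 8) | arena[2]; }

/* Stores a request with a 4-byte payload that claims `claimed` bytes. */
size_t build_request(uint16_t claimed) {
    size_t rec_len = HB_HEADER + 4 + HB_PADDING;   /* real length: 23 */
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                  /* heartbeat request */
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)(claimed & 0xff);
    memcpy(arena + HB_HEADER, "ping", 4);
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1);
    return rec_len;
}

/* Unchecked: echoes as many bytes as the request claims to carry. */
size_t echo_unchecked(size_t rec_len, uint8_t *out) {
    size_t n = claimed_len();
    (void)rec_len;                                 /* real length never consulted */
    if (n > sizeof arena - HB_HEADER) n = sizeof arena - HB_HEADER; /* stay in arena */
    memcpy(out, arena + HB_HEADER, n);
    return n;
}

/* Checked: drops a request whose claimed length does not fit the record. */
size_t echo_checked(size_t rec_len, uint8_t *out) {
    size_t n = claimed_len();
    if (HB_HEADER + n + HB_PADDING > rec_len) return 0;
    memcpy(out, arena + HB_HEADER, n);
    return n;
}

/* Returns 1 if the fake secret appears in the n reply bytes. */
int reply_contains_secret(const uint8_t *out, size_t n) {
    for (size_t i = 0; i + sizeof SECRET - 1 <= n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET - 1) == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t out[sizeof arena];
    size_t len = build_request(40), n = echo_unchecked(len, out);
    printf("unchecked: %zu bytes, leaked=%d\n", n, reply_contains_secret(out, n));
    printf("checked: %zu bytes\n", echo_checked(len, out));
}
```
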

Do you think our true identities will be revealed on BF?
your secret identity is safe with me
 
