News - Heartbleed bug makes web users concerned and confused

**HEXUS** · 10-04-2014, 11:12 AM

But there are two simple steps, as recommended by Kaspersky, for users to follow.

**DemonHighwayman** · 10-04-2014, 11:41 AM

The link for heartbleed test page isn't working

**mtyson** · 10-04-2014, 12:22 PM

sorry, link is fixed now

**McEwin** · 10-04-2014, 12:40 PM

Does anyone else see the irony in calling it *Open*SSL...?

**Gh0sty** · 10-04-2014, 03:48 PM

I use lastpass and with in a day they had built in a vulnerability check that checks all the sites I have stored to see if they were affected or not. Cant beat that for customer service!

**Heisenberg** · 10-04-2014, 08:58 PM

Originally Posted by Gh0sty

I use lastpass and with in a day they had built in a vulnerability check that checks all the sites I have stored to see if they were affected or not. Cant beat that for customer service!

I also use LastPass now thanks to a friend, can't live without it.

**watercooled** · 10-04-2014, 11:38 PM

Oh a slight detour from the well-covered direct impact of this flaw, I wonder if this will be a sufficient kick up the rear to get the fragmented mess of certificate revocation sorted?

As has been alluded to elsewhere, I can see any potentially stolen certificates being used in combination with MITM and/or DNS redirection to create some pretty convincing phishing websites.

I found a test page from Verisign, to see how various browsers respond: https://test-sspev.verisign.com:2443...risign.html‎
Firefox, IE and Chrome on desktop all call foul play and refuse to allow the connection, as you'd hope, but Chrome on Android doesn't even complain and just displays the page.

Upon further reading, it seems even Chrome and FF only really scrutinise EV certificates, and will happily accept 'standard' certificates without complaining: http://news.netcraft.com/archives/20...-practice.html

IMNSHO, the difference between standard and EV shouldn't be one of 'up-to-spec security' and 'wide open to pwnage if the certificate is stolen', and that strikes me as quite irresponsible at best.

I've not looked into whether that test site is EV or standard (although I assume the former), but either way, at least the Chrome Android fails quite spectacularly, and IMO this really isn't a trivial matter in light of recent events.

Any thoughts?

**mack_5991** · 11-04-2014, 01:10 AM

Does anyone have a list of affected sites ?

**Jonj1611** · 11-04-2014, 02:24 AM

It says in the story :/

**fatguy666** · 11-04-2014, 08:51 AM

Meh, it's not like I've got any money so the only thing I'd be worried about is losing access to steam.

ZaO · 14-04-2014, 12:46 AM

Thankyou! Great article! I was wondering how the hell to know which sites I needed to change passwords for, and when to change them. This should make it easier

Thread: News - Heartbleed bug makes web users concerned and confused

LinkBack

Thread Tools

News - Heartbleed bug makes web users concerned and confused

Re: News - Heartbleed bug makes web users concerned and confused

Received thanks from:

Re: News - Heartbleed bug makes web users concerned and confused

Received thanks from:

Re: News - Heartbleed bug makes web users concerned and confused

Re: News - Heartbleed bug makes web users concerned and confused

Re: News - Heartbleed bug makes web users concerned and confused

Re: News - Heartbleed bug makes web users concerned and confused

Re: News - Heartbleed bug makes web users concerned and confused

Re: News - Heartbleed bug makes web users concerned and confused

Re: News - Heartbleed bug makes web users concerned and confused

Re: News - Heartbleed bug makes web users concerned and confused

Thread Information

Users Browsing this Thread

Posting Permissions