Author Topic: Heartbleed  (Read 713 times)


Plane

Heartbleed
« on: April 11, 2014, 06:38:55 PM »

http://imgs.xkcd.com/comics/heartbleed_explanation.png

http://xkcd.com/



Apparently this backdoor has been exploitable for years; it might have allowed access to very sensitive personal and financial information. Was it recently discovered?

Or has it been quietly exploited for quite a while?

Xavier_Onassis

Re: Heartbleed
« Reply #1 on: April 12, 2014, 05:33:48 PM »
I like xkcd, but this explanation does not make sense.
"Time flies like an arrow; fruit flies like a banana."

Plane

Re: Heartbleed
« Reply #2 on: April 12, 2014, 10:40:05 PM »
I like xkcd, but this explanation does not make sense.


I am not an expert programmer, nor much of a programmer at all, so anyone that knows a better explanation should help me here.

On the "secure socket" protocol, which is used by a lot of banks and other secured internet connections, there is a periodic "handshake" which is called "heartbeat".

While the connection is open, each machine will ask the other to repeat a short word or phrase and specify the length of the word or phrase. When the heartbeat does not get a reply, the connection is over.

The hack was to connect and start the heartbeat as normal, but to ask for a greater length of reply than the heartbeat word.

When the Heartbleed hack worked, the server would reply with the requested word, and the additional length of the request was filled with whatever the server had in its buffers, whatever random things it had just recently done. So if it had just recorded a password change, this would be captured by the hacker.

This technique is not going to work anymore; all of the responsible banks and credit cards that use the secure socket know now to plug this leak.

What we do not really know is when this vulnerability was first discovered, nor do we know who might have found how much for how long, very quietly bleeding passwords since when?
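The over-read that the post describes, as an added example that is not part of the thread or of OpenSSL's own source: a heartbeat record is a type byte, a 2-byte claimed payload length, the payload and at least 16 bytes of padding. The vulnerable handler below builds its reply from the claimed length and never compares it with the length of the record it actually received; the fixed handler adds that comparison and silently discards the message when the claim is too large. The `mem` array is a constructed stand-in for process memory, with a constructed sample secret planted right behind the record so the over-read stays inside the array; the function names, the `HAT`/500 request from the comic, and the secret string are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding a heartbeat message carries */

/* Constructed stand-in for process memory: the received record is placed at
 * the start and unrelated data (the "secret") just after it, so the over-read
 * below stays inside this array instead of being undefined behaviour. */
#define MEM_SIZE 1024
static unsigned char mem[MEM_SIZE];
static unsigned char out[MEM_SIZE];
static const char SECRET[] = "password=hunter2";   /* constructed sample data */

/* Lay out a heartbeat request (type, claimed length, payload, padding) in mem
 * and plant SECRET right behind it. Returns the true record length. */
static size_t build_request(const char *payload, uint16_t claimed_len) {
    size_t real_len = strlen(payload);
    size_t rec_len = 1 + 2 + real_len + HB_PADDING;
    memset(mem, 0, sizeof mem);
    mem[0] = TLS1_HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, payload, real_len);
    memcpy(mem + rec_len, SECRET, sizeof SECRET - 1);
    return rec_len;
}

/* Vulnerable handler: echoes as many bytes as the peer claimed, never
 * checking that claim against rec_len (the shape of the Heartbleed bug). */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *reply, size_t *reply_len) {
    (void)rec_len;                          /* the bug: real length ignored */
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    reply[0] = TLS1_HB_RESPONSE;
    reply[1] = (unsigned char)(payload >> 8);
    reply[2] = (unsigned char)(payload & 0xff);
    memcpy(reply + 3, rec + 3, payload);    /* over-read: copies what follows the payload */
    memset(reply + 3 + payload, 0, HB_PADDING);
    *reply_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Fixed handler: the record must be long enough to hold the claimed payload
 * plus padding, otherwise the message is silently discarded. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *reply, size_t *reply_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;        /* too short to be valid */
    if (rec[0] != TLS1_HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;  /* the missing check */
    reply[0] = TLS1_HB_RESPONSE;
    reply[1] = (unsigned char)(payload >> 8);
    reply[2] = (unsigned char)(payload & 0xff);
    memcpy(reply + 3, rec + 3, payload);
    memset(reply + 3 + payload, 0, HB_PADDING);
    *reply_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Byte-string search (memmem is not part of standard C). */
static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* "HAT" with a claimed length of 500: the vulnerable server leaks the secret. */
int vulnerable_leaks_secret(void) {
    size_t rec_len = build_request("HAT", 500), reply_len = 0;
    if (heartbeat_vulnerable(mem, rec_len, out, &reply_len) != 0) return 0;
    return contains(out, reply_len, SECRET);
}

/* The same request against the fixed handler is discarded; nothing is echoed. */
int fixed_rejects_oversized(void) {
    size_t rec_len = build_request("HAT", 500), reply_len = 0;
    return heartbeat_fixed(mem, rec_len, out, &reply_len) == -1 && reply_len == 0;
}

/* An honest request ("HAT", claimed 3) is answered with exactly the payload. */
int fixed_answers_honest(void) {
    size_t rec_len = build_request("HAT", 3), reply_len = 0;
    if (heartbeat_fixed(mem, rec_len, out, &reply_len) != 0) return 0;
    return reply_len == 3 + 3 + HB_PADDING && memcmp(out + 3, "HAT", 3) == 0
           && !contains(out, reply_len, SECRET);
}

int main(void) {
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed rejects oversized: %d\n", fixed_rejects_oversized());
    printf("fixed answers honest:    %d\n", fixed_answers_honest());
    return 0;
}
```

The simulation caps the claimed length well below `MEM_SIZE` so that the over-read lands on the planted secret rather than past the end of the array; against a real server the 16-bit length field lets a single request pull up to 64 KB of whatever happened to sit after the record in the heap, and the request can be repeated indefinitely without leaving anything in the application logs.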

Xavier_Onassis

Re: Heartbleed
« Reply #3 on: April 13, 2014, 08:28:59 PM »
My ebay password, which was also my yahoo password, was hacked. And no, it was not "password" or 123456. It was a combination of letters and numbers. This was about two years ago. I lost nothing as a result, and then I invented more complicated passwords.

I was baffled by the request for HAT (500 letters).
"Time flies like an arrow; fruit flies like a banana."

Plane