[kwlug-disc] Heartbleed affected sites
Bob Jonkman
bjonkman at sobac.com
Fri Apr 11 17:44:00 EDT 2014
If your router is accessible from the WAN port via http then you have
more urgent problems than Heartbleed.
If a site has both http and https then there's no (new) vulnerability
with http, but a Heartbleed attack on https can still extract
passwords and other info.
To extract a password from an http session a bad guy needs to be a
man-in-the-middle, or sniffing the network (remember Firesheep?). To
extract a password with Heartbleed an attacker only has to initiate an
https session.
- --Bob.
On 14-04-11 05:35 PM, Khalid Baheyeldin wrote:
> But, wouldn't Heartbleed be an issue only if you use SSL on the
> site? For example, if you have OpenWRT/Tomato/DD-WRT and log in
> via http (not https), then there is no exploit via OpenSSL?
>
>
> On Fri, Apr 11, 2014 at 3:26 PM, Bob Jonkman <bjonkman at sobac.com>
> wrote:
>
> If you're using a tool to check for Heartbleed vulnerabilities, be
> sure to check the Web interface on your router and/or modem as
> well.
>
> I'm not sure if router vendors are on top of this, but according
> to ssltest.py my Tomato/MLPPP Version 1.25-mp3alpha6 (from
> http://fixppp.org ) is not vulnerable, nor my Thomson Speedtouch
> modem with firmware 6.1.0.5
>
> Also, somebody asked me how safe these vulnerability checking
> tools are, especially the online and Javascript-based ones. What's
> to say they're not merely displaying "all is well", and actually
> compiling a list of vulnerable sites for later exploitation?
>
> --Bob.
>
>
> On 14-04-08 12:06 PM, Khalid Baheyeldin wrote:
>>>> You can use this python tool ssltest.py to check if your
>>>> servers are vulnerable:
>>>>
>>>> $ wget -O ssltest.py "http://pastebin.com/raw.php?i=WmxzjkXJ"
>>>> $ python ssltest.py example.com
>
>
> On 14-04-11 10:51 AM, CrankyOldBugger wrote:
>>>> Mashable has a list going of sites affected by Heartbleed:
>>>>
>>>> http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
>>>>
>>>>
>>>>
>>>> Don't forget to add Canada Revenue (and most other government
>>>> sites) to your list of passwords to change!
>
>
>
> Bob Jonkman <bjonkman at sobac.com> Phone: +1-519-669-0388
> SOBAC Microcomputer Services http://sobac.com/sobac/
> http://bob.jonkman.ca/blogs/ http://sn.jonkman.ca/bobjonkman/
> Software --- Office & Business Automation --- Consulting
> GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
>
>>
>>
>> _______________________________________________ kwlug-disc
>> mailing list kwlug-disc at kwlug.org
>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
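As an added illustration of the point above that a Heartbleed probe is just an https session carrying a malformed heartbeat record (and of what a checker like ssltest.py is really looking for), here is a small defensive parser, not from the thread or from ssltest.py, that flags a TLS heartbeat record whose claimed payload_length exceeds the bytes actually sent; that length mismatch is exactly what the CVE-2014-0160 fix in OpenSSL rejects. The sample records are constructed inline, not captured traffic.

```python
import struct

# TLS record content type for the Heartbeat extension (RFC 6520)
TLS_HEARTBEAT = 0x18
HEARTBEAT_REQUEST = 0x01
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding


def parse_tls_record(data):
    """Split one TLS record into (content_type, version, body).

    Raises ValueError if the 5-byte header or the body is truncated.
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record body")
    return content_type, version, body


def check_heartbeat(record):
    """Classify a single TLS record.

    'not-heartbeat': another content type, nothing to check here
    'ok'           : heartbeat whose claimed payload fits in the record
    'suspicious'   : claimed payload_length larger than what was sent,
                     the shape that made unpatched OpenSSL leak memory
    """
    content_type, _version, body = parse_tls_record(record)
    if content_type != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(body) < 3:
        return "suspicious"  # no room for hb_type + payload_length
    _hb_type, payload_length = struct.unpack("!BH", body[:3])
    # Same bounds check the patched OpenSSL performs:
    # 1 (type) + 2 (length) + payload + 16 (padding) must fit in the record
    if 3 + payload_length + MIN_PADDING > len(body):
        return "suspicious"
    return "ok"


# Constructed samples. GOOD: 4-byte "ping" payload plus 16 bytes padding,
# so the record body is 1 + 2 + 4 + 16 = 23 bytes, matching its header.
GOOD = (bytes([TLS_HEARTBEAT, 0x03, 0x02]) + struct.pack("!H", 23)
        + bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 4)
        + b"ping" + b"\x00" * 16)
# BAD: a 3-byte body that claims a 16384-byte payload (the classic probe).
BAD = bytes([TLS_HEARTBEAT, 0x03, 0x02, 0x00, 0x03, HEARTBEAT_REQUEST, 0x40, 0x00])
# OTHER: a handshake record (type 0x16), which this check ignores.
OTHER = bytes([0x16, 0x03, 0x02, 0x00, 0x02, 0x01, 0x00])
```

Fed the records an IDS or a capture tool has already reassembled, the same check distinguishes a legitimate keep-alive from a probe; it does not itself talk to any server.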