Changes between Version 10 and Version 11 of heartbleed


Timestamp:
Apr 9, 2014, 12:13:07 PM (10 years ago)
Author:
Jamie McClelland
Comment:

--

  • heartbleed

    v10 v11  
    1919
    2020 * All May First/People Link members are encouraged to change your passwords by going to this web site: https://members.mayfirst.org/changepass
    21  * Please be careful of phishing attacks! Please do not enter your password into any site that does not have the lock icon (or starts with https) and ends with mayfirst.org. You may receive emails over the next few weeks warning about this problem and encouraging you to enter your password on illigitimate web sites. Please carefully check the address of any site asking for your mayfirst.org password.
     21 * Please be careful of phishing attacks! Please do not enter your password into any site that does not have the lock icon (or starts with https) and ends with mayfirst.org. You may receive emails over the next few weeks warning about this problem and encouraging you to enter your password on illegitimate web sites. Please carefully check the address of any site asking for your mayfirst.org password.
    2222 * If you have a web site that uses https and you have purchased a certificate, please [wiki:faq/security/get-certificate generate a new key and obtain a new certificate].
    2323'''Questions'''
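Review bot: The phishing bullet on line 21 tells members to trust a site whose address "ends with mayfirst.org", which would also match a different registered domain whose name merely ends in those letters. Since the line is being edited anyway, suggest wording the check as a host name that is exactly mayfirst.org or ends with ".mayfirst.org" (note the leading dot), and giving members.mayfirst.org from line 20 as the concrete example. The spelling fix to "illegitimate" is correct.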
     
    3333''Do I have to generate a new key?''
    3434
    35 We strongly recomment that you do. However, it's your choice and you may decide that it's not worth the effort. The vulnerability allowed an attacker to read the memory used by the web server. If nobody attempted to exploit the server your web site is running on during the period in which the server was vulnerable, then there is no reason to generate a new key or be worried about compromised data. On the other hand, if someone attempted to exploit ''any'' web site on your server (even if it's not your own web site), then your data may have been compromised. It is trivial to write a simple program to scan web sites for this vulnerability and it's likely that some people knew about the problem prior to it becoming public.
     35We strongly recommend that you do. However, it's your choice and you may decide that it's not worth the effort. The vulnerability allowed an attacker to read the memory used by the web server. If nobody attempted to exploit the server your web site is running on during the period in which the server was vulnerable, then there is no reason to generate a new key or be worried about compromised data. On the other hand, if someone attempted to exploit ''any'' web site on your server (even if it's not your own web site), then your data may have been compromised. It is trivial to write a simple program to scan web sites for this vulnerability and it's likely that some people knew about the problem prior to it becoming public.
    3636
    3737'''Additional Information and Notes'''
    3838
    39 According to the web site [http://heartbleed.org heartbleed], openssl is the most popular encryption library. And, arstechnica estimates [http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/ it is used by 2/3 or all web sites].
     39According to the web site [http://heartbleed.org heartbleed], openssl is the most popular encryption library. And, Arstechnica estimates [http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/ it is used by 2/3 or all web sites].
    4040
    4141For still more info:
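Review bot: Line 35 makes the decision to re-key depend on whether anyone "attempted to exploit the server", but the answer gives members no way to find that out, and its own last sentence says scanning is trivial and the problem was probably known before disclosure. Suggest either stating how a member could check or dropping the condition, so that the recommendation to generate a new key stands on its own. On line 39, "2/3 or all web sites" still reads "or" where "of" is meant, and the publication name is styled "Ars Technica".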