Heartbleed (OpenSSL vulnerability)

Well, now we know why the NSA was building a giant datacenter to store other people's encrypted data.

garion333 wrote:

Obviously, since NSA has said they've used it then we know it was used, but now Cloudflare has backtracked and said they were wrong.

Technically, as far as I can tell the NSA denies having utilized it. Bloomberg's anonymous sources say otherwise. Both possibilities seem equally feasible to me. From my exposure to people from different realms of the 'infosec' world, it consists mostly of very loud people with large egos who aren't very intelligent, and a few quiet people with very large egos who are incredibly intelligent. And in general you should never believe anything any of them say until you can verify it yourself.

The 'at least 2 years' part is confusing to me. The buggy version of OpenSSL wasn't released until March of 2012 ... the 'at least' implies they could have somehow been utilizing this vulnerability for longer than it has existed in the wild.

Or that there might be another vulnerability that has yet to be disclosed.

trueheart78 wrote:

Or that there might be another vulnerability that has yet to be disclosed.

The roll-your-own malloc thing seems to be a giant vulnerability catalyst.

Perhaps even more frustrating about this is the fact that most websites that were impacted have yet to respond in an email. Just placing a response on your website is not good enough if people do not know where to look. Facebook is one of the primary ones I am looking towards here.

Joost1 wrote:

Perhaps even more frustrating about this is the fact that most websites that were impacted have yet to respond in an email. Just placing a response on your website is not good enough if people do not know where to look. Facebook is one of the primary ones I am looking towards here.

The worst ones have been responding with a boilerplate "Our software uses SSL so your data is all perfectly secure!", which is both clueless and misses the point.