On April 7, 2014, several media outlets reported a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f (inclusive) called “The Heartbleed Bug.” It is a serious Web security flaw that can expose private data held in memory by affected servers. Please see the following news articles and websites, which describe the issue in greater detail:
- The Heartbleed Bug
- The Heartbleed Bug Explained
- Critical Crypto Bug in OpenSSL Opens Two-Thirds of the Web to Eavesdropping
- What You Need to Know About Heartbleed, A Really Major Bug That Short Circuits Web Security
- Experts Find a Door Ajar in an Internet Security Method Thought Safe
If you run a Web server with SSL/TLS provided by OpenSSL 1.0.1 through 1.0.1f, it is recommended that you patch the software immediately by upgrading to OpenSSL 1.0.1g. If you cannot upgrade right away, you can disable the vulnerable code path by recompiling OpenSSL with -DOPENSSL_NO_HEARTBEATS. OpenSSL 1.0.2-beta1 is also affected; the fix will ship in the upcoming 1.0.2-beta2 release. If you do not know what version of OpenSSL your site is running, go to https://sslanalyzer.comodoca.com and enter your site’s URL to find out whether the site is vulnerable.
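A local check to complement the remote analyzer, added here as an example and not part of DoIT’s advisory: it classifies the output of `openssl version` against the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and looks for the OPENSSL_NO_HEARTBEATS flag in the compiler line printed by `openssl version -f`. The version strings used for illustration are constructed. One caveat a practitioner needs: the major Linux distributions fixed Heartbleed by backporting the patch into their existing 1.0.1e packages, so a version string in the affected range does not by itself prove the installed package is vulnerable; check the package changelog for the fix (CVE-2014-0160) as well.

```shell
#!/bin/sh
# heartbleed_local_check.sh (added example)
# Classify an "openssl version" line against the Heartbleed range and look
# for the OPENSSL_NO_HEARTBEATS build flag in "openssl version -f" output.

# Extract the bare version token ("1.0.1f", "1.0.2-beta1", "3.0.2") from a
# line such as "OpenSSL 1.0.1f 6 Jan 2014". Prints nothing if unrecognised.
openssl_version_token() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-beta[0-9]\)*\).*/\1/p'
}

# Returns 0 when the upstream release named in the line shipped the bug,
# 1 when it did not, 2 when the line is not an OpenSSL version string.
# (Distribution packages with a backported fix still report 1.0.1e here.)
openssl_version_affected() {
    ver=$(openssl_version_token "$1")
    [ -n "$ver" ] || return 2
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;   # 1.0.1 through 1.0.1f: affected
        1.0.2-beta1)      return 0 ;;   # first 1.0.2 beta shipped the bug
        *)                return 1 ;;   # 1.0.1g+, 1.0.2-beta2+, and 0.9.8/1.0.0
    esac                                # (which never had the heartbeat code)
}

# Returns 0 when the "openssl version -f" compiler line shows that the
# build was configured with heartbeats compiled out.
heartbeats_compiled_out() {
    case "$1" in
        *OPENSSL_NO_HEARTBEATS*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# Human-readable verdict for a version line ($1) and optional -f line ($2).
heartbleed_verdict() {
    if openssl_version_affected "$1"; then
        if heartbeats_compiled_out "${2:-}"; then
            echo "affected release $(openssl_version_token "$1"), but built with OPENSSL_NO_HEARTBEATS: heartbeat disabled"
        else
            echo "AFFECTED: $(openssl_version_token "$1") - upgrade to 1.0.1g or confirm a backported fix in the package changelog"
        fi
    elif [ -z "$(openssl_version_token "$1")" ]; then
        echo "unrecognised version string: $1"
    else
        echo "not affected by version: $(openssl_version_token "$1")"
    fi
}

# Run against the locally installed OpenSSL, if there is one.
if live=$(openssl version 2>/dev/null); then
    heartbleed_verdict "$live" "$(openssl version -f 2>/dev/null)"
fi
```

Run it on each server you administer; a verdict of AFFECTED means either upgrade to 1.0.1g or confirm from the package changelog that the vendor backported the fix before trusting the host again.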
Additionally, if you have contracted with any vendors whose services use SSL/TLS, please contact them immediately to find out whether they have applied the current patches and what other steps may be required.
One side effect of this vulnerability is that the server’s private key may have been exposed, and such a leak leaves no trace in the server’s logs. After patching, therefore, generate a new key pair and request a new certificate; the old certificate should then be revoked. DoIT will provide a new Comodo/InCommon certificate to its Stony Brook IT Partners at no cost; just email the CSR to certreq@stonybrook.edu.
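The re-keying step, as an added example that is not part of DoIT’s advisory: it generates a fresh 2048-bit RSA key and a CSR with standard `openssl req` options, verifies the CSR’s signature before it is submitted, and compares public moduli so you can confirm the new key is genuinely different from the old one (a cheap check that catches a script reusing the old key file). The host name, organization and file paths are placeholders; the “old” key in the demo is generated on the spot as a stand-in for the one that lives in your server configuration.

```shell
#!/bin/sh
# rekey_after_heartbleed.sh (added example)
# Generate a new key pair and CSR, verify the CSR, and confirm that the
# new key's public modulus differs from the old key's.

# Generate a new private key and CSR in one step.
#   $1 = output key path, $2 = output CSR path, $3 = host name (CN)
# Runs in a subshell so the restrictive umask does not leak to the caller.
generate_csr() (
    umask 077   # the new key must not be group- or world-readable
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1" -out "$2" \
        -subj "/C=US/ST=New York/O=Example University/CN=$3" \
        >/dev/null 2>&1 || return 1
    # Sanity-check the CSR's self-signature before emailing it anywhere.
    openssl req -noout -verify -in "$2" >/dev/null 2>&1
)

# Fingerprint of the public modulus (SHA-256 of the "Modulus=..." line),
# which is identical for a key, its CSR and any certificate issued for it.
modulus_fp() {
    openssl dgst -sha256 | sed 's/^.*= *//'
}
key_modulus_fp()  { openssl rsa  -noout -modulus -in "$1" 2>/dev/null | modulus_fp; }
csr_modulus_fp()  { openssl req  -noout -modulus -in "$1" 2>/dev/null | modulus_fp; }
cert_modulus_fp() { openssl x509 -noout -modulus -in "$1" 2>/dev/null | modulus_fp; }

# Returns 0 when the two private keys carry different public moduli,
# i.e. the key really was rotated rather than copied.
keys_differ() {
    [ "$(key_modulus_fp "$1")" != "$(key_modulus_fp "$2")" ]
}

# Demo in a temporary directory (placeholder host name).
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    # Stand-in for the key that was in service on the vulnerable host.
    generate_csr "$work/old.key" "$work/old.csr" "www.example.edu"
    # The replacement key and the CSR to submit for the new certificate.
    generate_csr "$work/new.key" "$work/new.csr" "www.example.edu"
    if keys_differ "$work/old.key" "$work/new.key"; then
        echo "new key generated; CSR ready to submit: $work/new.csr"
        echo "new key modulus fingerprint: $(key_modulus_fp "$work/new.key")"
    else
        echo "ERROR: new key matches old key, rotation did not happen" >&2
    fi
    rm -rf "$work"
fi
```

When the new certificate arrives, `cert_modulus_fp` on it must equal `key_modulus_fp` on the new key before you install it; keep the old certificate’s fingerprint on hand so its revocation can be confirmed later.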
DoIT is actively monitoring the situation here at Stony Brook and has contacted its vendors about any vendor-supplied software.
Stony Brook’s SOLAR, PeopleSoft, Blackboard, and Google Apps for Education systems are not affected by this vulnerability. Other systems accessed with your Stony Brook NetID and NetID password are not affected.
Individual users may want to consider changing the passwords on all their sensitive Internet accounts, such as banking accounts, private email accounts, and any accounts created for online shopping with the use of credit card information. However, the New York Times Bits blog suggests waiting a day or two to allow time for websites to get patched, since a password changed on a site that is still vulnerable could itself be exposed.
DoIT has created a public Yammer group to provide the campus community with updates as this situation unfolds and develops. Please post your questions and comments to the Heartbleed Bug Info Yammer group.
FYI … Patrick Iannuccilli posted on Yammer today that “due to increased volume of certificate requests, there will be a delay in getting new certificates through InCommon.”