Critical crypto bug in OpenSSL opens 2/3 of the Web to eavesdropping [merged]

“The bug, which is officially referenced as CVE-2014-0160, makes it possible for attackers to recover up to 64 kilobytes of memory from the server or client computer running a vulnerable OpenSSL version.” […]

OpenSSL also ships in a wide variety of operating systems and applications, including the Debian Wheezy, Ubuntu, CENTOS, Fedora, OpenBSD, FreeBSD, and OpenSUSE distributions of Linux.
Fixed in Ubuntu [url=]12.04[/url], [url=]12.10[/url], [url=]13.10[/url] and [url=]14.04[/url].

DSA-2896-1 openssl – security update: Debian Security Advisory
All users are urged to upgrade their openssl packages (especially libssl1.0.0) and restart applications as soon as possible

Since this exploit leaves no trace, people should change their private keys and replace their tls certificates as well. If people know your keys even though you patched openssl, then its no use.

SSL Labs Test for the Heartbleed Attack (SSL Labs)
Why the Web Needs Perfect Forward Secrecy More Than Ever (EFF)

Patching The Heartbleed OpenSSL Vulnerability (Sucuri Security)

Comodo Advises Customers and Partners to Patch Systems to Run the Latest Version of OpenSSL in Light of ‘Heartbleed’ Vulnerability.

link eff from jowa explain that clearly

The Bleeding Hearts Club: Heartbleed Recovery for System Administrators (EFF)

presto _ bingo : Thx JoWa.

The Heartbleed Hit List: The Passwords You Need to Change Right Now (Mashable)

“Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you’ll need to go in and change your passwords immediately for these sites.”


A Billion Smartphone Users May Be Affected by the Heartbleed Security Flaw (Forbes)


Official Page

‘HeartBleed Checker’

Chrome heartbleed extention


Revocation checking is in the news again because of a large number of revocations resulting from precautionary rotations for servers affected by the OpenSSL heartbeat bug. However, revocation checking is a complex topic and there's a fair amount of misinformation around. In short, it doesn't work and you are no more secure by switching it on. […]
[url=]No, don't enable revocation checking[/url] (Adam Langley)

Thx JoWa

Don’t know if that really fits here…

For Firefox users there is an addon called cipherfox, which allows you to at least disable RC 4 encryption for all sites.

Kind regards, REBOL.



The latest version of Cipherfox (3.7.2) obviously has a bug (i.e. parsing error).
Until fixed, i’d rather recommend to continue using version 3.7.1 which you can get here:

Kind regards, REBOL. :slight_smile:

:slight_smile: :-TU