- This topic is empty.
-
Posts
-
I am sharing a comment made by Nicholas Dionysopoulos of AkeebaBackup.com about the Heartbleed bug. It worth a reading it become a mass hysteria engineered by security companies.
“The Heartbleed bug may spit out the private key. OK, so now what? You need a dump of the entire SSL/TLS session, INCLUDING the handshake. This is where knowing the secret key will allow you to decrypt the browser’s public key. Now you need to decrypt all data posted by the browser and hopefully isolate the username and password. For every user session. For every server and key. If you want to hack the entire Internet you need massive resources, of NSA scale. But these guys pwned us in so many ways already, no need to worry about yet another attack vector they MIGHT have used against SOME of us at some point in time,
Yes, Heartbleed is super severe. You know when? In targeted attacks against high-value targets. If you were a political dissident and hoped that SSL would protect you against an oppressive regime you’re probably fucked. Same if you are a terrorist. Same if you are a CEO of a Fortune 500 company. But for us small people, well, not really.
No, I am not saying it shouldn’t be patched. I am saying that the mass hysteria which is summed up as “ZOMG! WE AREE ALL HACKED! CHANGE ALL YOUR PASSWORDS BECAUSE THEY ARE COMPROMISED!” is unwarranted. Changing the SSL certificates on a tiny site that sells ceramic tiles is unnecessary cost. You get the idea or do I have to spell it out? You are duped into spending money you needn’t spend. “
