Change Your Passwords


Comments

  • 50Twuncle
    You can test here. https://www.ssllabs.com/ssltest/index.html

    What banks are safe? Why are none of them making any reference or announcement on their sites?

    Coventry are sending emails to all customers, informing them that they are unaffected!!
  • securityguy
    bobblebob wrote: »
    No need to panic over this. All the banking websites I've seen don't have the exploit anyway.

    And remember this has been exploitable for 2 years now. Chances are if anyone was exploiting it on a mass scale we would know about it by now

    The bug only affects people who have built applications with OpenSSL 1.0.1 through to 1.0.1f. That's pretty much the definition of Linux fanbois dabbling with the bleeding edge (ie, not banks). Banks are unlikely to be using OpenSSL on customer-facing devices anyway, but even if they are, they aren't doing it on bleeding-edge Linux releases. As an example, although not one likely to be running banking systems, OSX 10.9.2, the most recent release, still ships with OpenSSL 0.9.8y (of course, Apple's own applications are built against their own SSL stack, which is not without its own issues). Solaris 11.1, which is arguably more likely to be used in banking, ships with 1.0.0j. Amongst the researchers I work with we were kicking around the issue of embedded devices (set-top boxes, that sort of thing), but (a) they don't run 1.0.1 and (b) often they don't even use OpenSSL, because PolarSSL is much more attractive for small devices. Some of Google's applications were built with it (what was that about bleeding-edge Linux fanbois?) but from what I understand of their architecture even if there had been active exploits (which the general consensus is "there hadn't") the pickings would have been pretty meagre.

    The bug is present on Android Jelly Bean, but exploiting it would require that the attacker force you to visit their website; once they've done that it is actually quite difficult to think of why they would need to exploit this particular bug. If you're the 0.00001% of the userbase who uses client-side certificates it's potentially nasty, but otherwise someone who can force your SSL session to connect to a device they control can do most of the bad things anyway.

    As a software engineer, I'm worried by this bug: it's the third "people writing crypto code proving that open-source doesn't get a lot of free code review" problem, where you have to ask just what is being done to audit changes. It's not as nasty as 2008's Debian/OpenSSL bug, which was probably exploited, or the aforementioned "goto fail" problem that Apple had, both of which were discoverable by looking at the source, the latter particularly easily. The claim's made that open source benefits from Eric Raymond's "many eyes make all bugs shallow", but that presumes they're looking for a known bug: those many eyes seem to be a lot less effective at reviewing code that appears to be working.

    But as a security researcher, my gut feel is that exploits weren't in the wild. The people that found it are really hardcore, and have very, very sharp tools that they haven't released. It's possible that another, black-hat, group found it and quietly exploited it, but if I had to place bets, I'd take pretty short money on "they didn't".
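A defender's check of the version range quoted in the post above, added here as an example and not part of the thread: it parses the banner printed by `openssl version` and flags builds in the 1.0.1 to 1.0.1f range, with the caveat that distributions backport fixes without changing the letter, so a banner in range means "check the package changelog", not "vulnerable". The sample banners are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Affected range as stated in the post: OpenSSL 1.0.1 through 1.0.1f.
# Versions are compared as (major, minor, fix, letter_index); 0 = no letter.
AFFECTED_LOW = (1, 0, 1, 0)
AFFECTED_HIGH = (1, 0, 1, ord("f") - ord("a") + 1)

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse the first line of `openssl version` output into a sortable tuple.

    Returns None when the banner is not an OpenSSL version string.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def version_in_heartbleed_range(banner: str) -> Optional[bool]:
    """True if the reported version is within 1.0.1..1.0.1f, False if outside,
    None if the banner could not be parsed.

    Caveat: vendors backport the fix without bumping the letter (for example a
    distro package still reporting 1.0.1e), so this is a triage hint, not proof.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return None
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


# Constructed sample banners (not captured from any real system), using the
# versions the post names.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e 11 Feb 2013",   # in range
    "OpenSSL 1.0.1g 7 Apr 2014",    # first letter past the range
    "OpenSSL 0.9.8y 5 Feb 2013",    # the OS X 10.9.2 build
    "OpenSSL 1.0.0j 10 May 2012",   # the Solaris 11.1 build
    "LibreSSL 2.0.0",               # not OpenSSL, cannot be parsed
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r:32} -> {version_in_heartbleed_range(banner)}")
```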
  • ukmike
    What banks are safe? Why are none of them making any reference or announcement on their sites?
    When I logged into my Lloyds account today it had a message saying their site is safe & no need to change my password.