So, OpenSSL is fucked. By extension, Apache and nginx are as well. This has been in the wild for 2 years, was disclosed yesterday, and patched yesterday as well. TL;DR: it may be possible to dump the memory from a server, revealing private encryption keys, user credentials, or content. That is basically the internet nightmare scenario.
One thing I find curious: if this has been in the wild for two years, paranoid minds might assume that some high-value targets have been compromised. Why haven't I gotten any emails from my bank/hosting provider/platypus-enthusiasts-social network to change my passwords?
On the bright side, the FRCF doesn't use SSL, so our credentials are uh, safe, or something.
Comments
Is this the worst security bug ever? Worst I can think of at least.
http://www.theverge.com/us-world/2014/4/11/5606524/hacker-successfully-uses-heartbleed-to-retrieve-private-security-keys
What is Scientific Linux???
(I know what it is I just hadn't heard of it till today).