Bad news. A major vulnerability, known as "Heartbleed," has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr.
We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.
But this…
This is worrying. Not so much that steps aren't being taken to fix it – that's the good part – but the fact that this has apparently been around for two years.
Not that a threat like this is new (look at our discussion on RFIDs and credit cards), but it just goes to show you how even encryption can be beat. That something like 50% of the web uses this OpenSSL standard is worrying though, especially since you don't know who might be attacked, or what types of data they might have.
I find myself thinking about just what information other sites besides Google could have on me, and it's difficult. Sometimes it's just a user name and password, sometimes it's a little more. Google probably tracks me the most, but that doesn't mean that I'm perfectly fine on other sites too. It's even hard to imagine what other sites there could be – there's Facebook and Twitter, the big ones; then I have ones like DeviantART or LiveJournal, which don't have any real information about me but I still wouldn't want that information floating out there just on sheer principle. I can't even think of other sites right now since those are the big ones, but there probably are and I'm forgetting about them. That's not even getting into emails or Skype!
The point is, it's easy to think that your information is secure, but maybe it isn't always that easy, and when you think about it, there's a surprising amount of personal information floating about there, so the knowledge that that might be vulnerable is worrying.
Then again, everything about this class is a little worrying, isn't it?
I've been hearing about this bug too, and I find it worrying for several reasons.
This is the first time I've read anything about OpenSSL. I am certainly not an expert on the internet, or internet security, but sometimes I am still surprised by how little I know about how the internet functions. This, in itself, is worrying. The internet plays a huge role in my life, and I've disclosed lots of personal information to various online services. I always assumed that if that particular website had solid security measures, my information would be safe- but this is evidently not the case.
I also find it really worrying that the attacks leave no trace- all kinds of personal information could be compromised, without anyone ever knowing there was an attack! In other security breaches, both on the internet and otherwise, there is usually some kind of evidence left behind. I think this is the most worrying aspect, and will certainly make me think twice about disclosing information on the internet. That being said, it is often unavoidable. So I guess I will just hope for the best :)
I really hate how Tumblr works... just throwing it out there all these quotes within quotes when I just want to comment (not reblog)... glaring at you prof!!!
Anyways, now that there is more research going into Heartbleed, I think it is a big security risk and it is a big problem, but it might not be as bad as people are prone to think. It is terrible because it has been undiscovered for two years... there is no way to know how much information has been compromised. Why I am saying it is not so terrible is because it is a bug and is not inherently malicious. It can be taken advantage of; however, when a person does take advantage of the bug, they cannot guarantee what information they can gather. This bug does a random memory dump of a certain size, I believe, so important information can be stolen, but it is not a guarantee. Also, while individuals can have their information stolen and sessions hijacked, the only way this bug could really be used advantageously is if a person was able to actually collect specific keys that could be used to decrypt internet traffic for a specific organization. The odds of this being done are long, still something to be aware of but not something to necessarily worry about.















