Millions of Android Devices Vulnerable to Heartbleed Bug

For discussions about security.
James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#1 Post by James C »

http://www.bloomberg.com/news/2014-04-1 ... d-bug.html

[quote]Millions of smartphones and tablets running Google Inc. (GOOG)’s Android operating system have the Heartbleed software bug, in a sign of how broadly the flaw extends beyond the Internet and into consumer devices.

While Google said in a blog post on April 9 that all versions of Android are immune to the flaw, it added that the “limited exception

bark_bark_bark
Posts: 1885
Joined: Tue 05 Jun 2012, 12:17
Location: Wisconsin USA

#2 Post by bark_bark_bark »

Android has never been safe, and you can blame that on Java.
....

gcmartin

#3 Post by gcmartin »

Here, another alert which suggests vulnerability. What should interest all of us is an explanation of how this 2-year item got there in the first place and which subsystems it is using for the breaches it is providing. I have seen much speculation and have witnessed several live reports from reporters with differing accounts on HeartBleed. Notice that in this accounting, they share that old versions may have contracted HeartBleed.

Anyone, here, in this forum, want to use their own words to describe this bug and its manifestation? Could/Is HeartBleed in Puppy?

Anyone.

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#4 Post by mavrothal »

Here is a more realistic view of the issue
[quote]Security vendor CloudFlare further roiled the pot by issuing a challenge to hackers to steal a server's private encryption key using the Heartbleed bug. Fedor Indutny of Moscow took nine hours to obtain the key,
....
32 thousand requests per second from a single user is highly suspicious since that would be about 100x more than the fastest Internet connections allow a real user to use.
....
Also lost in the initial panic over the fact that two-thirds of websites use OpenSSL was any breakdown of how many of the servers were running a version actually affected by the flaw -- a figure that some put at 17 percent.
...
Attacking the client, you'll probably only get a few chances. You're not going to be able to do a million requests because, remember, you're not asking the client or initiating the connection to the client to pump the data out.[/quote]
The rest is interesting too as well as the links therein.

rokytnji
Posts: 2262
Joined: Tue 20 Jan 2009, 15:54

#5 Post by rokytnji »

[quote]Anyone, here, in this forum, want to use their own words to describe this bug and its manifestation? Could/Is HeartBleed in Puppy?

Anyone.[/quote]

https://www.ssllabs.com/

Use Test your Browser Button.

Mine.

SSL 2 handshake compatibility No
TLS compression No
Your user agent is not vulnerable.
Images Passive Yes
CSS Active No
Scripts Active No
XMLHttpRequest Active No
WebSockets Active No
Frames Active No
YMMV from mine.

gcmartin

#6 Post by gcmartin »

More information on this issue of Android 4.1.x, servers and OpenSSL

Hope this is helpful in understanding HeartBleed and its manifestation.

slavvo67
Posts: 1610
Joined: Sat 13 Oct 2012, 02:07
Location: The other Mr. 305

#7 Post by slavvo67 »

How do you read the SSL Labs results?

Thanks
