This is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.
I like the last paragraph that explains what providers (hardware and software) have learned from the Heartbleed stealth and evil attack. But there are also lessons that could be noted concerning what Internet users have learned. How can we be more vigilant? What have we learned? A new concluding section could be added, or noted elsewhere in the article herein. — Charles Edwin Shipp (talk) 01:01, 20 April 2014 (UTC)
I've removed this [1] for a number of reasons. First of all, it is original research to connect it to this article's topic. It doesn't even mention Heartbleed. See WP:SYN. Second, it is poorly sourced. Citing press releases is usually not a good idea. Instead we should rely on third-party reliable sources which have a reputation for accuracy and fact-checking. Third, it is out of date and was written before Heartbleed. A Quest For Knowledge ( talk) 06:08, 21 April 2014 (UTC)
Headline-1: Heartbleed Will Require Rehab
QUOTE: “Security experts worldwide have deemed the so-called Heartbleed bug one of the most dangerous security flaws ever to crop up on the Web. While we don't know the full extent of Heartbleed's menace, the bug has the potential to cause catastrophic data breaches. When news of Heartbleed broke, Internet users were advised to change all their online passwords as a precaution, and enterprise IT security teams scrambled to neutralize the immediate threat by applying a patch. But like many serious conditions, the real danger posed by the Heartbleed bug is longer term and much more quiet than the initial hoopla might suggest. ” ["Patches are just band-aids. Heartbleed's long-term effects will force companies to reassess how they deploy and manage technology."] — Charles Edwin Shipp ( talk) 14:24, 21 April 2014 (UTC) — PS: FYI for future editing.
Headline-2: Why Heartbleed May be more Troubling for Healthcare.gov in the Long Run
QUOTE: “Users of HealthCare.gov are being asked to change their passwords due to the federal exchange’s potential vulnerability to the Heartbleed security flaw, and the warning is troubling, analysts say, as medical information is hotter than ever for criminals looking to make a quick profit.” [Healthcare.gov and related Obamacare websites and methodologies were never known for tight security!] — Charles Edwin Shipp (talk) 00:27, 23 April 2014 (UTC) — PS: FYI for future editing.
Headline-3: The U.S. Needs to Stop Running Internet Security Like a Wikipedia Volunteer Project
QUOTE: “One lesson of the Heartbleed bug is that our government is paying to undermine Internet security, not to fix it.” [Comment-1: The left-handed compliment to Wikipedia is interesting; Comment-2: There is more to security than passwords, such as encrypted transmission; Comment-3: This article is headlined for Google News; Comment-4: The last paragraph of the Article herein (WP) covers this aspect, to some extent.] — Charles Edwin Shipp (talk) 11:54, 23 April 2014 (UTC) — PS: FYI for future editing.
I just wanted to mention that Security Now has been providing some excellent, in-depth coverage of this topic:
A Quest For Knowledge ( talk) 23:15, 23 April 2014 (UTC)
It would be interesting to include an approximation of the cost of Heartbleed. According to [3], "Even if there hasn’t been any malicious exploitation of the bug, the costs of people’s time will likely run into the hundreds of millions of dollars." There aren't details on how that was computed. I wonder if this is realistic. -- Chealer ( talk) 20:07, 20 April 2014 (UTC)
Regrettably, I am removing the XKCD 1354 explanation of the bug. We really can't replace a suitably licensed drawing with non-free content and then claim that "no free equivalent is available, or could be created, that would serve the same encyclopedic purpose," as our policy WP:NFCC demands in criterion 1. Furthermore, the reduced-resolution image that was uploaded isn't even legible. If it were up to me, I'd allow NC content and tag it so commercial users would be warned not to copy it, but it is not up to me and attempts to change the policy have failed in the past. Maybe the author could be persuaded to release this strip under a compatible license, but absent that it can't stay. -- agr (talk) 10:17, 18 April 2014 (UTC)
Here's a rough draft of a simplified version of the graphic I've done so far, integrating the content of the original graphic with the conversation style of the xkcd comic. Let me know what you think.
svg version (Should be easy to edit with Inkscape)
– FenixFeather (talk) (Contribs) 01:06, 20 April 2014 (UTC)
So after a lot of problems I've finally managed to upload a proper svg to commons. Let me know what you all think! – FenixFeather (talk) (Contribs) 03:20, 20 April 2014 (UTC)
Looking pretty good. But with the above image, there needs to be a label on what is what. Tutelary ( talk) 04:29, 20 April 2014 (UTC)
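For editors working on the simplified graphic, here is the same idea the comic conveys, written out as a runnable model. This is an added example for this talk page, not code from the article, the comic, or OpenSSL itself. It uses the real heartbeat message layout from RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding), but the "process memory" is a constructed byte string in which the received record happens to sit next to unrelated data, and the two handlers are simplified stand-ins for the pre-fix and post-fix server logic rather than the library's actual functions.

```python
import struct
from typing import Optional

# RFC 6520 heartbeat message: type (1 byte) | payload_length (2 bytes) | payload | padding
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request.

    claimed_length exists only for this demo: it lets the length field
    disagree with the real payload, which is exactly what a malformed
    Heartbleed request does.
    """
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def payload_of(response: bytes) -> bytes:
    """Return the payload carried by a heartbeat response (used to inspect results)."""
    _, length = struct.unpack("!BH", response[:HEADER_LEN])
    return response[HEADER_LEN:HEADER_LEN + length]


def vulnerable_handler(heap: bytes, record_length: int) -> bytes:
    """Model of the pre-fix logic: trusts payload_length and never consults record_length.

    heap[:record_length] is the received record; whatever follows it is other
    data that merely sits next to it in the server's memory (constructed here).
    """
    _, payload_length = struct.unpack("!BH", heap[:HEADER_LEN])
    # Copies payload_length bytes starting at the payload, even past the record.
    echoed = heap[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def fixed_handler(heap: bytes, record_length: int) -> Optional[bytes]:
    """Model of the fix: bound the claimed length by the record actually received.

    A record whose claimed payload (plus header and minimum padding) would not
    fit is silently dropped, which is what the patched code does.
    """
    if record_length < HEADER_LEN + MIN_PADDING:
        return None
    _, payload_length = struct.unpack("!BH", heap[:HEADER_LEN])
    if HEADER_LEN + payload_length + MIN_PADDING > record_length:
        return None
    echoed = heap[HEADER_LEN:HEADER_LEN + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def demo() -> dict:
    """Run an honest request and a lying request through both handlers."""
    # Constructed neighbouring data: something sensitive that happens to be adjacent.
    neighbour = b"SESSION_COOKIE=abc123; other heap data"
    honest = build_heartbeat(b"HAT")                       # length field says 3
    lying = build_heartbeat(b"HAT", claimed_length=40)     # length field says 40

    return {
        "honest_vulnerable": payload_of(vulnerable_handler(honest + neighbour, len(honest))),
        "honest_fixed": payload_of(fixed_handler(honest + neighbour, len(honest))),
        "lying_vulnerable": payload_of(vulnerable_handler(lying + neighbour, len(lying))),
        "lying_fixed": fixed_handler(lying + neighbour, len(lying)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The honest request is answered identically by both handlers. The lying request makes the vulnerable handler echo the three real payload bytes, its own padding, and then bytes of the neighbouring data, while the fixed handler returns nothing at all. This is the "HAT (500 letters)" exchange from the comic reduced to the single missing bounds check.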
A discussion at the end of the article summarizing Dan Kaminsky's opinion says,
This is misleading. The Wall Street Journal article which Kaminsky cited says,
I'm not disputing that OpenSSL has historically had a very small budget. But there's a big difference between "less than $1 million", "$2000", "$841", and "$841 in the last 3 days". The summary of Kaminsky's opinion should be revised to accurately reflect OpenSSL's actual budget and donations. -- Bigpeteb ( talk) 20:27, 28 April 2014 (UTC)
The concluding paragraph is bogus. There are tons of bugs in proprietary software too. [5] OpenSSL is rather crufty though. The OpenBSD team is overhauling it, but who knows if the extensive changes will introduce more bugs. Best practice is probably to use the "engine" feature to put the sensitive crypto operations into a separate process, and there's at least one big installation planning to move to that approach, but I don't have an RS for that yet. There may be some general security principles we can quote from, e.g. from Ross Anderson's book. [6] 70.36.142.114 (talk) 03:04, 20 April 2014 (UTC)
I've reverted this good faith edit because the explanation ("does not actually test whether Heartbleed is present on a given site") doesn't apply to what the test does. Of course, it doesn't address whether Heartbleed isn't on any particular site. That's not what it does. Instead, it tests whether a browser checks whether an SSL certificate has been revoked. Heartbleed allows hackers to steal SSL certificates. Even if the website revokes the stolen certificate, if the browser doesn't check whether it was revoked, the browser will report the revoked certificate as legitimate. This test was specifically created because of the Heartbleed bug. According to Netcraft, only 30,000 of the 500,000+ SSL certificates affected by the Heartbleed bug have been reissued up until today, and even fewer certificates have been revoked. [7] A Quest For Knowledge ( talk) 02:08, 20 April 2014 (UTC)
Wait, what are you guys arguing about? AQFN, what edit did you revert at the top of the section? I remember seeing a CRL checker mentioned in the section about heartbleed tests. I'd say a CRL checker is definitely not a heartbleed test and should not be described as one, but it's arguably relevant to the article anyway, so there is a case for including it as part of info about cert revocation. Cert revocation itself should be mentioned in the article (including whatever sourcing can be found about whether it's a good or bad idea) since it's being recommended by some as a response to Heartbleed. Actually, if anyone has a revoked certificate that they can still serve, it might be interesting to show a screen shot of a browser responding to an OCSP failure. 70.36.142.114 ( talk) 19:41, 20 April 2014 (UTC)
Lastpass, the company, owns Lastpass Password Manager. It was from a direct blog post from them, describing that Lastpass Password Manager was vulnerable. Per WP:PRIMARY, this is a sufficient reference, and we do not need another one. Also, the entries below it use primary sources as well, and I don't see you tagging them as 'needing another reference'. Specific text: "A primary source may only be used on Wikipedia to make straightforward, descriptive statements of facts that can be verified by any educated person with access to the primary source but without further, specialized knowledge." Tutelary (talk) 22:19, 25 April 2014 (UTC)
Chealer, I second those above who point out that a company can't be vulnerable to an SSL bug; only a particular web service, in this case Lastpass's password vault service, can. The official blog post seems perfectly clear to me: the servers running their service were initially vulnerable to the bug before being patched. I'm removing the "dubious" tag. — Neil P. Quinn (talk) 04:02, 28 April 2014 (UTC)
Note that the fact that the passwords were stored in a particular vault doesn't matter in regards to vulnerabilities on other websites, and so I removed what to me seems like a redundant bit of advice, which might fit better beside some other statements recommending password changes. That said, I like Tutelary's rewrite as it avoids the implication that it is the channel between Lastpass and other sites that was the problem. That said, we have several sentences and sources quoted as saying stuff like:
"People should take advice on changing passwords from the websites they use."
"The following sites have services affected or made announcements recommending that users update passwords in response to the bug"
"Platform maintainers like the Wikimedia Foundation advised their users to change passwords."
already spread throughout the article, so it does feel a bit redundant to say that same thing again just a few sentences later. We also seem to be missing stuff that was covered by several sources about how such vaults help with recovery after such an incident? For example:
Tools are now widely available that will store and organise all your passwords and PIN codes for computers, apps and networks. They can also generate passwords and can automatically enter your username and password into forms on websites.
Such tools store your passwords in an encrypted file that is accessible only through the use of a master password. Examples of such services include KeePass, LastPass and 1Password.— Jane Wakefield, BBC News - Heartbleed bug: What you need to know
If I recall, there were several news articles extolling the virtues of such managers as part of their coverage. PaleAqua (talk) 21:11, 30 April 2014 (UTC)
Unfortunately, this article (like much of the information currently available online as of 5/8/14) misses some very important aspects of the HeartBleed bug. Among them:
I will begin the process of adding extra information (yes with references) to the article, to ameliorate this. Mr Pete ( talk) 19:58, 8 May 2014 (UTC)
I'm removing the following sentence from the lead:
Apple recommends embedding OpenSSL in client applications when necessary for compatibility; as a result, Apple's FileMaker software required a fix.
Although FileMaker did require a fix as mentioned in the Impact section, the relation doesn't warrant treatment in the lead in my opinion and the sentence could be misunderstood. The need to fix FileMaker itself is in fact the result of a combination of circumstances:
At most, Apple's recommendation could have been a factor in 2. -- Chealer ( talk) 19:55, 10 May 2014 (UTC)