Question:
Heartbleed - traffic required?
PFuller
2014-04-19 18:53:00 UTC
Trying to make sure I understand one aspect of the Heartbleed vulnerability correctly... For your information to get compromised, you need to actually have used the site while the vulnerability existed, right? It's not my password stored in a database that's exposed, but the traffic created when I visit the website? In other words, if I registered at some website 3 years ago and haven't returned since, I've got nothing to worry about from that site?

Thanks.
Three answers:
Jamie
2014-04-19 19:18:48 UTC
Like Dustin said, from what I understand about the Heartbleed bug, one must actually visit the website in question in order for their data to become compromised.



Below is a link to a Wikipedia article about the Heartbleed bug, which you may want to check out.



http://en.wikipedia.org/wiki/Heartbleed



Additionally, below is a link to an episode of the Security Now! podcast, from the TWiT Netcast Network, where the Heartbleed bug is discussed by Leo Laporte and Steve Gibson.



http://twit.tv/show/security-now/450



However, it wouldn't be a bad idea to change your passwords anyway, especially on the websites that were affected by the Heartbleed bug, just to be safe.



Best of luck and I hope I helped you!
Herp Derp
2014-04-20 03:34:31 UTC
Whenever you open a session with a server, the SSL was leaking 56kB of data every second or so. Because everytime the server would ping to see if you are still there (We call this a heartbeat) then RANDOM data would be leaked. The data is encrypted but if the hacker that was probing this were lucky enough to get their encryption key from a heartbeat... They could decrypt all the data that they got from that server's database. (Passwords, Documents, Pictures, etc.)



This bug has been in effect for about 2 years now.



Anything in that server's database can be theirs if they are lucky.
Anonymous
2014-04-20 02:04:55 UTC
You are correct. From what i understood the vulnerability exploits the Ram of the server to get the info.


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.
Loading...