Heartbleed: why you should care

Transcript

1. Heartbleed why you should care

2. C J Silverio devops at npm @ceejbot

3. what's heartbleed?

4. security vulnerability disclosed April 7 2/3rds of all secure servers

5. OpenSSL the secure 's' in https://

6. heartbeat a pulse from a client to a server &

   back

7. Alice ⇢ ping ⇢ Bob Alice ⇠ pong ⇠ Bob

8. Alice lies: “pong is 64K letters.”

9. Bob trusts her. He sends Alice too much data.

10. that data is the bleed in heartbleed

11. what leaked?

12. Everything. » your passwords » your cookies » server's passwords

    » server's identifying certificates

13. Everything leaked. From 2/3rds of the servers on the internet.

14. How long did this leak exist?

15. Two years.

16. Everything leaked from 2/3rds of the servers on the internet

    for two years.
17. None

18. How did this happen?

19. Rogue agency: the NSA? incompetence?

20. now what?

21. change your passwords

22. change your passwords for everything

23. yes, everything

24. Use a password manager 1Password https://getvau.lt

25. Toss your cookies

26. Turn on 2-factor auth

27. Recap

28. Heartbleed is as bad as it gets.

29. change passwords delete cookies 2-factor auth

30. donate to important open-source projects

31. Buy your operations staff a drink

32. change your passwords