Critical crypto bug exposes Yahoo Mail passwords Russian-roulette style

Status
Not open for further replies.

ThomBat

Smack-Fu Master, in training
91
Good to see some actual rubber-on-the-road proof of the vulnerability, since in the earlier thread people were quite sensibly asking how often something interesting does churn through the 64kB window.

Is there an up-to-date summary page of the state of major services like Gmail, Yahoo, etc, showing whether they've patched and re-issued keys? I don't want to go updating passwords on each until I know they've shut their peephole.
 
Upvote
49 (49 / 0)

ThomBat

Smack-Fu Master, in training
91
SuperJB said (http://meincmagazine.com/civis/viewtopic.php?p=26610001#p26610001):
"I'm sorry ... but this was no accident. Security conscious programmers know better. Someone got a nice phat check."

I wish I got a big payout every time I fucked up my logic - I'd surely have enough money to slow down and do it properly the first time!

(just kidding - I'd still fuck up. It's a variant of Hofstadter's Law: tomorrow you will see something in your code so bone-headed that you pretend for a second it suffered bitrot overnight - and this will surprise you even though you already adjusted your expectations downwards.)
 
Upvote
24 (25 / -1)