Doesn't the Heart Bleed vulnerability imply that we need to change passwords for all systems?

Question

I understand the part about a server with the vulnerability.

But from what I gather, the vulnerability has also existed in browsers that use the vulnerable OpenSSL implementations.

So, if I first visit a site that doesn't have a vulnerable OpenSSL implementation, log in then, and then afterwards (or perhaps through some obscure AD networks) gets routed to a malware server (that wouldn't normally be able to attack my computer), wouldn't this server be able to send an incorrect heart beat response back and thus get that 64KB from my browser sent to it?

So in essence, won't the Heart Bleed vulnerability in my browser mean that I could've potentially have leaked all data from my browser to a site?

Good question, I've just read "client" all over the place, perhaps I'm mistaken on this part? — Lasse V. Karlsen, Apr 10 '14 at 10:57

score 2 · Accepted Answer · answered Apr 10 '14 at 11:01

The only major browser I know of that uses OpenSSL is Opera, and the versions I've checked appear to use an older version that isn't vulnerable to the Heartbleed attack. Firefox, Chrome, and related browsers use NSS for SSL. IE and derivatives (including most embedded HTML renderers on Windows) use Microsoft's SSPI. Safari on MacOSX and iOS uses Apple's SSL implementation. Dillo and Lynx are the closest thing I know of to major browsers that use OpenSSL, and those have a marketshare best measured in parts per million.

Vulnerable clients tend to be special-purpose tools such as "wget" and "curl" (command-line tools for making HTTP requests), or non-browser programs such as email clients.

Doesn't the Heart Bleed vulnerability imply that we need to change passwords for *all* systems?

1 Answers1

Doesn't the Heart Bleed vulnerability imply that we need to change passwords for all systems?