Tech Friday With Dave Hatter

Posted Friday, April 18th 2014 @ 3am


·        Goes beyond the memory leak that can expose passwords and other sensitive information; patching OpenSSL might not be enough

·        Sites using OpenSSL may need to replace their digital certificates

·        Digital certificates are used by a web browser to verify the identity of a server and to create a secure channel

·        Certificates are issued by a central authority (CA), which validates their authenticity and provides a trusted resource

·        The certificate authority (CA) uses private keys on a web site to verify its identity

·        Keeping keys secure is critical to ensure web security

·        Stealing the keys would allow someone to impersonate a site

·        According to Netcraft, more than 500,000 certificates are vulnerable to Heartbleed

·        All of these certificates need to be revoked and reissued to ensure that old ones no longer work and new ones are valid, or businesses need new certificates

o   This takes time and costs money

o   Some businesses may not be aware they need to do this

·        Buying new certificates does not eliminate the need to revoke existing certificates

·        Some victims have been identified and at least one hacker has been arrested

·        The Canadian Revenue Agency was hit and 900 taxpayers' information was exposed

·        Some of the tools that identify the affected sites don’t actually work

·        If you use Chrome, there is a plugin that will warn you if a site has not been patched

·        Cloudflare set up a site to see if keys could be retrieved, and it has been proven that they can

·        There have been reports that the NSA and possibly other intelligence agencies knew about the bug and exploited it



·        The big 3 tax prep software applications: TurboTax, H&R Block, and TaxACT report they are secure and not affected by Heartbleed

·        But there are other issues:

o   Sensitive data is captured in the applications and transferred across the Internet

o   These sites are a huge honeypot for hackers

o   These sites have a vested interest in keeping your data secure

·        e-File is encrypted

·        IRS prefers e-File

·        You will get your refund sooner and fewer human beings have access to the tax data

·        Reputable sites are listed with the IRS
