
Heartbleed

Posted: Mon Apr 14, 2014 10:36 am
by Zancarius
Unless you've been living under a rock, you've probably heard about the Heartbleed bug in OpenSSL. And, as an added bonus, if you've been on IM any time last week, you probably got a flood of excited messages from me, cursing about updating a few servers and running tests. Plus side: I read the news on the evening of the 7th, learning about the vulnerability within hours of it being reported. Down side: Staying up late patching things sucks balls.

So, what's the big deal? As it turns out, heartbleed (so named, because it affects the heartbeat protocol added in TLS 1.2, I believe) is based on some programmatic errors in the OpenSSL implementation that allow an adversary to retrieve data stored in memory allocated by OpenSSL on the vulnerable server. While this only affects connections secured by TLS (HTTPS, the little green lock icon), it circumvents the exact reason for securing the connection in the first place. Due to the passive nature of the bug, researchers have managed to secure passwords, session identifiers (these tell the server you're logged in), and other data transmitted to the server without leaving a trace.

The best way to protect yourself in this case is to examine any site you've visited on a secure (HTTPS) connection since the 7th using this tool and if it's not vulnerable, change your password. (Obviously, if it's still vulnerable, changing your password likely won't accomplish very much and the new password can just as easily be snagged.) Note that this only affects hosts that are using an exploitable version of OpenSSL. In particular, services running NGINX and Apache are likely to be affected, but IIS is not. Services hosted on Amazon AWS were also affected for about 24 hours (slightly longer if they were hosted on the US-EAST instances).

Some client software is also affected but it appears that exploitable clients are mostly limited to Android. There was some talk of switching Chrome/Chromium to OpenSSL, but I suspect that will never materialize. Firefox, Chrome, and possibly other browsers use NSS (written by Mozilla) and are therefore not exploitable.

TL;DR: If you've gone shopping online since the 7th or have even browsed Amazon since then, change your password.
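The "programmatic error" behind the bug, shown as an added toy model in C (this is not OpenSSL's code; the record layout, the ARENA buffer and the "SECRET" bytes are constructed for the demo): the vulnerable handler echoes as many bytes as the peer's length field claims, the fixed handler first checks that claim against the length of the record it actually received.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a TLS heartbeat request, not OpenSSL code:
 * type(1) | payload_length(2, big-endian) | payload | padding(16).
 * ARENA stands in for process memory; the received record is only its first RECORD_LEN bytes. */
#define ARENA_SIZE 64
#define PADDING 16
#define RECORD_LEN 21
static const unsigned char ARENA[ARENA_SIZE] = {
    0x01, 0xFF, 0xFF,                   /* request, claimed payload_length = 65535 */
    'h', 'i',                           /* the 2-byte payload actually sent */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,    /* 16 bytes of padding: the record ends here */
    'S','E','C','R','E','T'             /* bytes beyond the record, never meant to be echoed */
};

typedef size_t (*heartbeat_fn)(const unsigned char *, size_t, unsigned char *, size_t);

/* Vulnerable handler: trusts the peer's length field and echoes that many bytes
 * from the payload offset. Clamped to the arena only so this demo avoids
 * undefined behaviour; the real bug had no clamp at all. */
size_t vulnerable_heartbeat(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    (void)rec_len;                      /* the bug: the actual record length is ignored */
    size_t n = (size_t)((rec[1] << 8) | rec[2]);
    if (n > ARENA_SIZE - 3) n = ARENA_SIZE - 3;
    if (n > out_cap) n = out_cap;
    memcpy(out, rec + 3, n);
    return n;
}

/* Fixed handler: the claimed payload must fit inside the record actually
 * received (the check added in OpenSSL 1.0.1g); otherwise discard silently. */
size_t fixed_heartbeat(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + PADDING) return 0;
    size_t claimed = (size_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + claimed + PADDING > rec_len || claimed > out_cap) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* 1 if the handler's reply to the malformed record contains the out-of-record bytes. */
int leaks_secret(heartbeat_fn handler) {
    unsigned char out[ARENA_SIZE];
    size_t n = handler(ARENA, RECORD_LEN, out, sizeof out);
    return n >= 24 && memcmp(out + 18, "SECRET", 6) == 0;
}
/* Reply length for a well-formed 2-byte heartbeat; both handlers should echo 2. */
size_t echo_valid(heartbeat_fn handler) {
    unsigned char good[RECORD_LEN] = { 0x01, 0x00, 0x02, 'h', 'i' };
    unsigned char out[ARENA_SIZE];
    return handler(good, RECORD_LEN, out, sizeof out);
}
```

Running `leaks_secret` on each handler shows the vulnerable one returning the bytes past the record while the fixed one returns nothing, and `echo_valid` shows the check does not break legitimate heartbeats.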

Re: Heartbleed

Posted: Mon Apr 14, 2014 10:38 am
by Zancarius
Also, if you think it isn't possible to exploit this in the wild, news today reveals that it's already being used on important government hosts (in Canada) that apparently didn't patch up in time.