dslreports logo
 
    All Forums Hot Topics Gallery
spc
view:
topics flat nest 
Comments on news posted 2014-04-09 09:06:05: News emerged this week that the Internet's most popular implementation of the Transport Layer Security (TLS) protocol has contained a bug that allows a hacker to siphon all manner of private data, including passwords and authentication cookies, from.. ..

page: 1 · 2 · next

MxxCon
join:1999-11-19
Brooklyn, NY

MxxCon

Member

Disappointing?

One of the most commonly used cryptography component in the open-source world had what appears to be such a trivial bug introduced and undetected for ~2 years.

Makes me wonder if there are indeed security audits happen on such projects...

DontWorry
@google.com

DontWorry

Anon

Other than Yahoo, most visited sites not affected

Other than Yahoo, most major sites like Gmail, Facebook, MSN, Netflix, etc are not affected.

cableties
Premium Member
join:2005-01-27

cableties

Premium Member

busy patching...all night long...

a Colleague told me he and others been "burning the oil" to fix this on their (er our) servers.
Seems the flaw wasn't present on the previous release. So someone that did the last version, didn't catch this?

I would avoid banking and other sites till all with this vulnerability have it patched.

From my friend: Say you have an SSL web site using openSSL- version 1.01e... I say... give me this 64k of data, that has your private key in memory, you say "ok here ya go" and then I get all of your encrypted data, unencrypted.... that simple.
And----!!!! and it is totally undetectable to know if you were compromised !!!!----
ptb42
join:2002-09-30
USA

1 recommendation

ptb42

Member

said by cableties:

give me this 64k of data, that has your private key in memory, you say "ok here ya go" and then I get all of your encrypted data, unencrypted.... that simple.

It's not quite that simple. The 64K of memory that you get has to have the private key. I don't know how easy it is to determine what 64K of memory has the private key. But, let's say that you manage to get it.

With the private key, you may be able to decode an entire SSL conversation. There is a way (as a user) that you can prevent that, but I won't start that tangent in this post.

However, you have to be in a position to capture all the packets exchanged between the client and the server. If you have access to the server's data center, their physical security is already compromised. The best that you could probably do is capture an unencrypted WiFi connection, but that would be limited to a single client.

wistlo
join:2003-01-04
New Orleans, LA

wistlo

Member

said by ptb42:

you have to . . . capture all the packets exchanged between the client and the server

Is is not possible that decrypted client passwords could be present in server memory accessed via this flaw?

battleop
join:2005-09-28
00000

battleop to cableties

Member

to cableties
The news was reporting that 500k to 1M sites were effected. I don't think it's going to be as wide spread as they are reporting because I really doubt that the majority of servers are running a version of OpenSSL that's that up to date. I think the majority of servers that have been put into service in the last year will be the ones that are most vulnerable to this bug.

I've checked our public facing servers and none of them seem to be running a version that's vulnerable to this bug.
ptb42
join:2002-09-30
USA

1 edit

ptb42 to wistlo

Member

to wistlo
said by wistlo:

Is is not possible that decrypted client passwords could be present in server memory accessed via this flaw?

Yes, that's possible. Or, any amount of other private information that might be present in the service's RAM at the moment.

But, I was referring to the consequences of getting the private key for the sites SSL certificate. It can only be used to decrypt data that you can capture. It's certainly a serious flaw, but difficult to exploit unless you are in a position to capture the data exchanged between client and server.
ptb42

ptb42 to battleop

Member

to battleop
The results of a mass testing effort (at about 1130 UTC on 2014-04-08) are here:

»github.com/musalbas/hear ··· masstest

It uses a list of the top 1,000,000 sites from Alexa. They have compiled the results for the top 10, 1000, and 10000 sites.

newview
Ex .. Ex .. Exactly
Premium Member
join:2001-10-01
Parsonsburg, MD

newview to DontWorry

Premium Member

to DontWorry

Re: Other than Yahoo, most visited sites not affected

said by DontWorry :

Other than Yahoo, most major sites like Gmail, Facebook, MSN, Netflix, etc are not affected.

I just read an article on Ars Technica's website entitled, "Dear readers, please change your Ars account passwords ASAP".
quote:
With Ars servers fully updated, it's time to turn our attention to the next phase of recovery. In the hours immediately following the public disclosure of the so-called Heartbleed vulnerability, several readers reported their Ars accounts were hijacked by people who exploited the bug and obtained other readers' account passwords.
»arstechnica.com/security ··· ds-asap/
resa1983
Premium Member
join:2008-03-10
North York, ON

resa1983

Premium Member

CRA

Canada's Revenue Agency's login portion has been shut down entirely due to heartbleed.. I assume until they patch it, whenever that will be.

Its kind of sad that other Canadian gov sites with logins have patched already, and CRA is still lagging.
lutful
... of ideas
Premium Member
join:2005-06-16
Ottawa, ON

lutful

Premium Member

I am getting "this page not available" errors for many https URLs.

cableties
Premium Member
join:2005-01-27

cableties to ptb42

Premium Member

to ptb42

Re: busy patching...all night long...

Yes, you are correct. Difficult to exploit but it is serious.
tg1
join:2003-08-16
New Hyde Park, NY

tg1

Member

Networking Equipment?

Has anyone been testing their equipment? I think my pfsense box is affected. My DD-WRT routers seem to be okay.

DontWorry
@comcast.net

DontWorry to DontWorry

Anon

to DontWorry

Re: Other than Yahoo, most visited sites not affected

Canada's version of the IRS (called the CRA) has shut down their web site in the middle of tax filing season to fix their systems due to the SSL bug.
»www.calgaryherald.com/ne ··· ory.html

cableties
Premium Member
join:2005-01-27

cableties

Premium Member

Some tips...

Disclaimer: I do not like referring folks to CNET sites because of the obnoxious ads, scrolling windows, and untrustful forum (breeched accounts, etc.).

However, if you have adblock and noScript, some useful tips (but I don't how many will email their bank to ask," Have you IT folks patched this yet? I won't bank online till you fix this!".

»www.cnet.com/news/how-to ··· eed-bug/
ptb42
join:2002-09-30
USA

1 recommendation

ptb42

Member

I'll use this opportunity to explain the measure I was discussing earlier....

As you noted, if you can obtain the SSL certificates private key, you can potentially decode an SSL connection if you can capture all the packets between client and server. This is what is known as a "man in the middle" (MITM) attack, in the cryptography world.

In fact, there are at least two monitoring products on the market that do exactly this: when provided with the private key, they can analyze a copy of the packets forwarded by a network switch/router, and provide information about the performance of the web server (response time, throughput, etc.).

However, this passive MITM attack can be foiled.

Your initial connection to a secure server actually uses the public key on the SSL certificate to perform a "key exchange". A random symmetric key is generated and exchanged, and all subsequent data is encrypted with this symmetric key. The encryption cipher is actually something like AES or DES. This is much faster than using the public/private keys for all data.

There are several key exchange algorithms. One of them -- Diffie-Hellman -- is resistant to a MITM attack -- there's no known exploit for it. So, if your connection uses that key exchange algorithm, the SSL connection can't be decrypted passively even if if the attacker has the SSL certificate's private key.

However, you have to tell your browser to only use the Diffie-Hellman key exchange. I've done it in Firefox, but don't know if it is possible in Internet Explorer. Unfortunately, I found a lot of secure sites don't support Diffie-Hellman key exchange.
pandora
Premium Member
join:2001-06-01
Outland

pandora to DontWorry

Premium Member

to DontWorry

Re: Other than Yahoo, most visited sites not affected

I wonder how our federal sites are secured in the U.S. or if any state sites (like healthcare connectors) are affected?

battleop
join:2005-09-28
00000

battleop to ptb42

Member

to ptb42

Re: busy patching...all night long...

I'm sure admins for these sites really appreciate the list being thrown out there. Most IT groups are already spread as thin as possible and now they have to drop what they are doing to address this.

I hope the people that exploit this stuff die extremely miserable deaths.

kontos
xyzzy
join:2001-10-04
West Henrietta, NY

kontos

Member

said by battleop:

spread as thin as possible and now they have to drop what they are doing to address this.

Even without being named, that is the only responsible course of action for any IT department. This flaw rises to that level of severity.

cableties
Premium Member
join:2005-01-27

cableties to ptb42

Premium Member

to ptb42

Re: Some tips...

Thank you for that explanation!
cableties

1 edit

cableties to ptb42

Premium Member

to ptb42

Re: busy patching...all night long...

We use this:

»www.ssllabs.com/ssltest/

and Lastpass was offering a link to check sites for vulnerability...
»lastpass.com/heartbleed/

tshirt
Premium Member
join:2004-07-11
Snohomish, WA

tshirt to kontos

Premium Member

to kontos
Even more important is the a C-levels up come to understand that this is not the time to ration IT funding.
having a larger staff and more funding as needed is REQUIRED to protect the newest, fastest growing, most likely to florish section of your business.
This is not a one time event.
rahvin112
join:2002-05-24
Sandy, UT

rahvin112 to battleop

Member

to battleop
The exploit's been in the wild for a while now. Being named is insignificant when key's have already been stolen.

battleop
join:2005-09-28
00000

battleop to kontos

Member

to kontos
I agree 100% but being named goes from patching it in the next 72 hours to right now this very second because the C Level guys are calling for an update every 20 minutes. While hackers could find this on their own it's a help to the lazy script kiddies who won't waste time seeking their 15 minutes.
battleop

battleop to tshirt

Member

to tshirt
The CTO/CIO understand it fully. The problem often lies with the COO/CEO/CFO who really does not understand what the CTO/CIO does. It's very frustrating position to be in. You almost have to let things fail to get any movement on these kinds of things. When they become accustom to things always working it gets harder to get money to do what you need to keep things that way. They don't see or understand what you have to do to keep everything together.

MxxCon
join:1999-11-19
Brooklyn, NY
ARRIS TM822
Actiontec MI424WR Rev. I

MxxCon to cableties

Member

to cableties
said by cableties:

and Lastpass was offering a link to check sites for vulnerability...
»lastpass.com/heartbleed/

So far it just checks for server agent signature and cert issue date...not exactly an accurate check.
tmc8080
join:2004-04-24
Brooklyn, NY

tmc8080

Member

sad, but true

for a while, banks would use SSL for encryption of money transfers... until they started losing money in "transport" to hackers. then, the encryption had to be taken seriously as well as security.
ke4pym
Premium Member
join:2004-07-24
Charlotte, NC

ke4pym

Premium Member

Karl, it's great that dslreports is patched - but ...

you've not replaced your keys (read: SSL certificate) and you're still vulnerable.

Keys hosted on vulnerable OpenSSL versions should be considered compromised and replaced immediately.
zed260
Premium Member
join:2011-11-11
Cleveland, TN
Netgear R7000

1 recommendation

zed260 to MxxCon

Premium Member

to MxxCon

Re: Disappointing?

few things first its imposable to catch every bug in software to do so would mean your inhuman

second of all as best i can tell this bug even though it effected a lot of sites i don't think was widely exploited in those 2 years from looks of it we would have heard of it a lot sooner if it was

im sure givin enough time there will likely be loads more bugs found in ssl and all other software there is no such as bug free software

meeeeeeeeee
join:2003-07-13
Newburgh, NY

1 recommendation

meeeeeeeeee

Member

I think it's time...

That OpenSLL considers NOT taking contributed code from NSA employees.
page: 1 · 2 · next