Zoder

join:2002-04-16
Miami, FL

2 recommendations

Heartbleed - zero day critical bug in OpenSSL

Just saw this on Ars. »arstechnica.com/security/2014/04···ropping/

and a blog post about the bug. »heartbleed.com/

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

It's been in the code for 2 years and is fixed in version 1.0.1g, which was just released. However, unpatched systems are vulnerable to having the following compromised, and the attack leaves no trace that it was performed.
quote:
secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.


QuaffAPint
A Big Thanks To The Troops

join:2001-01-10
Downingtown, PA

1 recommendation

Just patched mine last night. Test yours (or any) server to see if it has the vulnerability...
»filippo.io/Heartbleed/



Boooost

@151.190.40.x
reply to Zoder

I thought open source was supposed to prevent this sort of thing.


Zoder

join:2002-04-16
Miami, FL
reply to Zoder

Yahoo mail and fbi.gov are affected.

»threatpost.com/seriousness-of-op···n/105309



angussf
Premium
join:2002-01-11
Tucson, AZ
kudos:4
reply to Zoder

BarclayCardUS.com is vulnerable. Not good, as they are used by many private-label cards like GE.

[edit] LLBeanVisa.com is also vulnerable.



DslreportsOK

@comcast.net
reply to Zoder

Re: Heartbleed - zero day critical bug in OpenSSL

Dslreports not vulnerable to heartbleed.




kickass69

join:2002-06-03
Lake Hopatcong, NJ
reply to Zoder

OpenVPN 2.3.2 Installer Update

The I004 Windows installer includes OpenSSL 1.0.1g, which fixes the fairly serious TLS heartbeat security vulnerability.

Link to advisory - »www.openssl.org/news/secadv_20140407.txt

»openvpn.net/index.php/open-sourc···ads.html



Doctor Four
My other vehicle is a TARDIS
Premium
join:2000-09-05
Dallas, TX
reply to Zoder

This impacted Amazon's load balancing services, which is used by Mojang.com and Minecraft.net. The following was posted to the Minecraft forum tonight:

»www.minecraftforum.net/news/1222···rd-asap/

In short, if you play Minecraft (and some here do), your account information may have been compromised, and changing your password is strongly recommended.
--
I, for one, welcome our new Computer Overlords.



Boooost

@optonline.net
reply to Doctor Four

Re: Heartbleed - zero day critical bug in OpenSSL

With something like 30 million users, what are the odds that someone found your password? Nil.



Bill_MI
Bill In Michigan
Premium,MVM
join:2001-01-03
Royal Oak, MI
kudos:2
Reviews:
·WOW Internet and..

4 recommendations

reply to QuaffAPint

They seem to have problems with volume. Qualys added a test so here's their option, too: »www.ssllabs.com/ssltest/


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:12
reply to Zoder

Wow, their page provides quite a lot of detail!!



MacGyver
Don't Waste Your Energy
Premium,ExMod 2003-05
join:2001-10-14
Canada
kudos:2

3 recommendations

reply to Zoder

Re: Heartbleed - zero day critical bug in OpenSSL

Another NSA backdoor closed. Only countless more to go.


ke4pym
Premium
join:2004-07-24
Charlotte, NC
Reviews:
·VOIPO
·ooma
·Verizon Broadban..
·Northland Cable ..
·Time Warner Cable
reply to Bill_MI

said by Bill_MI:

They seem to have problems with volume. Qualys added a test so here's their option, too: »www.ssllabs.com/ssltest/

I *LOVE* me some SSLLabs. Been using them for about a year now to test various properties for my employer. And they are super awesome about replying to emails when you find a bug.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Bill_MI

Welll...well...I guess the world has suddenly discovered Qualys. I was just told that they are operating at full capacity and to try again later.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



therube

join:2004-11-11
Randallstown, MD
reply to Zoder

For local applications, is it sufficient to simply replace existing dll's (libeay32.dll & ssleay32.dll) with updated 1.0.1g's ?

(My Eudora's were dated 08/17/2006 .)


ke4pym
Premium
join:2004-07-24
Charlotte, NC
reply to Mele20

said by Mele20:

Welll...well...I guess the world has suddenly discovered Qualys. I was just told that they are operating at full capacity and to try again later.

Beat on the submit button. It'll go through in about 5 tries.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

Yeah...I got it to work...very slow the first test. Then I did a couple of other banking sites and it was fast.

Anyone know what version of Firefox first supported TLS 1.2? I was surprised to see that my Fx 24.4 ESR does NOT even support TLS 1.1 much less 1.2!

SeaMonkey 2.25 supports TLS 1.2. I suppose I should be using SM instead of Fx for banking.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


ke4pym
Premium
join:2004-07-24
Charlotte, NC

said by Mele20:

Then I did a couple of other banking sites and it was fast.

Probably because their results were cached.


therube

join:2004-11-11
Randallstown, MD

1 recommendation

reply to Mele20

(SeaMonkey 2.24) Enabled support for TLS 1.2 (RFC 5246) by default (bug 861266)

So that would be FF27.



siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to Zoder

E-filing of Canadian taxes shut down because of Heartbleed bug

quote:
(Reuters) - Right in the heart of tax-filing season, the Canada Revenue Agency (CRA) shut down access to online tax services on Wednesday because of an Internet bug that has made data on many of the world's major websites vulnerable to theft by hackers.
»www.reuters.com/article/2014/04/···20140409

IamGimli

join:2004-02-28
Canada
kudos:2

1 recommendation

reply to Zoder

Before you start changing passwords make sure the site you're changing the password on has been patched, otherwise changing the password is of little value.


ke4pym
Premium
join:2004-07-24
Charlotte, NC

1 recommendation

said by IamGimli:

Before you start changing passwords make sure the site you're changing the password on has been patched, otherwise changing the password is of little value.

Can't recommend this enough. I'd give it at least 15-20 or 30 days before even bothering. It's going to take some companies that long just to think about scheduling a change control for the fix.


SixOfNine
Brake In A Ladylike Manner.
Premium
join:2001-08-30
Sterling, VA
Reviews:
·Verizon FiOS

said by ke4pym:

said by IamGimli:

Before you start changing passwords make sure the site you're changing the password on has been patched, otherwise changing the password is of little value.

Can't recommend this enough. I'd give it at least 15-20 or 30 days before even bothering. It's going to take some companies that long just to think about scheduling a change control for the fix.

+1. LastPass has published a Heartbleed checker.

»lastpass.com/heartbleed/

Edit: Here's the results for dslreports:

Detected server software of nginx
That server is known to use OpenSSL and could have been vulnerable.

The SSL certificate for www.dslreports.com valid 9 months ago at Jul 3 05:04:07 2013 GMT.
This is before the heartbleed bug was published, it may need to be regenerated.

--
Leave the gun. Take the cannoli.

psloss
Premium
join:2002-02-24
Lebanon, KS
reply to ke4pym

said by ke4pym:

said by IamGimli:

Before you start changing passwords make sure the site you're changing the password on has been patched, otherwise changing the password is of little value.

Can't recommend this enough. I'd give it at least 15-20 or 30 days before even bothering. It's going to take some companies that long just to think about scheduling a change control for the fix.

Agree with the recommendation, disagree on the time-frame. This is already an all-nighter, triage situation -- for the good guys and the bad guys. Hopefully this won't require the same wholesale action by users, but I'm expecting to hear from vendors and providers this week.
»isc.sans.edu/forums/diary/Heartb···ns/17929


Chubbzie

join:2014-02-11
Greenville, NC

1 recommendation

reply to SixOfNine

The LastPass checker is not a valid check for the vulnerability. It is basing its findings on the web daemon in use, whether it uses OpenSSL by default and the age of the cert(s) themselves.

A valid checker will actually initiate a SSL connection to the device and send a heartbeat request & decide based on the reply.
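An added example (not code from this thread or from OpenSSL itself): a simplified C model of the two length checks the 1.0.1g fix added to heartbeat processing, run over constructed sample records. Before the fix the payload length claimed inside the record was trusted, which is why a tiny request could make a server echo back far more memory than it was sent.

```c
#include <stdint.h>
#include <stddef.h>

/* Simplified model of a TLS heartbeat record as OpenSSL parses it:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_PADDING 16

/* Return the number of payload bytes a server may legitimately echo back,
 * or -1 when the record must be dropped. The two checks mirror the ones
 * added in OpenSSL 1.0.1g: before the fix the claimed payload_length was
 * copied straight from the record into the reply without comparing it to
 * the record's real length, so a short record with a large claimed length
 * caused the reply to be filled from whatever followed it in memory. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL) return -1;
    /* Check 1: a record must at least hold type + length + minimum padding. */
    if (1 + 2 + HB_PADDING > rec_len) return -1;
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    /* Check 2: the claimed payload plus padding must fit inside the record. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;
    return (int)payload;
}

/* Constructed sample records (not captured traffic). Type byte 1 = request. */
static uint8_t good_rec[1 + 2 + 4 + HB_PADDING] = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static uint8_t bad_rec[1 + 2 + 4 + HB_PADDING]  = { 1, 0xFF, 0xFF, 'p', 'i', 'n', 'g' };
static uint8_t runt_rec[3]                      = { 1, 0x00, 0x00 };

/* Well-formed: 4-byte payload inside a 23-byte record, echo 4 bytes. */
int check_good(void) { return heartbeat_payload_len(good_rec, sizeof good_rec); }
/* Claims 65535 bytes but the record is 23 bytes: dropped after the fix. */
int check_bad(void)  { return heartbeat_payload_len(bad_rec, sizeof bad_rec); }
/* Too short to even hold the mandatory padding: dropped. */
int check_runt(void) { return heartbeat_payload_len(runt_rec, sizeof runt_rec); }
```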



SixOfNine
Brake In A Ladylike Manner.
Premium
join:2001-08-30
Sterling, VA
Reviews:
·Verizon FiOS

said by Chubbzie:

The LastPass checker is not a valid check for the vulnerability.

I should have mentioned the fine print, mea culpa. LastPass says that their checker tells whether other sites and services may have been affected by Heartbleed.

»blog.lastpass.com/2014/04/lastpa···bug.html
--
Leave the gun. Take the cannoli.


DannyZ
Gentoo Fanboy
Premium
join:2003-01-29
Erie, PA
reply to Zoder

Re: Heartbleed - zero day critical bug in OpenSSL

The second post in this thread has a link to a heartbeat checker »Re: Heartbleed - zero day critical bug in OpenSSL