
Heartbleed - OpenSSL zero day vulnerability


5 replies to this topic

#1 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 10 April 2014 - 05:50 PM

At the moment, Heartbleed is probably by far the most discussed security vulnerability on the modern web. Since last Monday, a huge discussion has been going on in different forums, blogs and other similar security-related websites. From whatever I have gone through so far, let me quote a few lines:
 
 

Okay, so OpenSSL is a major part of the modern Internet. What would happen if OpenSSL had a flaw? What if that flaw meant those secret keys between you and the server were suddenly accessible by someone else?
 
What if the flaw meant that someone could secretly gain access to the keys the server has, make a copy for themselves, and eavesdrop on everything you say to that server? What if that flaw was impossible to detect?
 
That's Heartbleed. It's a vulnerability that, thus far, has operated without detection. Plus, it's designed in such a way that with enough effort and enough time, lots of information could be accessed by someone else. And you (and the server you talk to) would have no idea.
 
As bad as that is, the worst part is that this vulnerability has actually been around since December 2011. Lots of software packages started using the vulnerable version of OpenSSL in May 2012. So for two years, any app, website, bank or private messaging app that uses OpenSSL has been vulnerable to this bug.
 
Now, it's important to note that not every web server or application uses OpenSSL as its SSL/TLS implementation. It's also true that if an app was using something older than OpenSSL circa 2011, this bug won't affect it. As we've seen, however, the vast, vast majority of OpenSSL implementations running on the web before Monday were running a version vulnerable to Heartbleed.


 

An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.



Writing about Heartbleed, security expert Bruce Schneier says "'catastrophic' is the right word. On the scale of 1 to 10, this is an 11."



For anyone who's interested in learning more about it, these articles are worth going through.



#2 Nuno Brito

Nuno Brito

    Platinum Member

  • Team Reboot
  • 10452 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 10 April 2014 - 07:23 PM

So many popular sites affected. Good post.

 

Some two months ago Google stopped a suspicious login to my account from some other part of the globe that had been made with my correct password details. The password was unique and not used elsewhere. Interesting to think about who else was using this defect to their advantage.. :huh:



#3 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 11 April 2014 - 01:25 AM

And why such a sexy name?
 

So first things first: What does heartbleed mean? The bug, as my colleague Lindsey Bever explained Tuesday night, is in a type of software called OpenSSL, which is used to encrypt sensitive information on Web servers. OpenSSL, in turn, contains something called a “heartbeat extension,” or RFC6520, which essentially checks that a connection between two servers or devices is live. (This is getting a little in the weeds, but it’s called heartbeat because it’s a type of “keepalive” connection, and we’ve talked about machines as “live” or “dead” for quite some time.) Unfortunately, there’s a glitch in the heartbeat code that lets one device grab bits of memory from the other. So in its initial security alert about the flaw, OpenSSL refers to the bug as a “TLS heartbeat read overrun.”


Also, this is the kind of bug for which a website was launched an hour after the OpenSSL alert.



#4 florin91

florin91

    Frequent Member

  • Team Reboot
  • 197 posts
  •  
    European Union

Posted 12 April 2014 - 05:38 AM

Good thing we're not using SSL on this website ( Or maybe only on cPanel login :D )... LOL Maybe we should encrypt the traffic ?

#5 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1444 posts
  • Location:Santa Barbara, California
  •  
    United States

Posted 12 April 2014 - 09:06 AM

Good thing we're not using SSL on this website ( Or maybe only on cPanel login :D )... LOL Maybe we should encrypt the traffic ?

 

I tested it a couple of days back using http://heartbleedvul...bilityscan.com/. It seems to be unaffected.



#6 florin91

florin91

    Frequent Member

  • Team Reboot
  • 197 posts
  •  
    European Union

Posted 13 April 2014 - 01:55 PM

Better test with this: http://filippo.io/Heartbleed/ (open-sourced here: https://github.com/FiloSottile/Heartbleed ) or with this: http://www.exploit-db.com/exploits/32791/ .

 

Yeah, it seems unaffected, although we don't use SSL for many things :D





