
If you are using OpenSSL, you need to update now - critical vulnerability



Brian Altenhofel
04-08-2014, 01:45 PM
Heartbleed Bug (http://heartbleed.com/)


We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

vangogh
04-08-2014, 10:55 PM
Thanks Brian. My host sent me an email not too long ago and I upgraded the server with a patch right away. Pretty nasty security hole.

Fulcrum
04-09-2014, 05:29 PM
Canada Revenue (the northern version of the IRS) just announced they shut down their e-filing option for submitting taxes due to this bug. Things could get interesting.

Business Attorney
04-09-2014, 05:43 PM
Several articles I read today said everyone should change every single password they use, but that there is no point in changing a password on a site until you know that the site has fixed the hole. Also, it doesn't apply to sites using encryption technology other than OpenSSL.

So here are my questions:

How can I tell if a bank, credit card company, etc., was using OpenSSL, or do I just assume they were and not take any chances?

How will I know that the site has patched the hole? Do you think sites will let us know or do I just start changing passwords every week to be on the safe side?

This sucks. Despite past advice to regularly change passwords, I have only rarely done so in the past. I am not too concerned if someone steals my Wikipedia password or my password on CBSSports.com but there are dozens of passwords that I do care about, starting with financial institutions but also including any site that I may have ever given my credit card information to.

Since I have been on the Internet for 20 years, I don't even remember all the sites where I have set up accounts or made purchases. In fact, I recently tried to set up an account on a site that I didn't ever remember visiting before and they said there was already an account using my password. Sure enough, I had visited once a decade ago and had set up an account.

I repeat, this SUCKS.

Brian Altenhofel
04-09-2014, 06:52 PM
The following site will let you enter in a domain name and it runs a very basic exploit against the site to tell you if it is running a vulnerable version of OpenSSL.

Test your server for Heartbleed (CVE-2014-0160) (http://filippo.io/Heartbleed/)

It does NOT tell you if an SSL certificate has been re-issued. The only real way to do that is to compare serial numbers or fingerprints from before the fixed release versus after. At least one password manager (LastPass, though I don't use them) is making that information available to their users to let them know which passwords they should change and which ones don't really matter at this point.

It's important that any site running a vulnerable version of OpenSSL update to a fixed version AND get their SSL certificate re-issued using a new private key. Using the old private key would be akin to having a master key for your place of business, having one employee's key stolen along with a copy of the master key, and rekeying the locks on the doors to only keep out the employee's key but not the master key. At least that's the most simple analogy I can come up with at the moment.
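The filippo.io tool above tests a server from the outside. For anyone who runs their own server, the complementary check is local: look at which OpenSSL release is actually linked in. The following is an added example and not code from the thread or from any of the tools linked in it; the function names are this example's own. It encodes the affected range for CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 fixed it, and 0.9.8 / 1.0.0 never had the heartbeat code). One caveat a practitioner should keep in mind: Debian, Ubuntu and Red Hat backported the fix without bumping the version letter, so a patched box can still report "1.0.1e"; on those systems the package changelog or the build date from `openssl version -b` is the thing to check, not the version string alone.

```python
import re
import ssl

# Matches "1.0.1e", "1.0.1e-fips", "1.0.2-beta1", "1.1.0" inside a version banner.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def heartbleed_affected(version_string):
    """Return True if the OpenSSL version string names a release in the
    CVE-2014-0160 affected range.

    Affected: 1.0.1 (including its betas) through 1.0.1f, and 1.0.2-beta1.
    Fixed:    1.0.1g and later, 1.0.2-beta2 and later.
    Never affected: 0.9.8, 1.0.0 and anything after 1.0.2 (no vulnerable
    heartbeat code in those lines).

    Caveat: distributions that backported the fix (Debian/Ubuntu/RHEL)
    kept the old version letter, so a "1.0.1e" build may already be
    patched. This function judges the upstream release only.
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % (version_string,))
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter = m.group(4)      # "" for a plain x.y.z release, else "a".."z"
    beta = m.group(5)        # None unless the string carries "-betaN"

    if (major, minor, patch) == (1, 0, 1):
        # No letter (1.0.1 or a 1.0.1 beta) through "f" is vulnerable;
        # "g" and later carry the fix. Single letters compare lexically.
        return letter == "" or letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only 1.0.2-beta1 shipped the bug.
        return beta == "1"
    return False


def local_openssl_affected():
    """Check the OpenSSL library this Python interpreter is linked against.

    ssl.OPENSSL_VERSION is the same banner `openssl version` prints, e.g.
    "OpenSSL 1.0.1e-fips 11 Feb 2013". Subject to the backport caveat above.
    """
    return heartbleed_affected(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    print("linked OpenSSL:", ssl.OPENSSL_VERSION)
    print("upstream release in affected range:", local_openssl_affected())
```

Remember that this only answers whether the library is vulnerable. As the post above says, a server that was exposed also needs its certificate re-issued on a new private key, and no version check can tell you whether that happened; compare the certificate's serial number or fingerprint against the one you recorded before the fix.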

Harold Mansfield
04-09-2014, 07:25 PM
Here's the thing. It's been around for at least 2 years and they just discovered it. It's like locking the door after you've already been robbed.

But still lock it so that you don't get robbed again after you replace all of your stuff.

Brian Altenhofel
04-11-2014, 04:34 PM
XKCD came through with a simple explanation (http://xkcd.com/1354/).

http://imgs.xkcd.com/comics/heartbleed_explanation.png

Brian Altenhofel
04-14-2014, 03:59 PM
Heartbleed bug exploited to steal taxpayer data | Ars Technica (http://arstechnica.com/security/2014/04/heartbleed-bug-exploited-to-steal-taxpayer-data/)