Heartbleed Bug: Serious Hole in Internet Security

Page 2 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
By the way you should all be aware that the mitigation for this bug takes quite a bit of effort on the part of administrators. Thus, only expect large companies to actually address the issue in the near term, possibly ever.

Right. The private keys could be compromised which means revoking the old and redoing the entire chain. Not a small thing with with outages that could be big depending on how the cert issuer does revocation.

I'm not sure how OS/browsers handle certificate revocation. I think since vista windows will do an OCSP check for revoked certs which is a good thing.
 

Red Squirrel

No Lifer
May 24, 2003
68,481
12,622
126
www.anyf.ca
Yeah this is very scary and the fact that it was there for 2 years even more so. It really makes you wonder if it was planted there by a dev, who is actually an NSA infiltrator. I still think open source is better than proprietary stuff, but this is one "flaw" of open source, as almost anyone can make it on the dev team if they can prove themselves. Then again I imagine the same could happen with proprietary software even if the company has good intentions, but typically what happens with proprietary software, they are just bribed.

Interestingly my servers are so out of date that I'm not affected. Though my home VPN server is affected, running OpenSSL 1.0.1e-fips which falls within the affected range. I turned it off till they add the patch to the repository. I really don't want to try to do it from source when it was previously installed with yum. Just going to make a mess.

The issue with using distros that use yum/apt-get is you are sorta limited to whatever versions they put in the repos, typically these versions are very behind the times.

From what I'm understanding, once you fix the issue you should completely wipe all keys, CAs etc... basically all cert files, and regenerate them all from scratch. VERY VERY important for VPN especially as with the proper compromised info one could just walk right into your internal network.

I also wonder how banks and other high importance SSL sites are handling this right now.

I think it's probably a good idea for everyone to change all their passwords. Wait like a month, and change them again. (in case they did not fix it and the new password ends up compromised)
 
Last edited:

SSSnail

Lifer
Nov 29, 2006
17,458
82
86
Good thing I have two-factor authentication set up on all my important online stuff.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Good thing I have two-factor authentication set up on all my important online stuff.

Wouldn't matter. If I have the cert/private key I can pretend to be the website and you would never know I'm not really www.yourbank.com. A perfect man in the middle capturing your stuff including your other factor.
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
Wouldn't matter. If I have the cert/private key I can pretend to be the website and you would never know I'm not really www.yourbank.com. A perfect man in the middle capturing your stuff including your other factor.

He has no clue, his sig goes to a dumb website for a long time that's commercial in nature.
 

SSSnail

Lifer
Nov 29, 2006
17,458
82
86
Wouldn't matter. If I have the cert/private key I can pretend to be the website and you would never know I'm not really www.yourbank.com. A perfect man in the middle capturing your stuff including your other factor.
Yeah, because there are people staying awake waiting to do that to me. It would have to be a very elaborate and instantaneous attack, while I'm in the session before it's destroyed, and before time runs out all of which usually happens in a few minutes.

I'm using both phone verification and token based pin, if they can get in, well then good for them.
 
Last edited:

Red Squirrel

No Lifer
May 24, 2003
68,481
12,622
126
www.anyf.ca
Wouldn't matter. If I have the cert/private key I can pretend to be the website and you would never know I'm not really www.yourbank.com. A perfect man in the middle capturing your stuff including your other factor.

Yeah and with the encryption broken the second factor (probably a password) is basically clear text anyway.

Though technically for a full exploitation you would need a man in the middle attack so actually sniff data.

But the biggest threat already has all this data: The government.

All internet traffic that is encrypted is run through huge NSA clusters to run decryption processes then thrown in with the rest of the unencrypted data base but this probably takes a while and based on internet traffic patterns there may even be too much data to process and they may have to drop some (just guessing here, maybe I'm underestimating their capabilities). With this exploit they can pretty much speed through all the pending data and decrypt everything now.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
The problem is until the site fixes OpenSSL and recerts everything they're still vulnerable from previously captured information/passwords/man in the middle.

You have to assume your keys have been compromised.

My bank is vulnerable, I've disabled online banking. They haven't re-issued the cert nor revoked and it's a largish national bank. This is VERY serious. The trust is broken.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Yeah, because there are people staying awake waiting to do that to me. It would have to be a very elaborate and instantaneous attack, while I'm in the session before it's destroyed, and before time runs out all of which usually happens in a few minutes.

I'm using both phone verification and token based pin, if they can get in, well then good for them.

The token as 2nd factor would work.

The phone is likely client side cert which would be broken.

-edit-
You would still be vulnerable to a MITM attack.
 
Last edited:

SSSnail

Lifer
Nov 29, 2006
17,458
82
86
The token as 2nd factor would work.

The phone is likely client side cert which would be broken.

-edit-
You would still be vulnerable to a MITM attack.
Yup, the ONLY way that they can get in is by doing MITM, which is right after I authenticate through my phone (which the authentication info is sent to my phone), and then input my random token PIN. I'm not losing sleep over this, TBH.
 

Red Squirrel

No Lifer
May 24, 2003
68,481
12,622
126
www.anyf.ca
The instant your traffic is going through the US, you are automatically in a MITM attack. The government/NSA sniffs and collects all traffic. (Carnivore, etc)
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
The instant your traffic is going through the US, you are automatically in a MITM attack. The government/NSA sniffs and collects all traffic. (Carnivore, etc)

I've long believed that the US government has the private keys to the big public root cert authorities or some other back door to PKI. Many foreign governments won't even allow import of certain encryption technology. Is it because they don't want it used in their country, or because they don't have a decryption method? I would think both.
 
Last edited:

IronWing

No Lifer
Jul 20, 2001
70,229
28,939
136
So for us schmucks the plan should be to simply not log in to any banking service or online store until each site we use indicates that it has fixed the issue and then go change our passwords?
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
The hardest part of changing your cert out is waiting for the CA to do the re-issue. It took around 4hrs before our SSL cert was re-issued and about 30s to install and reboot the servers.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
So for us schmucks the plan should be to simply not log in to any banking service or online store until each site we use indicates that it has fixed the issue and then go change our passwords?

Pretty much, there's no use in changing your passwords to a site that hasn't been fixed yet, especially if it's a large site.
 

Markbnj

Elite Member <br>Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
Well they had 2 years to try it out.

I believe that's when the commit took place. It's really unlikely anybody knew about it before the disclosure. Schneier painted a picture of the NSA working furiously to exploit it since yesterday, which is probably closer to the truth.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Pretty much, there's no use in changing your passwords to a site that hasn't been fixed yet, especially if it's a large site.

I'd wait until they reissue the certs as well. Just fixing OpenSSL isn't enough

Check the issuing date of any cert. assume it's compromised.
 

gorcorps

aka Brandon
Jul 18, 2004
30,739
452
126
Is this just a coincidence that this was discovered while many are in a mad rush to file very sensitive personal information while doing taxes? Seems like the perfect time to get a hold of a shit load of info. It says TurboTax is fixed though so that's good.

Chase, citi, discover and PayPal are all ones I checked and are fixed. Amazon still isn't.
 

dighn

Lifer
Aug 12, 2001
22,820
4
81
how do I as a user ensure that the certs have been re-issued? do I need to check the date, or is there some revocation process that happens automatically?