Heartbleed Bug: Serious Hole in Internet Security

Page 3

zanejohnson

Diamond Member
Nov 29, 2002
7,054
17
81
I want you guys to think very hard about this for a while, about how the exploit works, the level of the infrastructure it works at... now scale that down or up... down to the microprocessors made overseas by countries who understand that the real race... is the race to create the backdoor, the trojan horse, real... mutual assured destruction.

Now think about how far up that can scale as well, as in missile technology... now think about the banking system and how it's come to light recently about the latency haXx and such involved in the stock markets, and how certain entities invest beaucoup money in real estate as close to the stock exchange servers as possible...

Now... think about cryptocoin, and how that can render that... well... inert.


There's a lot going on, a whole, whole lot... watch everything.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
> How do I as a user ensure that the certs have been re-issued? Do I need to check the date, or is there some revocation process that happens automatically?

Assume your SSL session is not secure. That the conversation is clear text.

Revocation is not clean nor easy to do.

Check the date on the cert and call the operator.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
> spidey07 said:
>
> Assume your SSL session is not secure. That the conversation is clear text.
>
> Revocation is not clean nor easy to do.
>
> Check the date on the cert and call the operator.

The dates don't matter. If you go to your CA and ask for a reissue with a new CSR, they are not obligated to extend your cert's expiration date or to change the issuing date to be the new/current date.

If you see a cert that was issued AFTER you know the server using the cert has been patched, then you know you are good; otherwise, you gotta ask the service provider.
 

Lean L

Diamond Member
Apr 30, 2009
3,685
0
0
> Crusty said:
>
> The dates don't matter. If you go to your CA and ask for a reissue with a new CSR, they are not obligated to extend your cert's expiration date or to change the issuing date to be the new/current date.
>
> If you see a cert that was issued AFTER you know the server using the cert has been patched, then you know you are good; otherwise, you gotta ask the service provider.

What a pain... They should just start an initiative to revoke all certs immediately.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
> Crusty said:
>
> The dates don't matter. If you go to your CA and ask for a reissue with a new CSR, they are not obligated to extend your cert's expiration date or to change the issuing date to be the new/current date.
>
> If you see a cert that was issued AFTER you know the server using the cert has been patched, then you know you are good; otherwise, you gotta ask the service provider.

Exactly. The cert must be issued after the fix.
 

tfinch2

Lifer
Feb 3, 2004
22,114
1
0
I haven't looked at the code or RFC so there may be a good reason, but why on Earth would heartbeat need to send up to 64k worth of data?
 

halik

Lifer
Oct 10, 2000
25,696
1
81
> This is a REALLY big deal. An attacker can get the root cert's private key, rendering SSL and any cert-based encryption worthless. I won't be doing any online banking for a while.
>
> If they get the private key, not only can they decrypt your stuff, they can issue bogus certs that your browser would see as valid and trust.

Apparently it cannot. OpenSSL has its own version of malloc in a segregated memory space and doesn't keep the private key there.

http://blog.erratasec.com/2014/04/w...y.html?showComment=1397079735462#.U0ak6K1dVhs

EDIT: JK, apparently this guy isn't right about the freeing part. It is unlikely you'll actually get the private key back:
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
 

IronWing

No Lifer
Jul 20, 2001
72,989
34,195
136
Any sites have a list of sites for the bigger banks/retailers/etc that have been fixed?
 

Lean L

Diamond Member
Apr 30, 2009
3,685
0
0
I don't even see a parallel.

The chain goes like this.

Corporation buys Red Hat, that has Apache as a default package, that uses OpenSSL, that uses C, a whole bunch of other libraries, etc... not to mention all the RFCs that govern TCP/IP, the IEEE rules that govern how devices communicate...

You want companies to pay royalties all the way down the chain? It's an unlimited loop, and you'd end up with no money at all.

If you wanted to argue relying on open source in large scale production... that might be worth talking about.
 

Virgorising

Diamond Member
Apr 9, 2013
4,470
0
0
> Lean L said:
>
> I don't even see a parallel.
>
> The chain goes like this.
>
> Corporation buys Red Hat, that has Apache as a default package, that uses OpenSSL, that uses C, a whole bunch of other libraries, etc... not to mention all the RFCs that govern TCP/IP, the IEEE rules that govern how devices communicate...
>
> You want companies to pay royalties all the way down the chain? It's an unlimited loop, and you'd end up with no money at all.
>
> If you wanted to argue relying on open source in large scale production... that might be worth talking about.

Most of the programmers who work on OpenSSL have other jobs during the day and maintain the software in their spare time. The programmers don’t have time to check every line of code for flaws and can’t afford to pay someone else to do it. A formal audit of software code can cost at least $100,000 and often costs much more, according to Laurie.
“We simply don’t have the funding for that,” Marquess said. “The funding we have is to support food and rent for people doing the most work on OpenSSL.”
He added that the foundation’s funding pales in comparison to other open-source projects. “The irony here is everyone uses it and no one supports it financially," he said.
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
I can't believe DailyTech hasn't even mentioned this yet.

> This is a REALLY big deal. An attacker can get the root cert's private key, rendering SSL and any cert-based encryption worthless. I won't be doing any online banking for a while.
>
> If they get the private key, not only can they decrypt your stuff, they can issue bogus certs that your browser would see as valid and trust.
Luckily, virtually no government or financial institutions used OpenSSL, but almost everyone else did. Unlike the iOS vulnerability earlier this year, every app, every service, and every OS using OpenSSL remains vulnerable until every one of those are patched.
 

Lean L

Diamond Member
Apr 30, 2009
3,685
0
0
> Virgorising said:
>
> Most of the programmers who work on OpenSSL have other jobs during the day and maintain the software in their spare time. The programmers don’t have time to check every line of code for flaws and can’t afford to pay someone else to do it. A formal audit of software code can cost at least $100,000 and often costs much more, according to Laurie.
> “We simply don’t have the funding for that,” Marquess said. “The funding we have is to support food and rent for people doing the most work on OpenSSL.”
> He added that the foundation’s funding pales in comparison to other open-source projects. “The irony here is everyone uses it and no one supports it financially," he said.

So who do you propose support them? Customers separated by three levels?
 

OutHouse

Lifer
Jun 5, 2000
36,410
616
126
I am a Network Engineer. So yeah I sort of do.

 

Brian Stirling

Diamond Member
Feb 7, 2010
3,964
2
0
> As dramatic as the possibility is, the reality is that the bug is rather mundane, and they already know exactly where it came from and what programmer introduced it. A UK-based developer was adding a feature and decided to roll his own memory dealloc rather than handing the block back to free. The library routine had code in place that would have segfaulted on his error, but his own code did not.
>
> The bug is very serious, category 11 as Schneier put it, because everyone has to assume everything was taken. The reality is probably that very little was taken. Hunting for keys by grabbing random 64k blocks isn't all that efficient, given that there may be more than a half-million or so such blocks available in a typical server (rough estimate).
>
> Still, doesn't matter much. We all have to respond as if every try was successful.

Yeah, perhaps. The thing is, when the NSA has their hands on important net security code AND their mission is spying, I don't think it's much of a stretch to suspect nefarious intentions when they help us with coding network security things. If we learned anything from Snowden, it is that the NSA, and other spy agencies, are doing EVERYTHING they can.

To be sure, there are others that through negligence or intent mess things up in a way that weakens security and privacy, and I'm not happy about that either. My point, though, is that when the NSA leaves exploits in code we all use for their purposes, it makes us vulnerable not only to their actions but to anyone that finds them.


Brian
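Added example, not OpenSSL's source and not code from any poster in this thread: a compact C model of the heartbeat handling that tfinch2 asks about above and that the quoted post describes. The two-byte payload length field is where "up to 64k" comes from (65535 is the largest value it can hold). The vulnerable handler trusts that field and echoes that many bytes out of memory, while the fixed handler first checks that the claimed payload, header and padding fit inside the record actually received, which is the shape of the check OpenSSL 1.0.1g added. The flat arena standing in for heap memory, the `-----BEGIN RSA PRIVATE KEY-----` marker string placed after the record, and every function name here are this example's own constructions.

```c
/*
 * Model of the TLS heartbeat handling that OpenSSL 1.0.1 through 1.0.1f got wrong.
 * Added illustration only: the arena, the marker string and every name here are this
 * example's own, not OpenSSL's source. Build: cc -std=c99 -Wall heartbeat_demo.c
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING     16      /* RFC 6520: at least 16 bytes of padding follow the payload */
#define HB_MAX_PAYLOAD 0xFFFF  /* the payload length field is two bytes: hence "up to 64k" */

/* A flat arena standing in for process memory. The incoming record sits at offset 0;
 * the bytes after it stand in for whatever else happened to be on the heap. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
/* Constructed marker for "something sensitive nearby"; it is not a real key. */
static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";

/* Response buffer sized for the largest length the 2-byte field can claim. */
static unsigned char response[1 + 2 + HB_MAX_PAYLOAD + HB_PADDING];

/* Lay out a heartbeat request whose length field claims `claimed` bytes while only
 * `real_len` payload bytes (plus padding) are actually on the wire. Returns the true
 * record length, the value the TLS record layer knows and the handler should check. */
size_t build_request(uint16_t claimed, const unsigned char *real, size_t real_len)
{
    size_t rec_len = 1 + 2 + real_len + HB_PADDING;
    if (rec_len + sizeof secret > ARENA_SIZE) return 0;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, real, real_len);
    memcpy(arena + rec_len, secret, sizeof secret);   /* "neighbouring heap" */
    return rec_len;
}

/* Shared by both handlers: echo `payload` bytes starting at src, then padding. */
static size_t build_response(const unsigned char *src, uint16_t payload)
{
    unsigned char *bp = response;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, src, payload);      /* copies exactly `payload` bytes from wherever src points */
    bp += payload;
    memset(bp, 0, HB_PADDING);     /* real padding is random; zeros keep the demo deterministic */
    return (size_t)(bp + HB_PADDING - response);
}

/* Vulnerable handler: the attacker-chosen length is trusted and the record's real
 * length is never consulted, so the echo walks past the record into neighbouring memory. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len)
{
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s() in OpenSSL */
    p += 2;
    (void)rec_len;                                       /* the bug: never compared */
    if (type != HB_REQUEST) return 0;
    /* demo-only guard so this program stays inside its own arena (rec is the arena);
     * a real server had nothing here and read arbitrary heap */
    if (3 + (size_t)payload > ARENA_SIZE) return 0;
    return build_response(p, payload);
}

/* Fixed handler, the shape of the check added in OpenSSL 1.0.1g: a record too short to
 * be a heartbeat, or one whose claimed payload plus header and padding does not fit in
 * the bytes actually received, is silently discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return 0;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;
    return build_response(p, payload);
}

/* Did the echoed response carry the marker that sat beyond the record? */
int leaks_secret(const unsigned char *buf, size_t len)
{
    size_t m = sizeof secret - 1;
    for (size_t i = 0; i + m <= len; i++)
        if (memcmp(buf + i, secret, m) == 0) return 1;
    return 0;
}

int main(void)
{
    const unsigned char real[] = "hello";                 /* 5 real payload bytes... */
    size_t rec_len = build_request(200, real, 5);         /* ...but the field claims 200 */
    size_t n = heartbeat_vulnerable(arena, rec_len);
    printf("vulnerable: %zu-byte response, marker leaked: %s\n",
           n, leaks_secret(response, n) ? "yes" : "no");
    n = heartbeat_fixed(arena, rec_len);
    printf("fixed: %zu-byte response (0 means the request was discarded)\n", n);
    return 0;
}
```

Run it and the vulnerable handler answers a 24-byte record with a 219-byte response (1 + 2 + 200 + 16) that contains the marker placed just past the record, while the fixed handler returns 0 and drops the request; the same two handlers agree once the claimed length matches the five bytes actually sent. The 200 here is arbitrary; the attack in the wild claimed the full 65535, and nothing in the vulnerable path cares what sits in the bytes it copies.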
 

Markbnj

Elite Member / Moderator Emeritus
Sep 16, 2005
15,682
14
81
www.markbetz.net
If we learned anything from Snowden it is that the NSA, and other spy agencies, are doing EVERYTHING they can.

Agreed, which is why I'm fairly sure Schneier's comment about the NSA furiously trying to exploit the bug since Monday morning was not tongue-in-cheek.