Re: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability

On 08/04/14 14:52, Martijn Grooten wrote:
> 
> Obviously, PFS is a particularly good idea, but isn't that only
> necessary against powerful adversaries? This vulnerability means that
> anyone can potentially steal any information stored in memory on your
> server running OpenSSL.

See later in thread. It means that even if the server's private key is
compromised, historic conversations remain encrypted, and similarly, if
one temporary key is compromised, not everything is bust.

See "man ssldump" for explanation of when it can't work well.

> I don't think the flaw has been widely known for long enough for attacks
> to have been automated. And there are many millions of vulnerable
> servers. So I think it's normal that a few honeypots haven't been
> compromised. And it might take a while. And perhaps they've only
> obtained the private keys and haven't done anything to them.

I suspect this has been known for a while, but lots of people have been
"playing" with it today.

>> http://filippo.io/Heartbleed/
> 
> This one gives false positives.

You sure? I had one I suspected as a false positive, but otherwise it
seems reliable.

>> One of my friends emailed earlier from the depths of his server room:
>> "Thank god I don't run Linux on any of my machines any more: I'm so glad
>> I switched them all to Windows XP today!"

Funny, but I think to describe it as a Linux problem underestimates the
reach of OpenSSL.

It seems it also runs on Windows, OpenVMS, and System i. Indeed, about the
only places it isn't widespread are mobile and client-side browsers
(which is a good job, since client code is also vulnerable).

I'm assuming folk running Apache on Windows are using OpenSSL, and they
probably don't have people feverishly pushing them new builds lovingly
packaged.

Oh, revoking your TLS keys and certs and reissuing is cool, but you did
check which browsers will honour that first? :(


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq