Viewing 40 posts - 41 through 80 (of 88 total)
  • Singletrack vulnerable to heartbleed
  • Cougar
    Full Member

    You’re behind square one. If you change your password on a compromised site you’re giving it fresh credentials; ie, you’re *more* at risk.

    Jamie
    Free Member

    Well, like an ass, I was assuming the site had not been compromised yet. But you’re correct, if the site has already had it’s pants pulled down, and not been patched then…

    H1ghland3r
    Free Member

    This is where I am starting to see some resistance. I got intouch with my hosting provider asking if they were patched and whether they are recertifying and got quite a snitty response saying that updates were done on a daily basis, the OpenSSL vulnerablilty had been patched and that revoking the SSL certificate was not necessary.!

    This is where this could be a long running issue, any servers that do not recertify are essentially still open if their private key has been compromised. If that’s the case then the patch is useless and their systems are wide open. As I understand it even where the certificate expires and is renewed the problem may still exist. The certificate has to be revoked to close the hole..

    Fresh Goods Friday 696: The Middling Edition

    Fresh Goods Friday 696: The Middlin...
    Latest Singletrack Videos
    phinbob
    Full Member

    It’s not all sites out there mind, even those runing Apache/Nginx plenty are sat behind hardware load balancers (especially big, high throuput sites), which often use dedicated hardware, which usually isn’t vulnerable.

    H1ghland3r
    Free Member

    Could you elaborate.? I’m not sure exactly how a hardware load balancer would prevent this.?

    bearnecessities
    Full Member

    Paypal gift suddenly gallops from the back of the field as the most secure payment option.

    IanMunro
    Free Member

    I’m trying (and failing) to get a handle on the difference between potential leaks of data and guaranteed leaks of data.
    The stories talk about being able to download private keys along with usernames and passwords.
    As I understand, through a flaw you can download 64K chunks of data from the application.
    What I can’t seem to find out is –
    Are these addressable chunks, random chunks, or do they all have the same memory offset?
    Presumably the data memory downloadable is compiler dependent? (though I guess gcc does mem allocation in a fairly standard manner) So do all compilers / os / hardware platforms have the same vulnerable data in the same 64K segment?
    Or am I misunderstanding something?

    H1ghland3r
    Free Member

    Just typed out a huge explanatory post and realised that I was likely just going to make things more confusing..

    Look here for a decent technical explanation..

    http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

    H1ghland3r
    Free Member

    The upshot of it is, because of the nature of the bug, there is no way to know if or what has been stolen. Therefore you have to assume that EVERYTHING was stolen. Hence the calls for blanket revoking of SSL/TLS certificates and blanket changing of all passwords.

    As the man said.. ‘Nuke it from orbit, it’s the only way to be sure!!’

    Cougar
    Full Member

    Assuming the author can be trusted, the tweet on that explanation page is interesting.

    @neelmehta

    Heap allocation patterns make private key exposure unlikely for #heartbleed #dontpanic.

    Though,

    Neel Mehta has validated some of my concerns, but there are many reports of secret key discovery out there.

    H1ghland3r
    Free Member

    It is unlikely in most circumstances.
    You have to remember though that by running a relatively simple script someone could have been monitoring the contents of that memory basically constantly for the last 2 years.!! It’s not inconceivable to assume that the data collected in that time can be reconstructed to form critical data.

    The key here and the one that I hope sites are going to take to heart is that there is no way to know what might have been taken. However unlikely, they are going to have to assume that the keys to the kingdom have been copied and respond accordingly.

    footflaps
    Full Member

    Probably find the whole thing was a bug added by the NSA and they’ve been leaching data for years……

    H1ghland3r
    Free Member

    Interesting you should say that. OpenSSL is open source software and one of the key advantages of such is supposed to be that things like this don’t happen due to the peer review like process that the code goes through. Given what everyone has been assuming about open source software for many years there has to be some serious questions asked about how it is written and maintained in mission critical situations. I can only imagine what kind of gleeful meetings they are having at Microsoft today. Their server infrastructure business might just have gotten a massive boost.

    footflaps
    Full Member

    Nothing to stop the NSA anonymously checking in code to OS projects. They pretty much ran one of the encryption standards bodies and rigged one of the random number gens.

    IanMunro
    Free Member

    Look here for a decent technical explanation..

    http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

    Thanks!

    H1ghland3r
    Free Member

    Nothing at all.. but in theory they should be prevented from checking in malicious code as it would be spotted by other coders who look at it and figure out what they were up to.. Clearly something that isn’t working as well as it should in this case.

    Oh and you are very welcome Ian. 🙂

    CaptainSlow
    Full Member

    My understanding is patching and new cents are required. I don’t see how sticking an LB in front helps. Sure the LB depending on OpenSSL version itself may not be vulnerable but what’s behind it is.
    Happy to be corrected by someone more geeky 🙂

    Don’t see the point in changing passwords until it’s verified all aspects of the vulnerability are removed.

    H1ghland3r
    Free Member

    In actual fact, changin passwords before the site is patched and certificate re-issued could actually make you MORE vulnerable. If the site is being monitored this way then you logging in to change your password makes you more likely to be caught than by simply staying away until it’s fixed.. Basically everyone needs to unplug and go for a ride for a day or two until this is fixed..

    CaptainSlow
    Full Member

    +1 and the most sense I’ve heard all day

    Tom
    Free Member

    if the issue date is before 7/4/2014 then the site cannot be considered safe

    My understanding is that certificates are often reissued with the original issue date.

    H1ghland3r
    Free Member

    My understanding is that this is possible but is not the default way it works.
    Yahoo for example has had a new certificate issued that started yesterday. I’m not up to speed with the way certificates are issued but I believe it may need to be issued as a new certificate because the private key needs to be regenerated, a standard re-issue of a cert would not regenerate this key. Seeing as the key is what’s been stolen potentially, getting a new cert issued without a new key is totally pointless.

    Please note I could be wrong on that point. However getting keys re-issued with the original start date is hardly going to help rebuild shattered confidence. I’d have thought affected sites would be trumpeting about their shiny new, secure certificate.

    dh
    Free Member

    captainslow – depending on the load balancer config, that will normally terminate the ssl connection first then start the connection to the next destination, using its implementation of ssl (perhaps it is openssl or not), sometimes offloading the calculations to dedicated hardware cards.

    e.g. my citrix load balancers run openssl, but dont run the affected versions (slightly older) so its all a-ok for me.

    Where are all the open-source zealots today? 😯

    oh if you have cisco read this: cisco

    vsphere this

    Its just a ploy for us to take our eyes of the XP systems that will be getting pwoned today of course.

    H1ghland3r
    Free Member

    😆

    If you believe the speculation, pwoned is an understatement. The theory is that the hacker groups have been saving up all the undocumented exploits, security holes and bugs in XP until today. Now that Microsoft has washed their hands of it, it’s open season.!!

    dh
    Free Member

    yup – theory. where are they all then?

    Jamie
    Free Member

    The first of many I assume.

    CaptainSlow
    Full Member

    Thx dh

    dh
    Free Member

    well if you use strava you certainly might be asking questions…

    too busy with KOMs strava admin team?

    boxelder
    Full Member

    I feel old………

    H1ghland3r
    Free Member

    Here’s another one.. glad to see that at least some sites are attacking this headon..

    Wunderlist

    H1ghland3r
    Free Member

    Not sure if this makes it better or worse but it looks like there is some evidence that the bug has been exploited for at least several months… Better, because it looks like it may be possible to identify an attack (assuming you were logging to the right level), much much worse because it means that it was a known exploit in the community and has been used in anger.!!

    Heartbleed may have been exploited

    phinbob
    Full Member

    @Highlander -sorry been busy.

    Most times if you’re using a hardware (or ‘clever’ software) load balancer, you’re going to terminate SSL on that device. While some lower end devices might use OpenSSL, the bigger payers will have something like a Cavium Nitrox SSL processing chip, which won’t be vulnerable to this attack (but might be to others, of course). Better software load balancers might have a different proprietary stack also.

    Often,the range of ciphers supported by hardware is smaller than OpenSSl so it’s possible if the device is configured away from the default that it might fall back to OpenSSL, which could be a vulnerable version.

    However, I’d say that in general sites which are using high end Application Delivery Controllers (posh load balancers) are less likely to be vulnerable to this and other TLS based attacks.

    Sandwich
    Full Member

    It would appear that both ebay and PayPal still have old certificates in place.

    On a work related note I’m in for some headaches today.

    Tom
    Free Member

    There is some useful information about certificate issue dates here:
    https://news.ycombinator.com/item?id=7563095

    Our Digicert cert has been revoked, rekeyed, and reissued, retaining the original date. There are some other high profile sites who were previously vulnerable, and must surely have revoked and rekeyed, but have retained old issue dates. Lastpass.eu and stackoverflow for example.

    torsoinalake
    Free Member

    I’m looking forward to work today. There’s going to be more dancing around the issue than a Michael Flately production.

    wwaswas
    Full Member

    One thing to bear in mind that this is going to give the people who email you fake ‘reset your password and give us your bank details’ emails a field day. Everyone will believe they are genuine.

    If you’re going to reset your password as a result of an email notification type the url into a browser, don’t follow a link.

    CaptainSlow
    Full Member

    Easy way to test whether sites of interest are potentially at risk

    https://www.ssllabs.com/ssltest/

    rj2dj
    Free Member

    If you’re like me and have a passing interest into the background of this, but struggle to understand all the connected elements, I thought this was quite a good “plain-English” explanation of what has happened:

    http://www.newyorker.com/online/blogs/elements/2014/04/the-internets-telltale-heartbleed.html

    dangerousbeans
    Free Member

    I am still getting a security warning when logging into STW –

    Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

    Are you sure you want to continue sending this information?

    Never used to get this until the past week or so. Not computer savvy really. Is this related to the current problem or something else?

    nedrapier
    Full Member

    Thanks, rj2dj, good article.

    torsoinalake
    Free Member

    As expected. Apparently our VPN having the vulnerability is ‘not a big deal’.

    🙄

Viewing 40 posts - 41 through 80 (of 88 total)

The topic ‘Singletrack vulnerable to heartbleed’ is closed to new replies.