Righteous Wrath Online Community

General => Tech Chat => Topic started by: Lazybones on April 09, 2014, 02:34:54 PM

Title: heartbleed nothing like a major exploit to spoil your week.
Post by: Lazybones on April 09, 2014, 02:34:54 PM
http://heartbleed.com/

Has everyone checked their systems, patched OpenSSL and revoked and re-issued their certificates?

Fun times, unless you lucked out with load balancers and SSL systems using different libraries..
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Mr. Analog on April 09, 2014, 02:36:56 PM
It's an F'ing nightmare right now, all around
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Darren Dirt on April 09, 2014, 03:21:14 PM
Quote from: Lazybones on April 09, 2014, 02:34:54 PM
OpenSSL

meh. At least 10% of servers aren't even using that!
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Lazybones on April 09, 2014, 04:34:06 PM
Quote from: Darren Dirt on April 09, 2014, 03:21:14 PM
Quote from: Lazybones on April 09, 2014, 02:34:54 PM
OpenSSL

meh. At least 10% of servers aren't even using that!

OpenSSL is a library used by both Apache and NGINX
http://news.netcraft.com/archives/2014/01/03/january-2014-web-server-survey.html

Developer   December 2013   Percent   January 2014   Percent   Change
Apache      355,244,900     41.26%    358,669,012    41.64%     0.38
Microsoft   241,777,723     28.08%    253,438,493    29.42%     1.34
nginx       126,485,204     14.69%    124,052,996    14.40%    -0.29
Google       38,263,525      4.44%     21,280,639     2.47%    -1.97


That would be close to 55% of all webservers netcraft monitors.
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Lazybones on April 09, 2014, 04:59:33 PM
Quote from: Lazybones on April 09, 2014, 04:34:06 PM
Quote from: Darren Dirt on April 09, 2014, 03:21:14 PM
Quote from: Lazybones on April 09, 2014, 02:34:54 PM
OpenSSL

meh. At least 10% of servers aren't even using that!

OpenSSL is a library used by both Apache and NGINX
http://news.netcraft.com/archives/2014/01/03/january-2014-web-server-survey.html

Developer   December 2013   Percent   January 2014   Percent   Change
Apache      355,244,900     41.26%    358,669,012    41.64%     0.38
Microsoft   241,777,723     28.08%    253,438,493    29.42%     1.34
nginx       126,485,204     14.69%    124,052,996    14.40%    -0.29
Google       38,263,525      4.44%     21,280,639     2.47%    -1.97


That would be close to 55% of all webservers netcraft monitors.

A lot of systems with embedded webservers also use OpenSSL directly.
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Melbosa on April 09, 2014, 05:54:48 PM
And here I thought the big news this week was going to be the ultimate XP exploit.  This OpenSSL is all I've been seeing at NAIT and in the industry!
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Tom on April 09, 2014, 10:40:33 PM
Yeah, I updated openssh and apache where needed... but I haven't felt like revoking and reinstalling my certs. especially if they make me pay for it again.
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Lazybones on April 09, 2014, 10:47:50 PM
There is some debate as to whether the keys even could be released. The leak is for released memory, not active memory, so in theory only after a powered-on reboot or restart of services would a copy of the key be in the vulnerable memory space.


But for those of us doing business we can't take chances.
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Tom on April 09, 2014, 10:50:20 PM
Indeed, those that actually care a ton about their job and business, you have to be proactive about this.

Sadly too many businesses won't bother. It's like with the XP update.
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Lazybones on April 10, 2014, 02:35:27 PM
LastPass has released a completely inaccurate assessment tool to their users. I already avoided them, now I will be sure to boycott them..

http://blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html#comment-form
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Darren Dirt on April 10, 2014, 02:38:26 PM
Quote from: Lazybones on April 10, 2014, 02:35:27 PM
LastPass has released a completely inaccurate assessment tool to their users.

Please explain... #curious
Title: heartbleed nothing like a major exploit to spoil your week.
Post by: Lazybones on April 10, 2014, 02:44:38 PM
Quote from: Darren Dirt on April 10, 2014, 02:38:26 PM
Quote from: Lazybones on April 10, 2014, 02:35:27 PM
LastPass has released a completely inaccurate assessment tool to their users.

Please explain... #curious
This is what it returns to a user for my site (we fully patched and re-keyed yesterday).

Site: "yes, umm that is accurate"
Server software: Apache "yes"
Vulnerable: Likely (known use OpenSSL) "Um no, we patched before this tool went live, but other admins have reported back it doesn't check for vulnerability or version, no indication when if they checked"
SSL Certificate: Unsafe (created 2 months ago) "No we re-keyed and reissued all certs.. However this does not change the issued date, the cert, signature and version number do change when re-keyed/reissued"
Assessment: Wait for the site to update before changing your password "Very safe, all done yesterday and verified"

Several mad admins in the comments also have pointed out the re-keying issue, one even said they don't even use OpenSSL, which is true for IIS and many web-servers and load balancers.
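The complaint above is that the tool guesses from the server banner instead of checking what version of OpenSSL is actually in use. As an added example (not from the thread or from LastPass), here is what a version-aware check looks like: it parses the output of `openssl version`, classifies it against the affected upstream releases (1.0.1 through 1.0.1f, plus 1.0.2-beta1), and carries the caveat that a practitioner needs: distributions backport fixes without bumping the version string, so "1.0.1e" on a patched Debian, Ubuntu or RHEL host is fixed even though the banner looks vulnerable. The sample version lines and the `backported_fix` flag are constructed for the example.

```python
import re

# Constructed sample outputs of "openssl version" used to demonstrate the check.
SAMPLE_OUTPUTS = [
    "OpenSSL 1.0.1e 11 Feb 2013",      # vulnerable unless the distro backported the fix
    "OpenSSL 1.0.1g 7 Apr 2014",       # first upstream release with the fix
    "OpenSSL 1.0.0l 6 Jan 2014",       # 1.0.0 never had the heartbeat code
    "OpenSSL 0.9.8y 5 Feb 2013",       # likewise
    "OpenSSL 1.0.2-beta1 24 Feb 2014", # affected beta
]

# major.minor.patch, optional patch letter (1.0.1e), optional suffix (1.0.2-beta1)
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\w+))?")


def parse_version(output):
    """Return (major, minor, patch, letter, suffix) from an 'openssl version'
    line, or None when the line is not OpenSSL output (e.g. LibreSSL, IIS)."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, letter, suffix = m.groups()
    return int(major), int(minor), int(patch), letter, suffix or ""


def classify(output):
    """Classify the upstream version string alone.

    Returns 'vulnerable', 'fixed', 'not_affected' or 'unknown'.
    Affected upstream releases: 1.0.1 .. 1.0.1f and 1.0.2-beta1.
    """
    v = parse_version(output)
    if v is None:
        return "unknown"
    major, minor, patch, letter, suffix = v
    if (major, minor, patch) == (1, 0, 1):
        # "" (plain 1.0.1) through "f" are affected; "g" and later carry the fix
        return "vulnerable" if letter < "g" else "fixed"
    if (major, minor, patch) == (1, 0, 2) and suffix == "beta1":
        return "vulnerable"
    if (major, minor, patch) < (1, 0, 1):
        return "not_affected"
    return "fixed"


def assess_host(output, backported_fix=False):
    """Combine the version verdict with package-level evidence.

    backported_fix is a constructed flag standing in for "the distro package
    changelog records the Heartbleed fix"; the version banner alone cannot
    tell a patched 1.0.1e from an unpatched one.
    """
    verdict = classify(output)
    if verdict == "vulnerable" and backported_fix:
        return "fixed (backported)"
    if verdict == "unknown":
        return "unknown: not OpenSSL, check the actual TLS library in use"
    return verdict


if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        print(f"{line:35s} -> {assess_host(line)}")
    print("patched distro build      ->", assess_host(SAMPLE_OUTPUTS[0], backported_fix=True))
```

The verdict for a host is therefore the version classification plus the package evidence; a tool that stops at the server banner (Apache, nginx) cannot produce either.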
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Darren Dirt on April 10, 2014, 02:56:36 PM
False positives ftw?

Don't need a web-based tool to say "just to be safe, we should presume we are probably vulnerable" you can just agree to presume the worst without needing a tool to do it for you ;)
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Lazybones on April 10, 2014, 03:32:03 PM
Quote from: Darren Dirt on April 10, 2014, 02:56:36 PM
False positives ftw?

Don't need a web-based tool to say "just to be safe, we should presume we are probably vulnerable" you can just agree to presume the worst without needing a tool to do it for you ;)

LastPass users are also reporting that it is NOT flagging some sites that DID report being vulnerable. Thus it is both a false sense of security and a cause for unnecessary panic... So it generates a lot of smug user support tickets that is for sure.
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Melbosa on April 10, 2014, 04:20:03 PM
Love that I just finished upgrading our VMware environment to 5.5, 70 systems, with our own CA, and it's vulnerable... doh!  Once VMware releases a patch I'll have to revoke all those CA Certs and reissue new ones after the patch.  Too bad it requires a reboot for the chain to be fully utilized on the systems.  Oh well, maintenance mode for the win!
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Lazybones on April 10, 2014, 04:44:38 PM
Quote from: Melbosa on April 10, 2014, 04:20:03 PM
Love that I just finished upgrading our VMware environment to 5.5, 70 systems, with our own CA, and it's vulnerable... doh!  Once VMware releases a patch I'll have to revoke all those CA Certs and reissue new ones after the patch.  Too bad it requires a reboot for the chain to be fully utilized on the systems.  Oh well, maintenance mode for the win!

Oddly enough my upgrade to 5.5 was delayed while validating backup software issues... Now I hope they release a patch soon so I can finish things without rolling out a vulnerable system.
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Lazybones on April 11, 2014, 08:01:26 AM
Heartbleed explained http://xkcd.com/1354/
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Thorin on April 11, 2014, 09:45:34 AM
Quote from: Lazybones on April 11, 2014, 08:01:26 AM
Heartbleed explained http://xkcd.com/1354/

That's an excellent explanation.  Much better than what I heard them try to explain on 630 CHED yesterday.
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Darren Dirt on April 11, 2014, 10:17:14 AM
Excellent, and TERRIFYING.


Also thanks for the timesink reminder; it's been a few months for me.
Now I have lunch time plans: try all paths of http://xkcd.com/1350/
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Lazybones on April 11, 2014, 01:02:06 PM
Another one that is a little more verbose

http://www.vox.com/cards/heartbleed/how-does-the-heartbleed-attack-work
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Thorin on April 11, 2014, 01:28:45 PM
Such a simple oversight.

A reporter has found the person who created the bug and talked to them - apparently he wasn't an inner-circle developer so his code had to go through review before being submitted.  Neither he nor the reviewer caught it.

Or were both paid off by the NSA.
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Darren Dirt on April 11, 2014, 01:42:58 PM
Quote from: Thorin on April 11, 2014, 01:28:45 PM
A reporter has found the person who created the bug and talked to them - apparently he wasn't an inner-circle developer so his code had to go through review before being submitted.  Neither he nor the reviewer caught it.

Quote from: http://en.wikipedia.org/wiki/Heartbleed#Reaction
Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects, has criticized the OpenSSL developers for explicitly circumventing OpenBSD C standard library exploit countermeasures, saying "OpenSSL is not developed by a responsible team."

The author of the bug, Robin Seggelmann,[32] stated that he "missed validating a variable containing a length" and denied any intention to submit a flawed implementation.[33]

[32] http://www.smh.com.au/it-pro/security-it/who-is-robin-seggelmann-and-did-his-heartbleed-break-the-internet-20140411-zqtjj.html

[33] http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html
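Seggelmann's "missed validating a variable containing a length" is the whole bug, and the defensive lesson is worth seeing in code. The following is an added illustration, not OpenSSL's source and not from anyone in the thread: a heartbeat handler modelled on the RFC 6520 record layout (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding). The original handler trusted the declared payload length and copied that many bytes out of the heap; the fixed handler first checks that header + declared length + padding actually fits inside the bytes received, and drops the record otherwise. The two sample records are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record body (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big-endian
 *   payload_length bytes of payload
 *   at least 16 bytes of padding
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Returns the declared payload length when the record is well-formed, or -1
 * when the declared length does not fit inside the bytes actually received.
 * This bounds check is exactly what the original handler lacked. */
int heartbeat_validate(const unsigned char *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN)
        return -1;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* What the record claims to contain versus what arrived on the wire.
     * payload_len is at most 65535, so this sum cannot overflow size_t. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;

    return (int)payload_len;
}

/* Builds the response for a validated request into out (capacity out_cap).
 * Returns the number of bytes written, or -1 when the request is rejected;
 * a rejected request is silently dropped rather than answered. */
int heartbeat_respond(const unsigned char *req, size_t req_len,
                      unsigned char *out, size_t out_cap)
{
    int payload_len = heartbeat_validate(req, req_len);
    if (payload_len < 0)
        return -1;

    size_t need = HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING;
    if (need > out_cap)
        return -1;

    out[0] = 2;            /* heartbeat_response */
    out[1] = req[1];
    out[2] = req[2];
    /* Copy only bytes the peer actually sent: the copy length has already been
     * checked against req_len, so it can never run past the received record. */
    memcpy(out + HB_HEADER_LEN, req + HB_HEADER_LEN, (size_t)payload_len);
    /* Padding is zeroed here for the example; real implementations use random bytes. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)need;
}

/* Constructed sample records. good_req declares 3 payload bytes and carries
 * them; bad_req declares 65535 payload bytes but carries only 3. */
static const unsigned char good_req[] = {
    0x01, 0x00, 0x03, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes padding */
};
static const unsigned char bad_req[] = {
    0x01, 0xff, 0xff, 'a', 'b', 'c',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    unsigned char out[64];
    printf("well-formed request -> %d bytes written\n",
           heartbeat_respond(good_req, sizeof good_req, out, sizeof out));
    printf("oversized length    -> %d (dropped)\n",
           heartbeat_respond(bad_req, sizeof bad_req, out, sizeof out));
    return 0;
}
```

The only difference between "patched" and "unpatched" is the single comparison in heartbeat_validate; without it, the memcpy length comes from the peer and the 64 KB that follows the record in memory is whatever the process last freed, which is why the thread's question about whether private keys can end up there matters.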
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Tom on April 12, 2014, 06:20:12 AM
Quote from: Lazybones on April 09, 2014, 10:47:50 PM
There is some debate as to if the keys even could be released. The leak is for released memory not active memory so in theory only after a powered on reboot or restart of services would a copy of the key be in the vulnerable memory space.
Quote from: Tom on April 09, 2014, 10:40:33 PM
Yeah, I updated openssh and apache where needed... but I haven't felt like revoking and reinstalling my certs. especially if they make me pay for it again.
Turns out it is fully possible to get at the private key with enough requests. So yeah, it'd be a good idea to patch and reissue+revoke asap.

I just reissued+revoked the ssl cert on my mail server. Thankfully it was pretty easy. whether or not it matters that I'm using the same cert for postfix, dovecot, and apache (for roundcube) is another story.
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Lazybones on April 12, 2014, 10:59:03 AM
All of our production stuff was patched, rekeyed and revoked right away.

Interestingly the revoke is not automatic for some CAs.
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Darren Dirt on April 16, 2014, 09:40:47 AM
A few days have passed, but supposedly "about to get worse" -- truth? or fear-mongering?
http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/14/heartbleed-is-about-to-get-worse-and-it-will-slow-the-internet-to-a-crawl/
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Lazybones on April 16, 2014, 09:49:02 AM
Quote from: Darren Dirt on April 16, 2014, 09:40:47 AM
A few days have passed, but supposedly "about to get worse" -- truth? or fear-mongering?
http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/14/heartbleed-is-about-to-get-worse-and-it-will-slow-the-internet-to-a-crawl/

http://news.netcraft.com/archives/2014/04/15/revoke-the-time-is-nigh.html

It seems that the majority of major sites have been doing the full process of patching, revoking and re-key/re-issue... For the internet as a whole it might not be too bad but there are some issues.

Some mobile browsers do not check revoke lists.
https://www.grc.com/revocation.htm

There are many mobile / Android devices vulnerable and likely never to be patched.
http://www.pcmag.com/article2/0,2817,2456507,00.asp


There are A LOT of internal systems that use SSL these days. I know of phone systems, SAN systems and virtual systems that are not yet patched. They are not directly internet accessible but present a risk.
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Thorin on April 16, 2014, 10:35:16 AM
You know, I hadn't realized, but the bug was introduced at 11:50pm on Dec 31, 2011.  Seriously?  Someone thought they should push through a code change ten minutes before New Year's??
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Darren Dirt on April 16, 2014, 01:26:13 PM
Quote from: Thorin on April 16, 2014, 10:35:16 AM
You know, I hadn't realized, but the bug was introduced at 11:50pm on Dec 31, 2011.  Seriously?  Someone thought they should push through a code change ten minutes before New Year's??

Coders don't go to social parties. It was a low-impact risk ;)

[ insert HHGG scene* about intelligent geeks "they don't get invited to those kind of parties..." (http://www.urbandictionary.com/define.php?term=Infinite%20Improbability%20Drive) ]
* http://www.youtube.com/watch?v=nCf53ses22w
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Tom on April 16, 2014, 01:49:29 PM
A lot of open source work happens during the Christmas/New Year's holidays.
Title: Re: heartbleed nothing like a major exploit to spoil your week.
Post by: Darren Dirt on April 16, 2014, 01:55:20 PM
Apparently a prodigiously smart 19-year-old comp-sci "loner" was behind the CRA Heartbleed hacks?
http://www.torontosun.com/2014/04/16/charges-laid-in-heartbleed-hack-of-cra-site

Yeah sure. A lone gunman. whatevs.