heartbleed nothing like a major exploit to spoil your week.

[Lazybones]

Love that I just finished upgrading our VMware environment to 5.5, 70 systems, with our own CA, and its vulnerable... doh!  Once VMware releases a patch I'llh ave to revoke all those CA Certs and reissue new ones after the patch.  Too bad it requires a reboot for the chain to be fully utilized on the systems.  Oh well maintenance mode for the win!

Oddly enough my upgrade to 5.5 delayed while validating backup software issues... Now I hope they release a patch soon so I can finished things without rolling out a vulnerable system

[Lazybones]

Heardbleed explained http://xkcd.com/1354/

[Thorin]

Heardbleed explained http://xkcd.com/1354/

That's an excellent explanation.  Much better than what I heard them try to explain on 630 CHED yesterday.

[Darren Dirt]

Excellent, and TERRIFYING.


Also thanks for the timesink reminder; it's been a few months for me.
Now I have lunch time plans: try all paths of http://xkcd.com/1350/

[Lazybones]

Another one that is a little more verbose

http://www.vox.com/cards/heartbleed/how-does-the-heartbleed-attack-work

[Thorin]

Such a simple oversight.

A reporter has found the person who created the bug and talked to them - apparently he wasn't an inner-circle developer so his code had to go through review before being submitted.  Neither he nor the reviewer caught it.

Or were both paid off by the NSA.

[Darren Dirt]

A reporter has found the person who created the bug and talked to them - apparently he wasn't an inner-circle developer so his code had to go through review before being submitted.  Neither he nor the reviewer caught it.

Theo de Raadt, founder and leader of the OpenBSD and OpenSSH projects, has criticized the OpenSSL developers for explicitly circumventing OpenBSD C standard library exploit countermeasures, saying "OpenSSL is not developed by a responsible team."

The author of the bug, Robin Seggelmann,[32] stated that he "missed validating a variable containing a length" and denied any intention to submit a flawed implementation.[33]

[32] http://www.smh.com.au/it-pro/security-it/who-is-robin-seggelmann-and-did-his-heartbleed-break-the-internet-20140411-zqtjj.html

[33] http://www.smh.com.au/it-pro/security-it/man-who-introduced-serious-heartbleed-security-flaw-denies-he-inserted-it-deliberately-20140410-zqta1.html

[Tom]

There is some debate as to if the keys even could be released. The leak is for released memory not active memory so in theory only after a powered on reboot or restart of services would a copy of the key be in the vulnerable memory space.

Yeah, I updated openssh and apache where needed... but I haven't felt like revoking and reinstalling my certs. especially if they make me pay for it again.

Turns out it is fully possible to get at the private key with enough requests. So yeah, it'd be a good idea to patch and reissue+revoke asap.

I just reissued+revoked the ssl cert on my mail server. Thankfully it was pretty easy. whether or not it matters that I'm using the same cert for postfix, dovecot, and apache (for roundcube) is another story.

[Lazybones]

All of our production stuff was patched , rekeyed and revoked right away.

Interestingly the revoke is not automatic for some CAs.

[Darren Dirt]

A few days have passed, but supposedly "about to get worse" -- truth? or fear-mongering?
http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/14/heartbleed-is-about-to-get-worse-and-it-will-slow-the-internet-to-a-crawl/

[Lazybones]

A few days have passed, but supposedly "about to get worse" -- truth? or fear-mongering?
http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/14/heartbleed-is-about-to-get-worse-and-it-will-slow-the-internet-to-a-crawl/

http://news.netcraft.com/archives/2014/04/15/revoke-the-time-is-nigh.html

It seems that the majority of major sites have been doing the full process of patching, revoking and re-key/re-issue... For the internet as a whole it might not be too bad but there are some issues.

Some mobile browsers do not check revoke lists.
https://www.grc.com/revocation.htm

There are many mobile device  / Android devices vulnerable and likely never to be patched
http://www.pcmag.com/article2/0,2817,2456507,00.asp


There are A LOT of internal systems that use SSL these days. I know of Phone systems.,SAN systems and Virtual Systems that are not yet patched. They are not directly internet accessible but present a risk.

[Thorin]

You know, I hadn't realized, but the bug was introduced at 11:50pm on Dec 31, 2011.  Seriously?  Someone thought they should push through a code change ten minutes before New Year's??

[Darren Dirt]

You know, I hadn't realized, but the bug was introduced at 11:50pm on Dec 31, 2011.  Seriously?  Someone thought they should push through a code change ten minutes before New Year's??

Coders don't go to social parties. It was a low-impact risk

[ insert HHGG scene* about intelligent geeks "they don't get invited to those kind of parties..." ]
* http://www.youtube.com/watch?v=nCf53ses22w

[Tom]

A lot of open source work happens during christmas/newyears holidays.

[Darren Dirt]

Apparently a prodigiously smart 19-year-old comp-sci "loner" was behind the CRA Heartbleed hacks?
http://www.torontosun.com/2014/04/16/charges-laid-in-heartbleed-hack-of-cra-site

Yeah sure. A lone gunman. whatevs.