Xann Posted April 12, 2014 (edited)
A software bug that has gone unnoticed for two years has exposed sensitive data in as many as two out of every three web servers, say researchers. Clicky
Edited April 12, 2014 by Xann
limpid (Administrator) Posted April 12, 2014
It doesn't affect any sites I look after. More luck than judgement though.
Tegis (VT Supporter) Posted April 12, 2014
> It doesn't affect any sites I look after. More luck than judgement though.
I had one ownCloud server affected. Not good.
limpid (Administrator) Posted April 12, 2014
Have Microsoft patched it yet? Hopefully there are no web sites still running on XP.
Tegis (VT Supporter) Posted April 12, 2014
> Have Microsoft patched it yet? Hopefully there are no web sites still running on XP.
Their implementation isn't affected. That said, running the Server 2003/XP version of IIS is not exactly secure, to put it mildly.
islingtonclaret Posted April 12, 2014
I don't get why Microsoft would patch it? I assumed OpenSSL was entirely open source... so it is 'patched' in that Microsoft take the fixed build of OpenSSL directly off them and re-release the module for IIS? Assuming it is "a module"; I'm an Apache man, and to be honest haven't needed to use OpenSSL for anything I've authored... yet!
vandaq Posted April 12, 2014
The sites need to patch it themselves.
Tegis (VT Supporter) Posted April 12, 2014
> I don't get why Microsoft would patch it? I assumed OpenSSL was entirely open source... so it is 'patched' in that Microsoft take the fixed build of OpenSSL directly off them and re-release the module for IIS? Assuming it is "a module"; I'm an Apache man, and to be honest haven't needed to use OpenSSL for anything I've authored... yet!
Microsoft don't use OpenSSL. They have their own TLS implementation they call SChannel. Same shit, different name, but not open source, so one has to rely on Microsoft to patch it. Heartbleed does not affect SChannel.
islingtonclaret Posted April 12, 2014
Thanks for the heads up!
limpid (Administrator) Posted April 12, 2014
> Microsoft don't use OpenSSL. They have their own TLS implementation they call SChannel. Same shit, different name, but not open source, so one has to rely on Microsoft to patch it. Heartbleed does not affect SChannel.
I'm sure at least two of the reports I read said that some MS stuff was affected. Perhaps they were speculating. It's unlikely MS would have written their own TLS code, but it's probably forked from something BSD-like rather than OpenSSL due to the licensing.
Tegis (VT Supporter) Posted April 12, 2014
I've read about sites, I think it was Stack Overflow, using nginx as a frontend to IIS, thus affecting them. As for where SChannel came from, I haven't got a scooby.
leviramsey (VT Supporter) Posted April 13, 2014
> Microsoft don't use OpenSSL. They have their own TLS implementation they call SChannel. Same shit, different name, but not open source, so one has to rely on Microsoft to patch it. Heartbleed does not affect SChannel.
> I'm sure at least two of the reports I read said that some MS stuff was affected. Perhaps they were speculating. It's unlikely MS would have written their own TLS code, but it's probably forked from something BSD-like rather than OpenSSL due to the licensing.
OpenSSL is 4-clause BSD and Apache 1.0 licensed (so GPL-incompatible, but permissive open source).
> Have Microsoft patched it yet? Hopefully there are no web sites still running on XP.
I doubt MS would have backported c.2011 feature upgrades to XP.
leviramsey (VT Supporter) Posted April 13, 2014
Check if your browser properly handles revoked SSL certificates
Basically: sites using OpenSSL should be revoking their old certificates now, and your browser should, when presented with a revoked certificate, either point-blank refuse to load the page or at minimum warn about a revoked certificate before proceeding. If your browser instead shows something like: then your browser will blithely let any hacker steal any personal information (passwords, bank account details, etc.), and you should probably stop using that browser for any site that uses SSL (regardless of whether the site was vulnerable to Heartbleed).
NB: Apparently *all* iOS browsers rely on an Apple TLS library which does not handle certificate revocation (so I would suspect that all iOS apps that authenticate, such as online banking or other account management apps, are compromisable).
leviramsey (VT Supporter) Posted April 13, 2014
On my CM10.2 phone, the only browser that passes is Opera Classic (don't have Chrome, but Opera Beta is Chrome-based).
Davkaus Posted April 13, 2014
> On my CM10.2 phone, the only browser that passes is Opera Classic (don't have Chrome, but Opera Beta is Chrome-based).
Did you try Firefox? It seems to behave correctly for me.
leviramsey (VT Supporter) Posted April 13, 2014
Don't have Firefox on mobile either, so if that passes, then add it to the list.
On desktop so far, I've tested Chrome and IE11 (Win7)... both pass.
darrenm Posted April 13, 2014
It deserves nowhere near the panic it's getting. Yes, it allows some SSL state stuff to be sniffed by others, but there's no evidence that anyone knew about it or used it before it was disclosed. This guy summed it up perfectly:

> Any half decent system on any service will have a flag against the account to force a password change on next login, so it's a piece of cake to turn that flag on across all users and send a mass email. However, whether you want to do that as a company is more a matter of PR than one of security.
>
> As an individual user, my recommendation would be: although too much caution never hurts, there is no need to go and change your passwords unless the service you're using has asked you to. Because:
>
> - We forget that not all systems use OpenSSL for HTTPS. Yes, a lot do, hence the big deal, but not all.
> - For your own account to be at risk, someone needs to have exploited the vulnerability before it was patched (records show it was potentially being exploited as far back as November), targeting the service in question over a period of time where you logged in, and got your cookies. You have to see it from the point of view of the attacker: once you've got a backdoor of that nature, and a golden time before it is known about and patched, which services are you going to target?
> - An attacker would have to get your password from an intercepted request or cookie. Secure cookies never contain plaintext passwords (it's not built in, but more of a baseline good practice in security architecture). Some advanced auth exchanges will also perform a one-off hash or encryption of the cookie in the request it is submitted in, which means that the attacker is left with something that they'll have to work on. They can still get the password, but how likely they are to do that depends on the amount of energy they're willing to invest and the strength of your password.
> - The one thing no one mentions but is more concerning is that Heartbleed potentially gives access to information that is confidential, but is not subject to the same level of security as passwords: typically, email addresses, postal addresses, date of birth, etc. And that, well, is difficult to change.
>
> So, you know... Feel free to be over-cautious and change your passwords everywhere... But from a techie's perspective, it would be nice if the muggles could stop wigging out thinking it's the end of the world without understanding the realities of it. If a company doesn't ask you to change your password, believe me, it's safe to say you probably don't need to. If they do, it's extremely likely they're doing it to reassure the very kind of people who feel the way you do about it, and not because there is an actual likelihood (or indeed has been a known breach; an attack exploiting HB will often leave a characteristic log trail) that your account has been compromised.
>
> Oh, and two-thirds of secure web services affected, but you think Teh H4xX0rs are going to be after your TV streaming account? Cute ;-)
>
> </Lecture> from your friendly neighborhood nerd.
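What darrenm's post calls "SSL state stuff being sniffed" and the quoted lecture's "characteristic log trail" both come down to one number: a heartbeat request whose claimed payload length is larger than the record that actually arrived. The following is an added example, written for this page and not code from the thread or from OpenSSL itself; it is a simplified model of the heartbeat handler, with the function names, the reused connection buffer layout and the `SECRET` string all being assumptions made here. The vulnerable handler copies as many bytes as the peer claims, so stale data sitting after the record in the same buffer comes back in the response; the hardened handler applies the length-versus-record check that the fix introduced, which is also the comparison a sensor would make when flagging such requests.

```c
/* Added example (not OpenSSL's code, not from this thread): a simplified
 * model of the TLS heartbeat handler behind Heartbleed (CVE-2014-0160).
 * Function names, buffer layout and SECRET are assumptions made here. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding required after the payload */

/* Heartbeat body on the wire: type(1) | payload_length(2, big-endian) |
 * payload | padding(>=16). rec_len is how many bytes actually arrived.
 * Vulnerable handler: trusts the claimed length and never consults rec_len,
 * so memcpy reads whatever follows the record in memory. Returns bytes
 * written to out, or -1. */
static int process_heartbeat_vulnerable(const uint8_t *buf, size_t rec_len,
                                        uint8_t *out, size_t out_cap)
{
    (void)rec_len;
    uint8_t type = buf[0];
    uint16_t payload = (uint16_t)((buf[1] << 8) | buf[2]);
    if (type != HB_REQUEST) return -1;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;          /* protects only the output side */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, buf + 3, payload);          /* over-read when payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Hardened handler: claimed payload plus header and padding must fit
 * inside the record that was actually received. */
static int process_heartbeat_fixed(const uint8_t *buf, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;                    /* too short, drop */
    uint8_t type = buf[0];
    uint16_t payload = (uint16_t)((buf[1] << 8) | buf[2]);
    if (type != HB_REQUEST) return -1;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return -1;  /* the fix */
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, buf + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

/* Constructed sample of stale data left after the record in a reused buffer. */
static const char SECRET[] = "Cookie: session=deadbeef";

static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Malicious request: one real payload byte, header claims 64. */
static size_t build_malicious(uint8_t *conn, size_t cap)
{
    memset(conn, 0, cap);
    size_t rec_len = 1 + 2 + 1 + HB_PADDING;
    conn[0] = HB_REQUEST;
    conn[1] = 0x00; conn[2] = 0x40;                    /* claimed length 64 */
    conn[3] = 'A';
    memcpy(conn + rec_len, SECRET, sizeof SECRET - 1); /* leftover from an earlier request */
    return rec_len;
}

/* 1 if the vulnerable handler's response carries SECRET back to the peer. */
int vulnerable_leaks_secret(void)
{
    uint8_t conn[4096], out[4096];
    size_t rec_len = build_malicious(conn, sizeof conn);
    int n = process_heartbeat_vulnerable(conn, rec_len, out, sizeof out);
    return n > 3 && contains(out + 3, (size_t)n - 3, SECRET);
}

/* 1 if the fixed handler drops the same request. */
int fixed_rejects_oversized_claim(void)
{
    uint8_t conn[4096], out[4096];
    size_t rec_len = build_malicious(conn, sizeof conn);
    return process_heartbeat_fixed(conn, rec_len, out, sizeof out) == -1;
}

/* Response length for an honest one-byte request through the fixed handler. */
int fixed_honest_response_len(void)
{
    uint8_t conn[64] = {HB_REQUEST, 0x00, 0x01, 'A'}, out[64];
    return process_heartbeat_fixed(conn, 1 + 2 + 1 + HB_PADDING, out, sizeof out);
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed rejects it:        %d\n", fixed_rejects_oversized_claim());
    printf("fixed honest resp len:   %d\n", fixed_honest_response_len());
    return 0;
}
```

The model keeps the record inside one larger array so the over-read stays within defined C behaviour and is reproducible; in a real process the bytes past the record are whatever the allocator last put there, which is why leaked material ranged from cookies to private key fragments. Note that the vulnerable version's only length check guards the output buffer, not the input, which is exactly the asymmetry the fix closes.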
leviramsey (VT Supporter) Posted April 13, 2014
Certificate theft is the bigger issue than session hijack.