
Heartbleed - Internet Insecure For Past 2 Years


Xann


A software bug that has gone unnoticed for two years has exposed sensitive data in as many as two out of every three web servers, say researchers.

 


Edited by Xann
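The "software bug" in the OP is a missing length check in OpenSSL's handling of TLS heartbeat messages (CVE-2014-0160). The following is an added example, not code from the thread or from OpenSSL: it applies the same consistency check the fix introduced to raw TLS records, so a defender can flag heartbeats whose claimed payload length does not fit the bytes that actually arrived. The sample records and the `scan_records` helper are constructed for this example.

```python
"""Added example: the length check behind Heartbleed, applied to captured TLS records.

Heartbleed (CVE-2014-0160) was a missing bounds check in OpenSSL's handling of
TLS heartbeat messages (RFC 6520): the code trusted the 16-bit payload_length
field inside the message and echoed that many bytes back, even when the record
that arrived was much shorter, so the reply was filled from adjacent process
memory. The fix added the consistency check below; the same check lets a
defender flag malformed heartbeats in captured traffic. All sample records here
are constructed for the example.
"""
import struct

HEARTBEAT_CONTENT_TYPE = 0x18     # TLS record content type "heartbeat"
HB_REQUEST, HB_RESPONSE = 1, 2    # HeartbeatMessageType values
MIN_PADDING = 16                  # RFC 6520 requires at least 16 padding bytes


def parse_tls_record(data):
    """Split one TLS record into (content_type, version, fragment).

    Raises ValueError if the 5-byte header is missing or the record header's
    own length does not match the bytes that follow it.
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record header claims %d bytes, %d present"
                         % (length, len(fragment)))
    return content_type, version, fragment


def check_heartbeat(fragment):
    """Return 'ok' for a well-formed heartbeat fragment, else a 'malformed: ...' reason.

    The decisive test is the last one: type byte + 2-byte length field +
    claimed payload + minimum padding must fit inside the fragment that was
    actually received. Unpatched OpenSSL skipped exactly this test.
    """
    if len(fragment) < 1 + 2 + MIN_PADDING:
        return "malformed: fragment too short for a heartbeat"
    hb_type = fragment[0]
    (payload_length,) = struct.unpack("!H", fragment[1:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed: unknown heartbeat type %d" % hb_type
    if 1 + 2 + payload_length + MIN_PADDING > len(fragment):
        return ("malformed: claims %d payload bytes inside a %d-byte fragment"
                % (payload_length, len(fragment)))
    return "ok"


def classify_record(data):
    """Classify one raw TLS record: 'not-heartbeat', 'ok', or 'malformed: ...'."""
    content_type, _version, fragment = parse_tls_record(data)
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "not-heartbeat"
    return check_heartbeat(fragment)


def scan_records(records):
    """Return (index, verdict) for every record that is not well-formed, for logging."""
    findings = []
    for i, rec in enumerate(records):
        try:
            verdict = classify_record(rec)
        except ValueError as exc:
            verdict = "malformed: %s" % exc
        if verdict not in ("ok", "not-heartbeat"):
            findings.append((i, verdict))
    return findings


# Constructed samples (TLS 1.1 record version 0x0302).
# Well-formed request: type 1, payload_length 4, payload b"ping", 16 zero padding bytes.
BENIGN_RECORD = (b"\x18\x03\x02\x00\x17"
                 + b"\x01\x00\x04" + b"ping" + b"\x00" * MIN_PADDING)
# Inconsistent request: payload_length claims 0x4000 bytes, but only padding follows.
MALFORMED_RECORD = (b"\x18\x03\x02\x00\x13"
                    + b"\x01\x40\x00" + b"\x00" * MIN_PADDING)
# An application-data record (content type 0x17) that the scanner should ignore.
APPDATA_RECORD = b"\x17\x03\x02\x00\x03abc"

if __name__ == "__main__":
    for idx, verdict in scan_records([BENIGN_RECORD, APPDATA_RECORD, MALFORMED_RECORD]):
        print("record %d: %s" % (idx, verdict))
```

The check is deliberately the server-side one: a record that passes `parse_tls_record` but fails `check_heartbeat` is a heartbeat whose claimed payload could never have been carried by the bytes on the wire, which is the shape an unpatched server would have answered with memory contents and a patched one silently drops.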

Have Microsoft patched it yet? Hopefully there are no web sites still running on xp.

 

Their implementation isn't affected. That said, running the Server 2003/XP version of IIS is not exactly secure, to put it mildly :)


I don't get why Microsoft would patch it? I assumed OpenSSL was entirely open source... so it is 'patched' in that Microsoft take the fixed build of OpenSSL directly off them and rerelease the module for IIS? - assuming it is "a module", I'm an Apache man, and to be honest haven't needed to use OpenSSL for anything I've authored.

...yet!


> I don't get why Microsoft would patch it? I assumed OpenSSL was entirely open source... so it is 'patched' in that Microsoft take the fixed build of OpenSSL directly off them and rerelease the module for IIS? - assuming it is "a module", I'm an Apache man, and to be honest haven't needed to use OpenSSL for anything I've authored.
>
> ...yet!


Microsoft don't use OpenSSL. They have their own TLS implementation they call SChannel. Same shit, different name, but not open source so one has to rely on Microsoft to patch it. Heartbleed does not affect SChannel.


> Microsoft don't use OpenSSL. They have their own TLS implementation they call SChannel. Same shit, different name, but not open source so one has to rely on Microsoft to patch it. Heartbleed does not affect SChannel.

I'm sure at least two of the reports I read said that some MS stuff was affected. Perhaps they were speculating. It's unlikely MS would have written their own TLS code, but it's probably forked from something BSD-like rather than OpenSSL due to the licencing.


I've read about sites, I think it was Stack Overflow, using nginx as frontends to IIS, thus affecting them.

 

As for where Schannel came from, I haven't got a scooby :)


> Microsoft don't use OpenSSL. They have their own TLS implementation they call SChannel. Same shit, different name, but not open source so one has to rely on Microsoft to patch it. Heartbleed does not affect SChannel.

> I'm sure at least two of the reports I read said that some MS stuff was affected. Perhaps they were speculating. It's unlikely MS would have written their own TLS code, but it's probably forked from something BSD-like rather than OpenSSL due to the licencing.

OpenSSL is 4-clause BSD and Apache 1.0 licensed (so GPL-incompatible, but permissive open source).

> Have Microsoft patched it yet? Hopefully there are no web sites still running on xp.

I doubt MS would have backported c.2011 feature upgrades to XP.


Check if your browser properly handles revoked SSL certificates

Basically: sites using OpenSSL should be revoking their old certificates now and your browser should, when presented with a revoked certificate, either point blank refuse to load the page or at minimum warn about a revoked certificate before proceeding.

If your browser instead shows something like:

[screenshot omitted: Skitch.png]

then your browser will blithely let any hacker steal any personal information (passwords, bank account details, etc....), and you should probably stop using that browser for any site that uses SSL (regardless of whether the site was vulnerable to Heartbleed).

NB: Apparently *all* iOS browsers rely on an Apple TLS library which does not handle certificate revocation (so I would suspect that all iOS apps that authenticate, such as online banking or other account management apps, are compromisable)


On my CM10.2 phone, the only browser that passes is Opera Classic (don't have Chrome, but Opera Beta is Chrome-based).

 

 

Did you try Firefox? It seems to behave correctly for me.


It deserves nowhere near the panic it's getting. Yes it allows some SSL state stuff to be sniffed by others but there's no evidence that anyone knew about it or used it before it was disclosed. This guy summed it up perfectly:

 

Any half decent system on any service will have a flag against the account to force a password change on next login, so it's a piece of cake to turn that flag on across all users and send a mass email.

However, whether you want to do that as a company is more a matter of PR than one of security.

As an individual user, my recommendation would be, although too much caution never hurts, there is no need to go and change your passwords unless the service you're using has asked you to.

Because:

-We forget that not all systems use OpenSSL for HTTPS. Yes, a lot do, hence the big deal, but not all.

-For your own account to be at risk, someone needs to have exploited the vulnerability before it was patched (records show it was potentially being exploited as far back as November), targeting the service in question over a period of time where you logged in, and got your cookies. You have to see it from the point of view of the attacker - once you've got a backdoor of that nature, and a golden time before it is known about and patched, which services are you going to target?

-An attacker would have to get your password from an intercepted request or cookie. Secure cookies never contain plaintext passwords (it's not built in, but more of a baseline good practice in security architecture). Some advanced auth exchanges will also perform a one-off hash or encryption of the cookie in the request it is submitted, which means that the attacker is left with something that they'll have to work on. They can still get the password, but how likely they are to do that depends on the amount of energy they're willing to invest and the strength of your password.

- The one thing no one mentions but is more concerning is that Heartbleed potentially gives access to information that is confidential, but is not subject to the same level of security as passwords - typically, email addresses, postal addresses, date of birth, etc. And that, well, is difficult to change.

So, you know... Feel free to be over-cautious and change your passwords everywhere...

But from a techie's perspective, it would be nice if the muggles could stop wigging out thinking it's the end of the world without understanding the realities of it.

If a company doesn't ask you to change your password, believe me, it's safe to say you probably don't need to. If they do, it's extremely likely they're doing it to re-assure the very kind of people who feel the way you do about it, and not because there is an actual likelihood (or indeed has been a known breach - an attack exploiting HB will often leave a characteristic log trail) that your account has been compromised.

Oh, and two-thirds of secure web-services affected, but you think Teh H4xX0rs are going to be after your TV streaming account? Cute ;-)

</Lecture> from your friendly neighborhood nerd.
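Two of the points in the lecture above lend themselves to a concrete model: the "flag against the account to force a password change on next login" that can be flipped for all users in one sweep, and the observation that a sensible session cookie never carries the password, so a cookie captured while the bug was open only yields a session the server can revoke. The following is an added example written for this thread, not code from any poster or from a real service; it uses only the Python standard library, and the account names and passwords in it are constructed.

```python
"""Added example: sessions that never carry the password, plus a fleet-wide reset.

Models two points from the thread with the standard library only: a service can
set a 'must change password on next login' flag on every account in one sweep,
and a well-designed session cookie is an opaque, server-signed token rather than
the password, so a cookie captured while the bug was exploitable only buys a
session the server can revoke. Account names and passwords are constructed.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000


class SessionStore:
    """In-memory accounts and sessions; a real service would persist these."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # HMAC key for session cookies
        self._sessions = {}                   # session_id -> username
        self._accounts = {}                   # username -> dict(salt, hash, must_change)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        """Create (or re-credential) an account with a fresh salt and the flag cleared."""
        salt = secrets.token_bytes(16)
        self._accounts[username] = {
            "salt": salt, "hash": self._hash(password, salt), "must_change": False}

    def _check_password(self, username, password):
        acct = self._accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct["hash"], self._hash(password, acct["salt"]))

    def _sign(self, session_id):
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).hexdigest()

    def login(self, username, password):
        """Return (status, cookie). The cookie is '<random id>.<hmac>' and holds no password."""
        if not self._check_password(username, password):
            return ("bad-credentials", None)
        if self._accounts[username]["must_change"]:
            return ("password-change-required", None)
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = username
        return ("ok", session_id + "." + self._sign(session_id))

    def authenticate_cookie(self, cookie):
        """Return the username for a valid cookie, or None if it is forged or revoked."""
        session_id, sep, signature = cookie.rpartition(".")
        if not sep or not hmac.compare_digest(signature, self._sign(session_id)):
            return None
        return self._sessions.get(session_id)

    def change_password(self, username, old_password, new_password):
        """Verify the old credential, store the new one, clear the flag, drop old sessions."""
        if not self._check_password(username, old_password):
            return False
        self.register(username, new_password)
        self._sessions = {sid: u for sid, u in self._sessions.items() if u != username}
        return True

    def invalidate_all_sessions(self):
        """Revoke every live session and rotate the signing key, so a cookie
        captured earlier fails both the lookup and the signature check."""
        self._sessions.clear()
        self._key = secrets.token_bytes(32)

    def force_password_reset_all(self):
        """The 'flag across all users' step from the thread, plus session revocation."""
        for acct in self._accounts.values():
            acct["must_change"] = True
        self.invalidate_all_sessions()


if __name__ == "__main__":
    store = SessionStore()
    store.register("alice", "correct horse")        # constructed sample account
    status, cookie = store.login("alice", "correct horse")
    print(status, "password in cookie:", "correct horse" in cookie)
    store.force_password_reset_all()
    print("captured cookie after reset:", store.authenticate_cookie(cookie))
    print("login after reset:", store.login("alice", "correct horse")[0])
```

The two remediation steps are deliberately separate: `invalidate_all_sessions` is the cheap, user-invisible response to a leak of session state, while `force_password_reset_all` is the visible one the lecture describes as more a PR decision than a security one.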
