THESE FORUMS NOW CLOSED (read only)

  • 03 Oct 2024, 07:26
  • Welcome, Guest
Please login or register.

Login with username, password and session length
Advanced search  
Pages: [1]   Go Down

Author Topic: Particularly nasty OpenSSL vulnerability  (Read 4757 times)

bhtooefr

  • Older than Moses
  • *****
  • Offline Offline
  • Posts: 4,180
  • ⌘-⌥-⌃-N
Particularly nasty OpenSSL vulnerability
« on: 08 Apr 2014, 04:51 »

In case anyone hasn't heard about this yet: http://heartbleed.com

In other words: THE WORLD IS ENDING. Or, time to update/recompile OpenSSL on any affected machines, and then change any passwords used by processes that use the affected OpenSSL for TLS, revoke all certificates used with said processes (because private keys may have leaked), and get new ones.

And you thought this week's only infosec nightmare was going to be XP's end of life.
Logged

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Particularly nasty OpenSSL vulnerability
« Reply #1 on: 08 Apr 2014, 05:24 »

It's impossible to get onto the OpenSSL site at present.

My SSL server at home isn't OpenSSL, and my OpenBSD firewall has a version that is not vulnerable.
EDIT: Oops - mixing up SSH and SSL here; just a brain-fart.
« Last Edit: 08 Apr 2014, 06:23 by pwhodges »
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )

snalin

  • Vulcan 3-D Chess Master
  • *****
  • Offline Offline
  • Posts: 3,540
  • You may Baste me
Re: Particularly nasty OpenSSL vulnerability
« Reply #2 on: 08 Apr 2014, 05:36 »

Wait, does this mean that ssh keys are compromised?

Fuuuuuu
Logged
I am a cowboy / on a steel horse I ride
I am wanted / Dead or alive

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Particularly nasty OpenSSL vulnerability
« Reply #3 on: 08 Apr 2014, 05:46 »

May be - and there's no way to tell if it happened.
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )

ankhtahr

  • GET ON THE NIGHT TRAIN
  • *****
  • Offline Offline
  • Posts: 2,700
  • A hacker spathe night owl
Re: Particularly nasty OpenSSL vulnerability
« Reply #4 on: 08 Apr 2014, 06:15 »

SSL, not SSH. SSH in the default configuration doesn't use SSL. It uses RSA or DSA keys for authentification and AES for transport. But if you operate a server which offers SSL encrypted services, like HTTPS, IMAP, SMTP, XMPP, Mumble and so on, you'll need a new certificate, because the private key might have been compromised.
Logged
Quote from: Terry Pratchett
He had the look of a lawn mower just after the grass had organised a workers' collective.

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Particularly nasty OpenSSL vulnerability
« Reply #5 on: 08 Apr 2014, 06:21 »

Oops, a brain-fart there.  I don't have any SSL-encrypted servers.
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Particularly nasty OpenSSL vulnerability
« Reply #6 on: 08 Apr 2014, 15:07 »

A good description of the bug in the code:

[uel]http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html[/url]

Note this at the end:

Quote
> What can we learn from this?
 
I'm a fan of C. It was my first programming language and it was the first language I felt comfortable using professionally. But I see its limitations more clearly now than I have ever before.
 
Between this and the GnuTLS bug, I think that we need to do three things:

1. Pay money for security audits of critical security infrastructure like OpenSSL
2. Write lots of unit and integration tests for these libraries
3. Start writing alternatives in safer languages

Given how difficult it is to write safe C, I don't see any other options. I would donate to this effort. Would you?

I'm one of those who's been saying item 3 of that list for decades now; when I was in charge of programming for a medical system in the late 80s, I changed the language used to Modula-2, compiled with full array index checking.
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )

snalin

  • Vulcan 3-D Chess Master
  • *****
  • Offline Offline
  • Posts: 3,540
  • You may Baste me
Re: Particularly nasty OpenSSL vulnerability
« Reply #7 on: 08 Apr 2014, 18:25 »

What "safer languages" should we write these things in, though? Don't get me wrong, I hate C with a passion, but C++ opens for the same bullshit errors you get from free memory access, and Java just continues to have security hole after security hole exposed. There's a lot of fresher languages that's popular, but you're not sure if they're going to be around in a big enough way in five years that you want to build your security on them - you'll just end up with having to redo everything when interest in maintenance dries up.

C# is too Microsoft for the open source world to accept solutions implemented on it, Python has the whole version 2/3 issue that's still not really resolved. Ruby? Perl?

People stick to C because it's universally agreed on as being the best at what it does, which is kinda unique in the language world. It's still horrible, but low level stuff is inherently horrible. While this problem would have been solved if you'd had built-in index checking. It would also be solved if you were using a language that didn't just... give you stuff randomly from the memory when you go out of bounds. On the other hand, it would also have been fixed by someone writing a really, really basic unit test. "What happens when you supply data outside the expected bounds" is a common unit test, and somebody fucked up big to let that through without having it in place.
Logged
I am a cowboy / on a steel horse I ride
I am wanted / Dead or alive

pwhodges

  • Admin emeritus
  • Awakened
  • *
  • Offline Offline
  • Posts: 17,241
  • I'll only say this once...
    • My home page
Re: Particularly nasty OpenSSL vulnerability
« Reply #8 on: 09 Apr 2014, 01:03 »

Nearly 50 years ago Algol-68 was designed so that bounds could be rigorously checked automatically even in dynamically-sized arrays.  At the time it didn't catch on simply because people placed performance over security, and preferred not to have checking code compiled in.  That mind-set has continued to this day, even though program design has a bigger impact on overall performance than code details like that; and so since then languages have even been designed without the safety features that people were going to disable anyway.  We reap what we sow.

The impact of this might not be quite as large as some people have been implying, though bad enough:

https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt

Here's a test tool (currently overloaded):

http://possible.lv/tools/hb/

As so often in XKCD, it's the roll-over text that has the best bits.
« Last Edit: 09 Apr 2014, 03:59 by pwhodges »
Logged
"Being human, having your health; that's what's important."  (from: Magical Shopping Arcade Abenobashi )
"As long as we're all living, and as long as we're all having fun, that should do it, right?"  (from: The Eccentric Family )
Pages: [1]   Go Up