Heartbleed: Serious OpenSSL zero day vulnerability revealed

Discussion in 'privacy technology' started by ronjor, Apr 7, 2014.

  1. hawki (Registered Member)
    Heartbleed bug fixes threaten to cause major Internet disruptions in coming weeks

    Published: April 14, The Washington Post

    "Efforts to fix the notorious Heartbleed bug threaten to cause major disruptions to the Internet over the next several weeks as companies scramble to repair encryption systems on hundreds of thousands of Web sites at the same time, security experts say.

    Estimates of the severity of the bug’s damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake Web sites that mimic legitimate ones to trick consumers into handing over valuable personal information....

    The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the “security certificates” that verify that a Web site is authentic — could overwhelm the systems designed to keep the Internet trustworthy....

    By some estimates, the bug affected as much as two-thirds of the Internet;...

    Stealing the certificate is labor intensive. Indutny’s attempt involved making 2.5 million requests of the CloudFlare server before he finally obtained the key. But what was thought to be impossible now turns out to be doable. Web sites can indeed be tricked into giving up their identity papers, and those papers can be reused by malicious actors....

    Changing your passwords will not protect you if you give them unwittingly to a hacker pretending to be your Web mail provider....

    In the days after Heartbleed was revealed, many Web sites raced to update their systems. Those fixes plugged the immediate hole so hackers could no longer take advantage of the vulnerability. But in light of this latest discovery, many sites still appear to be vulnerable; an attacker could have used Heartbleed to steal a site’s valid security keys anytime before the site patched its systems.

    The next step, experts say, is for all 500,000 affected sites — from mom-and-pop retailers to big conglomerates — to revoke their security certificates and issue new ones.


    But as necessary as that process is, it could have dramatic consequences for Web users’ everyday experiences....

    But the Heartbleed exploit now requires hundreds of thousands of sites to add their certificates to the list, practically overnight. The certificate revocation lists will become bloated with new entries. And browsers will continue to download the now-massive files, according to Paul Mutton, a security consultant at the Web services company Netcraft. Checking a site’s identity will take vastly longer.

    “If a certificate authority has to revoke 10,000 certificates, that entry will have 10,000 certificates on it,” Mutton said. “And if browsers have to download that . . . we’re talking hundreds of megabytes.”...

    It’s roughly the equivalent of having to download 30 minutes’ worth of standard-definition video just to view a single Web page....

    many sites are unaware they need to reissue their certificates or are delaying doing so....

    Healey, of the Atlantic Council, said Web security firms are left with two distasteful options. The first option is to flood the Internet’s security infrastructure with tens of thousands of revoked keys per day and risk slowing down the Web in exchange for greater security. The second option is not much better."


    Full Story Here : http://www.washingtonpost.com/busin...405-11e3-b574-f8748871856a_story.html?hpid=z1
     
    Last edited: Apr 15, 2014
  2. ronjor (Global Moderator)
  3. ald4r1s (Registered Member)
  4. BoerenkoolMetWorst (Registered Member)
  5. siljaline (Registered Member)
    Heartbleed bug is irritating McAfee, Symantec, Kaspersky Lab
    http://www.networkworld.com/news/2014/041514-heartbleed-bug-irritating-280721.html
     
  6. lotuseclat79 (Registered Member)
  7. ronjor (Global Moderator)
  8. lotuseclat79 (Registered Member)
  9. lotuseclat79 (Registered Member)
  10. siljaline (Registered Member)
    Can Heartbleed be used in DDoS attacks?

    http://www.cso.com.au/article/543106/can_heartbleed_used_ddos_attacks_/
     
  11. Dermot7 (Registered Member)
    Heartbleed hacker arrested, charged in connection to malicious bug exploit | Ars Technica
     
    Last edited: Apr 16, 2014
  12. Compu KTed (Registered Member)
    Another Firefox add-on: Heartbleed-Ext 3.0

    The Heartbleed SSL vulnerability presents significant concerns for users and major challenges for site operators. Want to DETECT websites that are vulnerable? Install this plug-in: GREEN is GOOD, RED is BAD.

    This add-on has been preliminarily reviewed by Mozilla.


    Note: This addon is not compatible with Pale Moon 24.4.2
     
  13. ronjor (Global Moderator)
  14. TomAZ (Registered Member)
  15. TheWindBringeth (Registered Member)
  16. BoerenkoolMetWorst (Registered Member)
  17. MrBrian (Registered Member)
  18. Dermot7 (Registered Member)
  19. MrBrian (Registered Member)
  20. MrBrian (Registered Member)
  21. Dermot7 (Registered Member)
    http://blog.sucuri.net/2014/04/heartbleed-in-the-wild.html
     
  22. jwcca (Registered Member)
    Should we worry about the PC applications that install their own versions of "libeay32.dll"?
    I have 3 apps with 3 different versions...
    powerdesk v 1.0.0c 2011-12-09 1,341KB
    DWA-160 v 0.9.8g 2010-05-28 1,084KB
    LibreOffice v 1.0.1e 2014-01-28 1,150KB
    of which only two are important, the wireless adapter and LibreOffice.

    D-Link has a FAQ link, but when clicked, nothing happens.
    LibreOffice search just results in a "500 server error" page.
    I don't use Powerdesk anymore and should uninstall it....
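    As an added example (not from the thread, and not code from any vendor named in it), the check a practitioner would want for this question: every OpenSSL build embeds its version banner as a plain ASCII string, e.g. "OpenSSL 1.0.1e 11 Feb 2013", and CVE-2014-0160 affects only OpenSSL 1.0.1 through 1.0.1f (1.0.1g carries the fix; the 0.9.8 and 1.0.0 branches never had the heartbeat code). So a short script can inventory every bundled libeay32.dll on a machine and flag the copies in that range without parsing the PE version resource. The function names, the directory-walk helper and the sample DLL blobs below are assumptions constructed for this example; the blobs stand in for the three DLLs listed in the post and are not real DLL contents.

```python
import re
import sys
from pathlib import Path

# Every OpenSSL build embeds OPENSSL_VERSION_TEXT, e.g. "OpenSSL 1.0.1e 11 Feb 2013",
# as a plain ASCII string, so the version can be read straight out of the DLL bytes.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(data: bytes):
    """Return (major, minor, fix, letter) for the first banner found in data, or None."""
    m = BANNER_RE.search(data)
    if m is None:
        return None
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, fix, m.group(4).decode("ascii"))


def is_heartbleed_affected(version) -> bool:
    """CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f; 1.0.1g carries the fix.
    The 0.9.8 and 1.0.0 branches never contained the heartbeat extension.
    (1.0.2 pre-release betas were affected too, but no 1.0.2 release existed then.)"""
    major, minor, fix, letter = version
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter <= "f"  # "" (plain 1.0.1) and a..f are affected; g and later are not


def classify_blob(data: bytes) -> dict:
    """Classify one DLL image: the version string found (if any) and whether it is affected."""
    version = parse_openssl_version(data)
    if version is None:
        return {"version": None, "affected": None}
    major, minor, fix, letter = version
    return {"version": f"{major}.{minor}.{fix}{letter}",
            "affected": is_heartbleed_affected(version)}


def scan_tree(root: str, names=("libeay32.dll", "ssleay32.dll")):
    """Hypothetical inventory helper: walk root for bundled OpenSSL DLLs and classify
    each one found. Returns a list of (path, version, affected) tuples."""
    found = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in names:
            info = classify_blob(path.read_bytes())
            found.append((str(path), info["version"], info["affected"]))
    return found


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run against a directory, e.g. "C:\Program Files".
        verdicts = {True: "AFFECTED - needs a vendor update", False: "not affected",
                    None: "no OpenSSL banner found"}
        for path, version, affected in scan_tree(sys.argv[1]):
            print(f"{path}: OpenSSL {version} -> {verdicts[affected]}")
    else:
        # Constructed stand-ins for the three DLLs listed in the post (not real DLL contents).
        samples = {
            "powerdesk/libeay32.dll": b"MZ\x90\x00...OpenSSL 1.0.0c 2 Dec 2010\x00",
            "DWA-160/libeay32.dll": b"MZ\x90\x00...OpenSSL 0.9.8g 19 Oct 2007\x00",
            "LibreOffice/libeay32.dll": b"MZ\x90\x00...OpenSSL 1.0.1e 11 Feb 2013\x00",
        }
        for name, blob in samples.items():
            print(name, classify_blob(blob))
```

    Run it as `python check_libeay32.py "C:\Program Files"` to list every bundled copy with its verdict. A flagged copy only tells you the DLL carries the vulnerable code; patching the operating system does nothing for a DLL an application ships privately, so the fix has to come from that application's vendor, as with the LibreOffice 4.2.3 release mentioned further down the thread.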
     
  23. lotuseclat79 (Registered Member)
  24. SirDrexl (Registered Member)
    LibreOffice was recently updated to 4.2.3:
    • This release is not bit-identical to 4.2.3 Release Candidate 3 - it includes ad [sic] additional fix for CVE-2014-0160 ("heartbleed")
     
  25. lotuseclat79 (Registered Member)