Heartbleed: Serious OpenSSL zero day vulnerability revealed

Discussion in 'privacy technology' started by ronjor, Apr 7, 2014.

  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  3. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    Thanks, downloaded and installed.
    J
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Heartbleed Highlights a Contradiction in the Web:
     
  7. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Can someone explain to me how apps would be affected by Heartbleed? It seems pointless, but I'm open to being proved wrong.
    edit
    I mean one of the reviews is
    "So far, so good... Even after reading the description I must admit that I still haven't a clue what 'heartbleed' is except that it's bad. But whatever it is this app does a fine job of protecting my device from it."

    It seems like these sorts of apps muddy people's idea of what Heartbleed is.
     
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    https://zmap.io/heartbleed/certificates.html

    4790 Tapatalk.com (nginx) Certificate First Seen 2013-11-07
     
  10. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Alright, that makes a bit more sense then. I guess the part I wasn't getting was why some apps would use OpenSSL to begin with.

    I still think though that it can give a false impression of users being "protected against Heartbleed". They don't make it clear that the apps could still connect to vulnerable servers that for whatever reason haven't patched yet. Client side, sure they'd be "protected" in that no one can send them a heartbleed request, but it doesn't protect whatever they're connecting to.

    Thousands of reviews of people thinking Heartbleed is a "virus" that "infects" apps, and that they're protected now that the app is installed.

    EDIT

    Alright, I installed the app, and after it's done scanning it shows a link to a page that has more information about Heartbleed: http://ksmobile.com/blog/2014-04-10/65.html

    That's a lot better. I was thinking it wasn't explaining to users the details in full, but it does try to.
     
    Last edited: Apr 20, 2014
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,215
    Heartbleed, listen to my heartbleed, oh-oh

    You'd better read this one, because it's the first time ever that I consider a security problem to be worth discussing for real. Hence, this serious and only somewhat humoristic article discussing the consequences and ramifications of the Heartbleed bug in the OpenSSL cryptographic library, including some down-to-earth pointers on remedy, workarounds and mitigations on both the server and client side. Plus the usual micro-dose of gentle trolling. Enjoy.

    http://www.dedoimedo.com/computers/heartbleed.html


    Cheers,
    Mrk
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,059
    Location:
    Texas
  14. hogndog

    hogndog Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    632
    Location:
    In His Service
    Just found this from the Ixquick search engine people..

    Rest easy, Ixquick is secure from Heartbleed SSL threat

    Posted On 08 April 2014 11:46 PM

    "Heartbleed" is a security vulnerability in OpenSSL (Secure Socket Layer) encryption that permits eavesdropping on communications and access to sensitive data such as passwords. Heartbleed gives read access to the memory of the encryption functions of vulnerable servers, allowing attackers to steal the private keys used to encrypt data transmissions.

    Ixquick's vulnerability to this attack was limited, since we had implemented a more secure, upgraded form of SSL known as Perfect Forward Security (PFS) in July 2013. PFS is generally supported by most recent browser versions. Since PFS uses a different "per-session" encryption key for each data transfer, even if a site's private SSL key is compromised, past communications are protected from retroactive decryption.

    Security is a moving target, and we work hard to stay ahead of the curve. Immediately after the Heartbleed security advisory, Ixquick's encryption modules were updated and encryption certificates were changed.

    In independent evaluation, Ixquick outscores other search engines on encryption standards, earning an A+ rating. See Qualys' SSL Labs evaluation of Ixquick's encryption features here:
    https://www.ssllabs.com/ssltest/analyze.html?d=ixquick.com

    Related links:

    Ixquick/StartPage's PFS press release (July 2013): https://www.startpage.com/eng/press/pr-pfs.html

    "Heartbleed" bug undoes Web encryption, reveals Yahoo passwords
    http://www.cnet.com/news/heartbleed-bug-undoes-web-encryption-reveals-user-passwords/
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Lol, marketing language.
    Correctly: They were just as vulnerable to the attack as others, but if an attacker would have obtained the private keys, the consequences would have been less severe because of PFS.
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes, and an attacker could still get passwords and all other useful data from memory.
     
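    A check for the forward-secrecy property that the Ixquick notice and the two replies above discuss, added here as an example and not part of the thread: a forward-secret cipher suite is one whose key exchange is ephemeral (EC)DH, so that a leaked long-term private key does not let recorded sessions be decrypted, while the data read out of a live server's memory is unaffected by it. The classification is on OpenSSL-style suite names; the network lookup and the sample suite list are constructed for illustration.

```python
import socket
import ssl

# Key-exchange prefixes in OpenSSL cipher-suite names that use ephemeral (EC)DH:
# the session key is derived from one-time values, so a later compromise of the
# server's long-term private key does not decrypt a recorded session.
EPHEMERAL_KX = ("ECDHE-", "DHE-", "EDH-")
# Anonymous ephemeral suites: forward secret on paper, but no server
# authentication at all, so they do not count as acceptable either.
ANONYMOUS_KX = ("ADH-", "AECDH-")
# TLS 1.3 suite names carry no key-exchange part; TLS 1.3 only defines (EC)DHE
# key exchange, so every one of them is forward secret.
TLS13_SUITES = ("TLS_AES_", "TLS_CHACHA20_")

# Constructed sample of suite names as a client might see them negotiated.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA", "TLS_AES_256_GCM_SHA384",
    "AES128-SHA", "ECDH-RSA-AES128-SHA", "AECDH-AES128-SHA", "EXP-EDH-RSA-DES-CBC-SHA",
]


def has_forward_secrecy(cipher_name):
    """True if the suite uses an authenticated ephemeral key exchange."""
    if cipher_name.startswith("EXP"):          # export-grade: deliberately weak
        return False
    if cipher_name.startswith(TLS13_SUITES):
        return True
    if cipher_name.startswith(ANONYMOUS_KX):   # ephemeral but unauthenticated
        return False
    return cipher_name.startswith(EPHEMERAL_KX)  # static RSA / static (EC)DH fail here


def classify(cipher_names):
    """Split suite names into (forward-secret, not-forward-secret) lists."""
    fs = [c for c in cipher_names if has_forward_secrecy(c)]
    return fs, [c for c in cipher_names if c not in fs]


def negotiated_cipher(host, port=443, timeout=5.0):
    """Connect with default client settings and return (suite name, protocol),
    so a live site's actual choice can be fed to has_forward_secrecy()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return name, protocol


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # hypothetical host
    name, proto = negotiated_cipher(host)
    print(host, proto, name, "forward secret" if has_forward_secrecy(name) else "NOT forward secret")
```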
  17. hogndog

    hogndog Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    632
    Location:
    In His Service
    The computers of today are capable of doing anything. No matter what ideas we may have to protect our privacy, they are ten steps ahead of us. Read an article about Tor the other day that made it look like some toy you'd get out of a Cracker Jack box. IMO life as we know/knew it is about to change.
     
  18. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    Free Scanning Tool Promises To Find Heartbleed On Any Device.

    Note: Download URL and Integrity Hashes located here.

    Note:
    -- Tom
     
  19. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    "OpenSSL code beyond repair, claims creator of “LibreSSL” fork"
    http://arstechnica.com/information-...eyond-repair-claims-creator-of-libressl-fork/
     
  20. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
  21. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Tried it on my ISP Port 443

    (attached screenshot: hb.png)

    Not sure why I get that, maybe I'm doing it wrong?

    Tried it here too, same result?

    107.170.53.243 443 "wilderssecurity.com" " Sending heartbeat request failed"
     
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,059
    Location:
    Texas
  23. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,540
    Location:
    Triassic
    There are lots of different networks out there, e.g. Internet, Intranet, Extranet. Private, Closed and Open. It is apparent that the use of OpenSSL is not confined to Open Networks. There are private/closed networks (VPN and non-virtual) that also use OpenSSL.

    ISPs operate both open and closed networks and offer services on both, e.g. IPTV and an Intranet service is closed. I am not sure about the Extranet because it is primarily used to bring businesses and vendors together, so maybe they are mixed. If a hacker successfully exploits an open network or VPN (closed network), can they also make their way onto an Extranet from there?

    ISPs also operate a 'Private' non virtual network that their technicians use. They claim that the TV cable boxes are on this Private network.
    • A "closed network" can refer to a private network that can only be used by authenticated, authorized devices; outsider use is prohibited and enforced through cryptographic means.
    I assume therefore that there would be no urgency for ISPs to upgrade/update any device on their Private network even if it is vulnerable to the Heartbleed flaw. It seems to me that this would be a cost avoidance strategy that some might take.

    NB: Please correct me on Extranet if I am wrong with my assumption.
     
  24. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    If an Android Has a Heart, Does It Bleed?
    http://www.fireeye.com/blog/technical/2014/04/if-an-android-has-a-heart-does-it-bleed.html
     
  25. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU