
Heartbleed SSL bug serious vulnerability impacting major services, being patched now

Status
Not open for further replies.

itxaka

Defeatist
So just in case you guys haven't heard of it, there is a new vulnerability of SSL out there which exposes random memory from the server, which could be your login data, private keys, etc.

It's being actively exploited right now. There are patches but some services are taking too long to patch their servers, so the recommended action is to not login on anything right now.

Some of the sites affected are yahoo.com, steamcommunity.com, redtube.com, hidemyass.com

You can read more about the vuln in here: http://heartbleed.com/

And no, neogaf is not affected.


Basically the thing is, you send up to 64Kb of data to an SSL server and tell it to echo it, and it will. But you can send 1b of data and tell the server that you actually sent 64Kb, so the server will send you back those 64Kb of data. And those 64Kb of data are from the server memory, and close to the SSL thread so...it will send private keys, logins and passwords, basically everything that just passed through SSL.

If you keep on trying several times, you will get a lot of info, especially on sites with lots of logins and such.


This is one of the big ones, available since 2012, not known until a couple of days ago, released into the wild with almost no one patched.
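To make the length mismatch described above concrete from the server's side, here is an added example (not code from this thread or from OpenSSL) that parses a TLS heartbeat record per RFC 6520 and applies the bounds check the fixed OpenSSL release added: the declared payload length, plus the 1-byte type, 2-byte length field and 16 bytes of padding, must fit inside the record actually received. The record builder, the zero padding and the sample records are constructed for the example; a hardened responder only ever echoes bytes the client really sent.

```python
import struct

TLS_HEARTBEAT = 24            # TLS record content type for heartbeat (RFC 6520)
TLS_VERSION = 0x0302          # TLS 1.1 on the wire; any value works for this check
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16           # RFC 6520: at least 16 bytes of padding per message
HB_HEADER = 1 + 2             # 1-byte message type + 2-byte payload_length


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body).

    Constructed minimal parser: it only checks that the record body is
    as long as the 5-byte header claims."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body shorter than header claims")
    return ctype, version, body


def heartbeat_is_wellformed(body: bytes) -> bool:
    """The check that was missing: the client-declared payload_length must
    fit inside the bytes that actually arrived.  The vulnerable code trusted
    payload_length and copied that many bytes back regardless of record size."""
    if len(body) < HB_HEADER + HB_MIN_PADDING:
        return False                      # not even room for an empty payload
    _, payload_len = struct.unpack("!BH", body[:HB_HEADER])
    return HB_HEADER + payload_len + HB_MIN_PADDING <= len(body)


def classify_record(data: bytes) -> str:
    """Defender's view of one record: 'not-heartbeat', 'ok' or 'malformed'.
    A 'malformed' heartbeat (declared length larger than the record) is
    exactly what intrusion-detection signatures for this bug looked for."""
    ctype, _, body = parse_tls_record(data)
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    return "ok" if heartbeat_is_wellformed(body) else "malformed"


def safe_heartbeat_response(body: bytes):
    """Hardened responder: silently discard malformed requests (as RFC 6520
    requires) and otherwise echo only the bytes the client really sent."""
    if not heartbeat_is_wellformed(body):
        return None
    _, payload_len = struct.unpack("!BH", body[:HB_HEADER])
    payload = body[HB_HEADER:HB_HEADER + payload_len]
    padding = b"\x00" * HB_MIN_PADDING     # constructed; real padding is random
    return bytes([HB_RESPONSE]) + struct.pack("!H", len(payload)) + payload + padding


def build_heartbeat_record(payload: bytes, declared_len=None) -> bytes:
    """Constructed test helper: build a heartbeat request record.  Passing a
    declared_len different from len(payload) reproduces the mismatch the
    thread describes, so the validator can be exercised offline."""
    if declared_len is None:
        declared_len = len(payload)
    body = bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload
    body += b"\x00" * HB_MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, TLS_VERSION, len(body)) + body


if __name__ == "__main__":
    good = build_heartbeat_record(b"hello")
    bad = build_heartbeat_record(b"hello", declared_len=0x4000)   # claims 16 KiB
    print("honest request:", classify_record(good))
    print("oversized claim:", classify_record(bad))
    print("hardened echo:", safe_heartbeat_response(good[5:]))
```

Run it directly to see the honest request classified as ok and the oversized claim as malformed; the hardened responder returns None for the latter instead of copying anything.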
 

Windu

never heard about the cat, apparently
a big security vulnerability that isn't in windows. that is a first.
 

Relix

he's Virgin Tight™
Yeah. Just received a notification from Red Hat. Their servers are getting hammered and can't get the OpenSSL fix.
 

WalkMan

Banned
I'd suggest everyone using OpenSSL to get new certificates and generate new secret keys. There were a couple companies sitting on this vulnerability since it's been out since 2012.
 
You can store it in any cloud service


 

itxaka

Defeatist
Yeah. Just received a notification from Red Hat. Their servers are getting hammered and can't get the OpenSSL fix.

Yep. I saw it yesterday night and went to patch it but there was not a patch yet. Just skimmed over the page explaining it and called it a day.

Then I woke up this morning, sat with my coffee, started reading slowly and BOOOM suddenly I saw that it was really bad. Updated work servers on remote and got my ass to work.

I don't know what to do with our CA certificates :S, should change them all.
 

Relix

he's Virgin Tight™
Yep. I saw it yesterday night and went to patch it but there was not a patch yet. Just skimmed over the page explaining it and called it a day.

Then I woke up this morning, sat with my coffee, started reading slowly and BOOOM suddenly I saw that it was really bad. Updated work servers on remote and got my ass to work.

I don't know what to do with our CA certificates :S, should change them all.

Well just tested my web service...

Vulnerable.

FML. Red Hat getting hammered. Getting peer cert cannot be verified error.
 

Yagharek

Member
Keepass uses a locally stored database. At worst, it's only vulnerable to someone with direct access to your computer.

Fair point. That said, people steal computers (laptops) during break-ins. Not notepads. Probably a safer option, if a tedious one.
 

zigg

Member
I don't know what to do with our CA certificates :S, should change them all.
Yes. You have no way of knowing if anyone was able to get your keys or not.

I'd also recommend that anyone who used credentials to log in via SSL over the last day be forced to change them.

The real outlier is if anyone had managed to capture your SSL traffic pre-disclosure, and you didn't have forward secrecy (a.k.a. PFS)—if they then got your key they could decrypt old sessions too.

This all sounds really shitty and alarmist, but the truth is that this is being actively scanned-for and exploited now. 😔
 

itxaka

Defeatist
Yes. You have no way of knowing if anyone was able to get your keys or not.

I'd also recommend that anyone who used credentials to log in via SSL over the last day be forced to change them.

The real outlier is if anyone had managed to capture your SSL traffic pre-disclosure, and you didn't have forward secrecy (a.k.a. PFS)—if they then got your key they could decrypt old sessions too.

This all sounds really shitty and alarmist, but the truth is that this is being actively scanned-for and exploited now. 😔

I know, but what if our CA vendor has been compromised? There is no other way than wait for them to confirm or not, and regenerate THEIR keys before regenerating ours. This sucks.


Well just tested my web service...

Vulnerable.

FML. Red Hat getting hammered. Getting peer cert cannot be verified error.

Download and make the new openssl and link the old libs to the compiled ones. That way you don't have to wait for Red Hat.

Had to do that with our chef-server. Stupid chef, why the hell would you embed libssl??!!
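Two checks a sysadmin doing the manual rebuild described in this post would want are whether a reported OpenSSL version string falls in the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g is the fixed release) and whether long-running services still have the old libssl/libcrypto mapped after the upgrade. The following is an added example, not code from this thread or from OpenSSL; the `/proc/<pid>/maps` lines it parses are constructed samples, and the version check is only valid for upstream builds, since distributions like Red Hat backported the fix while keeping the 1.0.1e version number.

```python
import re
import subprocess

# Affected range per the OpenSSL advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1.
_VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(-beta\d*)?")


def openssl_version_is_vulnerable(version_line: str) -> bool:
    """Classify the output of `openssl version` (e.g. 'OpenSSL 1.0.1e 11 Feb 2013').

    Caveat: only meaningful for upstream builds.  Distro packages (RHEL's
    openssl-1.0.1e-*, for instance) keep the old version letter and fix the bug
    in a backported patch, so there the package changelog is the source of truth."""
    m = _VERSION_RE.search(version_line)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % version_line)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    letter, beta = m.group(4), m.group(5)
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"               # '' (plain 1.0.1) and a..f are affected
    if (major, minor, patch) == (1, 0, 2):
        return beta is not None           # 1.0.2-beta1 shipped the bug as well
    return False                          # 0.9.8 and 1.0.0 never had the heartbeat code


def stale_ssl_libraries(maps_text: str) -> list:
    """Find libssl/libcrypto mappings marked '(deleted)' in /proc/<pid>/maps.

    After `make install` or a package upgrade replaces the shared object on
    disk, a process that was already running keeps the OLD file mapped; the
    kernel shows it as deleted.  Such a process is still vulnerable until it
    is restarted, whatever `openssl version` now says."""
    stale = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                      # anonymous mapping, no path
        path = fields[5].strip()
        name = path.rsplit("/", 1)[-1]
        if (name.startswith("libssl") or name.startswith("libcrypto")) \
                and path.endswith("(deleted)"):
            stale.append(path)
    return stale


# Constructed sample: what a long-running daemon's maps file can look like
# after the libraries were replaced underneath it.
SAMPLE_MAPS = """\
7f3b2c000000-7f3b2c1c0000 r-xp 00000000 08:01 1234  /usr/lib64/libssl.so.1.0.1e (deleted)
7f3b2c400000-7f3b2c5a0000 r-xp 00000000 08:01 5678  /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f3b2c700000-7f3b2c710000 r-xp 00000000 08:01 9999  /lib64/libc-2.12.so
7f3b2c800000-7f3b2c821000 rw-p 00000000 00:00 0
"""


if __name__ == "__main__":
    try:
        out = subprocess.check_output(["openssl", "version"]).decode()
        print(out.strip(), "->", "VULNERABLE" if openssl_version_is_vulnerable(out) else "not in affected range")
    except (OSError, subprocess.CalledProcessError, ValueError) as exc:
        print("could not query local openssl:", exc)
    print("stale libraries in sample maps:", stale_ssl_libraries(SAMPLE_MAPS))
```

On a real host, feed `stale_ssl_libraries` the contents of `/proc/<pid>/maps` for each service that terminates TLS (web server, mail server, the embedded chef-server libssl mentioned above); any hit means that process needs a restart before it is actually running the rebuilt library.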
 
man, i've logged into both my gmail and bank account this morning. i hope neither of those sites are impacted. the site that checks is getting hammered and won't even return a result for me :/
 

zigg

Member
I know, but what if our CA vendor has been compromised? There is no other way than wait for them to confirm or not, and regenerate THEIR keys before regenerating ours. This sucks.
…yeah you do have a bit of a catch-22 there. The act of signing your certificate is safe, but your credentials for logging into the CA could be at risk if it's password-based.

That said, if you have two-factor you mitigate that somewhat, and I think that if your CA uses client certificates for authentication you should be safe. I can't think of a hole in that scenario. Someone please feel free to point out anything I've missed…
 

epmode

Member
Fair point. That said, people steal computers (laptops) during break-ins. Not notepads. Probably a safer option, if a tedious one.

Even if this happens, it'll take literally years to break into my Keepass database. I have it set up to force the CPU through X computational cycles per login attempt. So it's only a 1 second delay for me but it makes password cracking virtually impossible.

You can even make it so the database requires a file on a USB stick before it will open. Keepass is great FYI.
 

Husker86

Member
Yikes. If anyone in this thread uses Lastpass, I'd suggest Keepass instead since a locally stored database can't be affected by something like this.

2-step yo! I was worried at first, then I remembered I use Google Authenticator with LastPass.
 
OP title bothers me. This isn't SSL failing over and over again. Apple's bug was an implementation issue. The HeartBleed bug is an implementation issue. This is not an attack on SSL itself. 'SSL keeps on failing' implies there's something wrong with the protocol and shouldn't be trusted, which is foolish.
 

SoulClap

Member
How does that work if you work from multiple computers? Is there an allowance for that?

I keep my databases synced via Dropbox. I also use a key file in addition to a master password. I have key file backed up on a couple external drives and copy them over as necessary.
 

itxaka

Defeatist
OP title bothers me. This isn't SSL failing over and over again. Apple's bug was an implementation issue. The HeartBleed bug is an implementation issue. This is not an attack on SSL itself. 'SSL keeps on failing' implies there's something wrong with the protocol and shouldn't be trusted, which is foolish.

A protocol is only as good as its implementations are. And in the case of SSL, all those implementations are failing lately. Didn't mean anything else but that. Feel free to pm a mod so they can change it to something else like "Buy a sysadmin a beer day" ;D
 

Yagharek

Member
Even if this happens, it'll take literally years to break into my Keepass database. I have it set up to force the CPU through X computational cycles per login attempt. So it's only a 1 second delay for me but it makes password cracking virtually impossible.

You can even make it so the database requires a file on a USB stick before it will open. Keepass is great FYI.

Ok, thanks for the info (if it wasn't obvious this is new to me). Still, I think keepass and an analog backup would be worthwhile.
 