The Heartbleed bug
http://heartbleed.com/
The Heartbleed bug in the very popular OpenSSL crypto library allows an attacker to read memory of a server that uses OpenSSL's TLS or SSL implementation.
Web browsers are not affected because they don't use OpenSSL's TLS/SSL implementations. However, web servers often do, and the Heartbleed bug allows an attacker to get the private key of the server. If the attacker is able to listen to encrypted traffic between you and the server, he/she can decrypt it with the private key. Worse, if he/she has ever been able to listen to encrypted traffic, he/she can now decrypt it retroactively. In other words: this is one of the worst security bugs ever.
My YouTube channel | Release date of my 13th playlist: August 24, 2020
Re: The Heartbleed bug
Quick note on scope...
- http://heartbleed.com/ author wrote:
What versions of the OpenSSL are affected?
Status of different versions:
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
- Misc related (YMMV):
Video @ http://vimeo.com/91425662 (from http://info.elastica.net/2014/04/openss ... erability/)
Manual testing recipe @ http://korovamilky.tumblr.com/post/8209 ... penssl-tls
Vulnerability testing tool @ http://rehmann.co/projects/heartbeat/
Re: The Heartbleed bug
A major problem is knowing who and what has been using one of the vulnerable versions of OpenSSL. Potentially everyone from your bank to your online password manager such as LastPass and everything from your ISP to your router to your computer to your television could be affected.
Whilst it would seem to be a good idea to change all your passwords immediately, that could well be a pointless gesture until the problem has been corrected at both ends: that is, the devices you use to login with and the things that you login to.
One small bit of good news in all this is that SkyNews reports that Google, Microsoft, Twitter, Facebook and Dropbox are understood to be unaffected. I really wish that list were a lot longer!
Re: The Heartbleed bug
I don't fully understand the implications of this security bug, but I checked all my apps for vulnerable libraries.
This is the resulting list:
Back4sure
HTTrack
KVIrc
PChat
POPPeeper
QupZilla
Trillian
xVideoServiceThief
LibreOffice
Out of all these only POPPeeper gives me the chills as I'm using it daily for checking multiple mail accounts. Should I be worried?
- Andrew Lee
Re: The Heartbleed bug
I think it only affects certain web servers (apache, nginx) with HTTPS enabled. It does not affect web servers that do not have HTTPS enabled. It does not affect SSH. I think there is zero impact at the user app level.
To check if your favorite websites still have this bug, use:
https://lastpass.com/heartbleed/
Basically, the advice is to change your passwords for those websites that might be affected.
The tricky thing is some apps use HTTPS to access web APIs at the backend, and they may pass along sensitive information through the APIs. In such cases, it would be difficult to identify all those apps (especially mobile apps).
Re: The Heartbleed bug
joby wrote:
I checked all my apps for vulnerable libraries. This is the resulting list...
As I understand it, the only thing that's vulnerable to the Heartbleed bug is server software since the attack involves sniffing traffic to a server. I'll follow up on this but I think the only entry in our database that needs updating based on this vulnerability is XAMPP, which was just updated:
http://www.softpedia.com/get/PORTABLE-S ... AMPP.shtml
What's New in This Release:
Updated OpenSSL to 1.0.1g
Updated Apache to 2.4.9
Updated PHP to 5.4.27
phpMyAdmin 4.1.12
Re: The Heartbleed bug
webfork wrote:
As I understand it, the only thing that's vulnerable to the Heartbleed bug is server software since the attack involves sniffing traffic to a server.
Client software is also vulnerable if it uses OpenSSL's TLS/SSL implementation. In that case the server can send a maliciously crafted heartbeat message to read memory of the client.
My YouTube channel | Release date of my 13th playlist: August 24, 2020
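The two posts above describe the same defect from the server and the client side: a heartbeat message carries its own payload length, and the unpatched library copied that many bytes back without checking how many had actually arrived. As an added example, not code from the original posts or from OpenSSL itself, the following stand-alone parser shows the shape of the length check that 1.0.1g introduced, run over constructed bytes; the names parse_heartbeat and build_heartbeat_response are assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat layout (RFC 6520): type(1) | payload_length(2, big-endian)
 * | payload | padding(>=16). rec_len is what actually arrived on the wire;
 * payload_length is whatever the peer wrote into the message. */
#define HB_HDR_LEN 3
#define HB_MIN_PADDING 16

struct heartbeat {
    uint8_t type;
    uint16_t payload_len;
    const uint8_t *payload;
};

/* Returns 1 if well-formed, 0 if the message must be dropped. The comparison
 * below is the check missing from OpenSSL 1.0.1-1.0.1f and added in 1.0.1g:
 * header + declared payload + minimum padding must fit in the received record. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len, struct heartbeat *out)
{
    if (rec == NULL || out == NULL || rec_len < HB_HDR_LEN + HB_MIN_PADDING)
        return 0;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR_LEN + declared + HB_MIN_PADDING > rec_len)
        return 0; /* unpatched code skipped this and copied 'declared' bytes */
    out->type = rec[0];
    out->payload_len = declared;
    out->payload = rec + HB_HDR_LEN;
    return 1;
}

/* Echoes only a validated payload into resp. Returns bytes written, or 0
 * if the request was rejected or resp_cap is too small. */
size_t build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                                uint8_t *resp, size_t resp_cap)
{
    struct heartbeat hb;
    if (!parse_heartbeat(rec, rec_len, &hb))
        return 0;
    size_t need = (size_t)HB_HDR_LEN + hb.payload_len + HB_MIN_PADDING;
    if (need > resp_cap)
        return 0;
    resp[0] = 2; /* heartbeat_response */
    resp[1] = (uint8_t)(hb.payload_len >> 8);
    resp[2] = (uint8_t)(hb.payload_len & 0xff);
    memcpy(resp + HB_HDR_LEN, hb.payload, hb.payload_len);
    memset(resp + HB_HDR_LEN + hb.payload_len, 0, HB_MIN_PADDING); /* real TLS pads randomly */
    return need;
}
```

A message that declares 65535 payload bytes but arrives in a 22-byte record is rejected outright; the same check applies whether the message came from a server or from a client.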
Re: The Heartbleed bug
SYSTEM wrote:
Client software is also vulnerable if it uses OpenSSL's TLS/SSL implementation. In that case the server can send a maliciously crafted heartbeat message to read memory of the client.
Interesting. Well, here's adding to Joby's list. I don't have data on which of these have or have not been updated, just the presence of the OpenSSL library (libeay32.dll):
7-PDF Maker
Actionaz
Calibre
Eagleget
LinkChecker
MSDOrganizer
Portable Cobian
PortableApps Launcher
VYM
WackGet
VideoServiceThief
Brosix
EssentialPIM
PicPick
PSPad
Rainlendar
ResophNotes
Sylpheed
Re: The Heartbleed bug
OpenBSD developers forked OpenSSL: http://www.bit-tech.net/news/bits/2014/04/23/libressl/1
My YouTube channel | Release date of my 13th playlist: August 24, 2020
Re: The Heartbleed bug
SYSTEM wrote:
OpenBSD developers forked OpenSSL: http://www.bit-tech.net/news/bits/2014/04/23/libressl/1
- Thanks for the info, SYSTEM...
Quick lead off:
"The OpenBSD researchers have reached a conclusion: OpenSSL can't be trusted."
- LibreSSL Website: http://www.libressl.org/
- Origins of LibreSSL: http://www.tedunangst.com/flak/post/origins-of-libressl
- OpenSSL Valhalla Rampage: http://opensslrampage.org/
Re: The Heartbleed bug
In all the news about heartbleed, I was pleased to see this:
"Historically, RHEL (and by definition, CentOS) have been somewhat maligned for using older versions of many packages. You'll find that the kernels and many core service packages are usually a year behind current, though many have backported patches for security issues. This is why RHEL 6.4, released over a year ago in February 2013, shipped an OpenSSL version that was even a year older -- and not vulnerable to Heartbleed."
http://www.infoworld.com/d/data-center/ ... 0?page=0,1
Kudos to Redhat.
Also, for anyone that missed it, there's a plan to do two things I'm really in favor of: fund open source infrastructure projects and help projects everyone really relies on get plenty of attention (CII).
Re: The Heartbleed bug
Heartbleed Scanner
Dl @ http://download.crowdstrike.com/heartbl ... canner.zip
http://www.crowdstrike.com/blog/new-com ... index.html
"easily scan your Intranet SSL websites, OpenSSL VPNs, Secure FTP servers, Databases, Secure SMTP/POP/IMAP email servers, routers, printers, phones, and anything else that may have been compiled with OpenSSL 1.0.1-1.0.1f."