Thursday, June 12, 2014


"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.
At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.
EDITED TO ADD (4/9): Has anyone looked at all the low-margin non-upgradable embedded systems that use OpenSSL? An upgrade path that involves the trash, a visit to Best Buy, and a credit card isn't going to be fun for anyone.
EDITED TO ADD (4/10): I'm hearing that the CAs are completely clogged, trying to reissue so many new certificates. And I'm not sure we have anything close to the infrastructure necessary to revoke half a million certificates.
EDITED TO ADD (4/10): I wonder if there is going to be some backlash from the mainstream press and the public. If nothing really bad happens -- if this turns out to be something like the Y2K bug -- then we are going to face criticisms of crying wolf.
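The 64K over-read described above, written out as an added example. This is not OpenSSL's code and not part of the original post: it models the heartbeat record layout the extension uses (a 1-byte type, a 2-byte payload length, the payload, and at least 16 bytes of padding), puts a vulnerable handler next to one with the length check that was missing, and runs both over a constructed "process memory" buffer so the over-read stays inside memory the program owns. The `demo_` names and the secret string are inventions for the demonstration.

```c
/*
 * Added example (not OpenSSL's code): a model of the Heartbleed over-read
 * beside the bounds check that fixes it.  Record layout follows the TLS
 * heartbeat extension: 1 byte type, 2 byte payload length, payload, >= 16
 * bytes padding.  "Process memory" is a constructed buffer so the over-read
 * stays in bounds and the program is well-defined.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_MAX_OUT  (3 + 0xFFFF + HB_PADDING)   /* largest possible response */

/* 16-bit big-endian length, as carried on the TLS wire. */
static size_t read_be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/*
 * Vulnerable handler: trusts the payload length in the header and copies that
 * many bytes into the response without asking how many bytes the record really
 * carried.  A 2-byte payload claiming 0xFFFF makes memcpy walk ~64 KiB past the
 * record into whatever else the process holds.  rec_len is accepted but never
 * consulted; mem_end is a demonstration-only guard real code did not have.
 * Returns the number of payload bytes echoed, or -1 if the response won't fit.
 */
static long heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                 const uint8_t *mem_end,
                                 uint8_t *out, size_t out_cap)
{
    (void)rec_len;                            /* the bug: real length ignored */
    size_t payload = read_be16(rec + 1);
    const uint8_t *p = rec + 3;
    if (3 + payload + HB_PADDING > out_cap) return -1;
    if (p + payload > mem_end) return -1;     /* demo-only, keeps us in bounds */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, p, payload);              /* reads past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (long)payload;
}

/* Fixed handler: the claimed payload must fit inside the record actually
 * received, otherwise the record is silently discarded. */
static long heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;           /* no room for a length */
    size_t payload = read_be16(rec + 1);
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1; /* the missing check */
    if (3 + payload + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)payload;
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (long)payload;
}

/* Constructed "process memory": a request whose 2-byte payload "hi" claims to
 * be 0x30 = 48 bytes long, followed by data the peer must never see. */
static const uint8_t demo_memory[] =
    "\x01\x00\x30hi"                        /* type, length 0x0030, payload */
    "\x00\x00\x00\x00\x00\x00\x00\x00"      /* 16 bytes of padding */
    "\x00\x00\x00\x00\x00\x00\x00\x00"
    "-----BEGIN RSA PRIVATE KEY-----still-in-heap";
static const size_t demo_record_len = 1 + 2 + 2 + HB_PADDING;   /* 21 on the wire */

/* Bytes beyond the real 2-byte payload that the vulnerable handler leaked. */
long demo_leaked_bytes(void)
{
    static uint8_t out[HB_MAX_OUT];
    long n = heartbeat_vulnerable(demo_memory, demo_record_len,
                                  demo_memory + sizeof demo_memory, out, sizeof out);
    return n < 0 ? -1 : n - 2;
}

/* The fixed handler must reject the same record... */
long demo_fixed_rejects(void)
{
    static uint8_t out[HB_MAX_OUT];
    return heartbeat_fixed(demo_memory, demo_record_len, out, sizeof out);
}

/* ...and still answer an honest request whose length matches its payload. */
long demo_fixed_accepts(void)
{
    uint8_t rec[1 + 2 + 2 + HB_PADDING] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    uint8_t out[HB_MAX_OUT];
    return heartbeat_fixed(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    static uint8_t out[HB_MAX_OUT];
    long n = heartbeat_vulnerable(demo_memory, demo_record_len,
                                  demo_memory + sizeof demo_memory, out, sizeof out);
    printf("vulnerable: echoed %ld bytes, leaked tail: %.*s\n", n,
           (int)(n - 2 - HB_PADDING), out + 3 + 2 + HB_PADDING);
    printf("fixed: %ld (forged length), %ld (honest request)\n",
           demo_fixed_rejects(), demo_fixed_accepts());
    return 0;
}
```

The leak is entirely in the one line `memcpy(out + 3, p, payload)`: nothing ever compares the attacker-supplied length against the record the TLS layer actually delivered, so the response is filled from whatever follows the request in memory, which is why the 64K chunks differ from request to request. The hardened handler adds exactly that comparison and drops the record rather than erroring, so a probe gets no signal either way.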
Updating the certificate, as in requesting a new one based on the same public key, is not enough, because your private key might have been stolen. Renew your public/private key pair and then request a new certificate.
I accidentally posted my commentary in the squid blog section - summary: OpenSSL is a bloated piece of junk and there are myriad alternatives that are coded with fewer lines. With OpenSSL it isn't so much the number of lines but the terse nature of the code and comments. Very difficult to audit.
I will repeat my delight at a small virtual hosting outfit responding to my phone call this morning complaining that a client's websites were vulnerable: "we know, and we will have it patched in an hour". Of course this is days too late but as far as corporate response goes it isn't too bad.
offas • April 9, 2014 6:00 AM
"Updating the certificate, as in requesting a new one based on the same public key, is not enough, because your private key might have been stolen. Renew your public/private key pair and then request a new certificate."
Basically: It was added by a T-Systems employee (biggest telecommunication company in Germany and mostly owned by the state... ok, he did not work there at the time he wrote that code, but still a nice theory). The same person has also written the proposal for this heartbeat extension (where he admits that it does not need a payload but still implemented it for "flexibility").
And the NSA is not the only secret service that has ever tried to plant backdoors, so maybe they just did not know about it, or the people that wanted the Lavabit data did not find that exploit in the heap of other stuff they had... or maybe Lavabit was running a version without the vulnerability.
Would it make sense to have things like passwords in a different process than usernames? Just to add one more additional layer of defense (which - as far as I understand - couldn't have been breached by this bug)?
Not everything uses a vulnerable version of OpenSSL, maybe Lavabit did not. Or maybe they wanted access even if Lavabit updates OpenSSL one day or modifies whatever they use. Last possibility: the group going after Lavabit did not necessarily know about this even if other groups did. Those first weeks after Snowden might have been a bit panicky and a bit disorganized at the NSA.
Perhaps it is indeed irrelevant whether the bug was deliberately placed or not, since it may be used nevertheless. Also, people simply write stupid code sometimes. And a German programmer as an NSA agent sounds a bit far-reaching.
I'm actually more disturbed by the Microsoft closed source crypto libraries. They might contain similar bugs, but since they are closed source, there are far fewer chances that bugs in Microsoft Internet Information Server, Microsoft Crypto API, and Microsoft Schannel get fixed. With Microsoft, the NSA even has an enormous advantage: Microsoft itself claims that it had to give important design information of the crypto libraries to the NSA for reviewing. Otherwise, Microsoft could not export Windows. So the NSA might know the Windows source code, but we do not, thereby
