OpenSSL and the Heartbleed issue

Started by Aaron Hulett, April 09, 2014, 09:26:16 PM


Aaron Hulett

This is a major problem.

Quote: the SSL standard includes a heartbeat option, which allows a computer at one end of an SSL connection to send a short message to verify that the other computer is still online and get a response back. Researchers found that it's possible to send a cleverly formed, malicious heartbeat message that tricks the computer at the other end into divulging secret information. Specifically, a vulnerable computer can be tricked into transmitting the contents of the server's memory, known as RAM.
http://www.vox.com/2014/4/8/5593654/heartbleed-explainer-big-new-web-security-flaw-compromise-privacy

My understanding: 1) I send a specially crafted packet to a server that is using a vulnerable version of OpenSSL, 2) the server sends me a 64k chunk of in-memory data (OUCH!), 3) there's no log of this at the server, and 4) I can send infinite requests for whatever period of time to get a capture of everything in memory, including a) public and private key information for the cert (cert is now compromised - I can decrypt all traffic encrypted with the cert), b) usernames and passwords (my credentials are now compromised - I can now log in as various users), c) contents of emails, documents and other items I have open (my PII is compromised), and d) anything (I have no idea what information of mine or security information for the server is in memory).

Of course what's in memory depends on what's going on at the server, but because I cannot know what information was in memory at the time, I must assume anything related to my interactions with the server is compromised - at a minimum my username and password, at maximum my banking information, emails or whatever other personal information I was accessing at that server. And even if server A is okay, and server B is not, if server B reaches out to server A (such as, idunno, financial management website B reaching out to bank server A to get my current financial info) and I access that information via server B, my information at server A is now potentially compromised.

I wonder if any trusted root certificates are affected. If there are any, that is HUGE. If I have that private info, I can issue certs that will be trusted until the root cert is revoked (either because it was discovered that the trusted root info was in memory on a system affected here, or we see in-the-wild certs chaining to the trusted root cert that weren't properly issued by the root cert authority).

The fix here requires three steps. 1) Affected OpenSSL installs need to be updated to patched/unaffected versions, 2) involved certificates (whether the actual cert used to encrypt traffic or on-the-box certs that had private key information potentially in memory) must be revoked and reissued, and 3) authentication details (user credentials, etc.) need to be reset. Until 1 and 2 are addressed, no need to do 3 as it will be pointless.

Stand by for a massive wave of cert revocations and reissues - good that we have this mechanism in place, bad that it'll be such a wide scale event.
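Added here as an illustration of the mechanism Aaron describes (not code from this thread, and not OpenSSL's own source): an RFC 6520 heartbeat record is a 1-byte type, a 2-byte declared payload length, the payload, and at least 16 bytes of padding. The unchecked responder trusts the declared length and copies past the end of the record into a constructed buffer standing in for whatever followed it in process memory; the checked responder applies the bounds test the patched OpenSSL release added and discards the record instead.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1   # RFC 6520 HeartbeatMessageType heartbeat_request
PADDING_MIN = 16        # RFC 6520: padding must be at least 16 bytes


def build_heartbeat(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build a heartbeat record. A caller may pass a declared_len that differs
    from the real payload size to construct a malformed record for testing."""
    if declared_len is None:
        declared_len = len(payload)
    header = struct.pack("!BH", HEARTBEAT_REQUEST, declared_len)
    return header + payload + b"\x00" * PADDING_MIN


def respond_unchecked(record: bytes, memory_after_record: bytes) -> bytes:
    """Pre-fix behaviour: echo declared_len bytes from the payload offset
    without confirming that many bytes were actually received.
    memory_after_record is a constructed stand-in for the heap bytes that
    happened to sit after the record in a real server process."""
    _, declared = struct.unpack("!BH", record[:3])
    view = record + memory_after_record      # the bytes the copy can reach
    return view[3:3 + declared]              # runs past the record if declared is too big


def respond_checked(record: bytes) -> Optional[bytes]:
    """Patched behaviour: the declared length plus header and minimum padding
    must fit inside the bytes actually received, otherwise drop the record."""
    if len(record) < 3:
        return None                          # too short to carry a header
    _, declared = struct.unpack("!BH", record[:3])
    if 1 + 2 + declared + PADDING_MIN > len(record):
        return None                          # malformed: silently discard
    return record[3:3 + declared]


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    secret_heap = b"user=alice;pass=hunter2;" * 4
    good = build_heartbeat(b"hello")
    bad = build_heartbeat(b"hello", declared_len=64)
    print("checked, well-formed:", respond_checked(good))
    print("checked, malformed  :", respond_checked(bad))
    print("unchecked, malformed:", respond_unchecked(bad, secret_heap))
```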

Corrine



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Corrine

Added by a friend at another site:

Another checker:  https://github.com/musalbas/heartbleed-masstest/blob/master/top10000.txt

or head to filehippo and type in a URL for a site here:  http://filippo.io/Heartbleed/



JDBush61

Saw this news via CNN satellite this morning and what surprised me was that it received only 15 seconds airtime ... then on to sports.
I thought to myself "Hmmm, that sounds like a big problem. Whoever blinked, missed the report. Amazing."

Corrine, your filippo link reported that google.com was not affected, yet yahoo is compromised. Do I need to change my yahoo password now, or wait?
"In an age when mass society has rendered obsolete the qualities of individual courage and independent thought, the oceans of the world still remain, vast and uncluttered, beautiful but unforgiving, awaiting those who will not submit. Their voyages are not an escape, but a fulfillment."

~ THE SLOCUM SOCIETY ~

Aaron Hulett

Short answer: go ahead and change it now.

Long answer: affected websites need to do two things. First, the OpenSSL installation needs to be updated so that the problem is fixed. Second, the SSL certificate that is used to secure the connection has to be reissued. In Yahoo's case, the web servers have been updated and the certificate reissued. You can check the website by using the link Corrine provided, and you can check the certificate by going to https://www.yahoo.com and then clicking the padlock in the address bar to view the certificate (it'll say Issued On / Valid From... - if it's 4/8/2014 or later it's a decent assumption that it's been reissued).

JDBush61

Thank you, Aaron. I took your advice and changed my password.

Best regards

Basil

I have heard about this bug, but it is only today I came across a couple of articles.
Quote: Heartbleed is a catastrophic bug that affects thousands of sites and services across the internet, but what is it, and what do you need to do about it to protect yourself from cybercriminals?

According to security researchers, around half a million sites worldwide are rendered insecure by the bug. "Catastrophic is the right word," commented Bruce Schneier, an independent security expert. "On the scale of 1 to 10, this is an 11."

Heartbleed bug: what do you actually need to do to stay secure? | Technology | theguardian.com

Heartbleed bug: Am I at risk and do I really have to change my password? - Gadgets & Tech - Life & Style - The Independent

pastywhitegurl

Quote: ... In essence, the bug potentially exposed your username and password on sites like Facebook, Google, Pinterest, and more.

What's the best wisdom on how to respond to this currently?

I found this article from CNET:
http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

This supposedly has a live updated listing of sites that have been patched.

Edit: sorry... just found this topic now:
http://www.landzdown.com/web-news/openssl-and-the-heartbleed-issue/msg166001/#msg166001


Corrine

No problem.  I merged your post to the original topic. 



Paddy

This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.

Aaron Hulett

I'll try to simplify:

Do you use the Internet and enter passwords anywhere? You need to change your password at the affected sites (at some magical point when you know it's fixed). You also need to change your passwords everywhere else because you probably used the same password(s) everywhere.

I've never had to change my passwords everywhere at once before (I doubt my passwords everywhere given how a bunch of my accounts interconnect with other accounts: Microsoft account integration with Facebook, for example). I'm getting a password management tool... as soon as I figure out what one I want to go with.

What a mess.

//A

Corrine

I use a different password everywhere but do NOT accept the offer at sites to use my Facebook or other account to register. 

Of interest:  Microsoft Services unaffected by OpenSSL "Heartbleed" vulnerability.

Aaron, here's an option to add to the list of password management tools to consider:  F-Secure KEY | The personal assistant for all your login needs | F-Secure



Aaron Hulett

F-Secure KEY looks cool but doesn't have a Windows Phone app. I'm currently checking out LastPass - looks promising.

JDBush61

Quote from: Aaron Hulett [MSFT] on April 11, 2014, 06:09:32 PM
F-Secure KEY looks cool but doesn't have a Windows Phone app. I'm currently checking out LastPass - looks promising.

I've been a Norton 360 subscriber for years, yet have never (before now, that is) bothered to use the included Identity Safe password manager. Is it any good? ... and safe, in comparison to F-Secure and LastPass?

Corrine

Hopefully someone will know, John.  I've never used a Symantec product.  It is shown as being free and is another that doesn't support Windows Phone.  https://identitysafe.norton.com/features

