OpenSSL "Heartbleed" Bug: Security hole can reveal client memory, breaking a huge chunk of encryption
[QUOTE=supersnail11;44501639]Any information is information an attacker can get, and information a programmer might misuse (like writing every error to a logfile and never removing it - really easy to leak sensitive information that way). This might be a little overboard, but it's the idea behind it.[/QUOTE]
What? If an attacker can just read information on your system then your system is compromised. You're seriously trying to argue that logging is inherently bad? Do you have a source that people can just read data on your "secure" system?
[quote]
Sure, they should've cleared the memory, but [URL="https://en.wikipedia.org/wiki/Data_remanence"]data remanence[/URL] is a serious problem and making sure your sensitive data isn't accessible after it's needed is important. Do you have a source on whether it was for caching purposes or not?
[/quote]
Yeah, and data remanence is countered by zeroing the data, as specified in what you just linked. They should zero any secure data before freeing it, and before using it, if they really can't have other programs potentially reading it.
Also, no I don't have a source for the cache thing which is why I said I'm "pretty sure." Reallocating recently deallocated chunks of memory is making smart use of temporal locality.
[quote]
I think he meant obfuscating as in "attempting to make the code unreadable" instead of "accidentally making the code unreadable."
[/quote]
Who knows, I was reading the source code on github for both the bug and the fix and it's somewhat confusing. There are definitely better written programs out there.
You can read it yourself, here: [URL]https://github.com/openssl/openssl/commit/731f431497f463f3a2a97236fe0187b11c44aead[/URL]
[quote]
Using malloc has different results depending on the platform, and you can't always trust the OS with it. It might allocate memory in a place that other applications can read, or you won't know where it allocated the memory (making it difficult to make sure you deleted it later). It might interfere with the calling application. Again, do you have a source on the lack of testing?[/quote]
Memory isolation is a high level OS abstraction. Other programs shouldn't be able to read or reallocate memory that you have allocated in accordance with the OS. malloc itself doesn't even guarantee memory isolation, that's totally up to the OS to implement.
[URL]http://pubs.opengroup.org/onlinepubs/9699919799/functions/malloc.html[/URL]
The source is from Theo de Raadt, linked earlier:
[quote]OH, because SOME platforms have slow performance, it means even if you
build protective technology into malloc() and free(), it will be
ineffective. On ALL PLATFORMS, because that option is the default,
and Ted's tests show you can't turn it off because they haven't tested
without it in ages.
[/quote]
I don't use OpenSSL, am I safe?
[QUOTE=Crash155;44502168]I don't use OpenSSL, am I safe?[/QUOTE]
Not if you use services that use OpenSSL.
[QUOTE=LSK;44500888]Wow really? You should always be able and willing to cite your sources in an argument, if you aren't it's fair to assume your statements are bullshit. Tell that to a college professor and see what they have to say about it.
I'm not saying you're wrong about OpenSSL, I don't know because you haven't told us anything, but what I've bolded is completely absurd. The guy above me has the right idea. We just wanted to know what you were talking about you know?[/QUOTE]
I didn't have much time on my hands so I didn't compile a list. I'm not turning this into a professor, but if you simply put a few minutes into google you'd be able to do it yourself. But it's pretty much exposed now so w/e
steam is vulnerable.
[QUOTE=Covalency;44502427]steam is vulnerable.[/QUOTE]
It was already patched.
Is there a site we can use to check to see what site is affected?
[QUOTE=robotman5;44503042]Is there a site we can use to check to see what site is affected?[/QUOTE]
[url]http://filippo.io/Heartbleed/[/url]
[QUOTE=sloppy_joes;44502153]What? If an attacker can just read information on your system then your system is compromised. You're seriously trying to argue that logging is inherently bad? Do you have a source that people can just read data on your "secure" system?[/quote]
It's illogical to assume that an attacker might, at some point, gain access to your log files? I'm not trying to say that logging is inherently bad, but logging anything more than "something went wrong" in a place where security is of top importance can give the attacker an advantage (logging "something went wrong during authentication" can make it easier for an attacker to know which parts of their forged message are incorrect; "message out of sequence" makes it even easier). I'm not saying there shouldn't be the option in the library, but going with the "if you give them the choice, they'll choose wrong" philosophy, if you gave programmers the option to log everything, they'll log [i]everything[/i].
[quote]Memory isolation is a high level OS abstraction. Other programs shouldn't be able to read or reallocate memory that you have allocated in accordance with the OS. malloc itself doesn't even guarantee memory isolation, that's totally up to the OS to implement.[/quote]
In some cases, shared memory is automatically created if two processes load a shared library. There's also the risk of having your secrets get swapped out in memory (that is, put into the swap/page file), meaning you just wrote your secrets to disk, unencrypted. You can prevent this with operating system-specific calls, but malloc doesn't do this (obviously, the default behavior is to swap memory out). There are good reasons for writing your own allocator.
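Two points from the posts above, zeroing secrets before freeing them (the data remanence post) and keeping them out of the swap file with OS-specific calls (this post), in one added C example that is not from the thread or from OpenSSL. It assumes a POSIX system with mlock/munlock; the helper names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Zero a buffer through a volatile pointer so the compiler cannot
 * drop the store as a "dead write" before free(). Platforms that
 * provide explicit_bzero() or memset_s() can use those instead. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Allocate and pin the pages so the secret is never written to swap.
 * mlock() can fail (RLIMIT_MEMLOCK); we refuse to hand out unpinned
 * memory rather than silently degrade. */
void *secure_alloc(size_t n) {
    void *p = malloc(n);
    if (p == NULL) return NULL;
    if (mlock(p, n) != 0) { free(p); return NULL; }
    return p;
}

/* Wipe, unpin, then release: the reverse of secure_alloc(). Plain
 * free() alone would leave the bytes in the heap for the next caller. */
void secure_free(void *p, size_t n) {
    if (p == NULL) return;
    secure_zero(p, n);
    munlock(p, n);
    free(p);
}

/* Returns 1 if every byte in the buffer is zero, else 0. */
int is_all_zero(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* Demo on a stack buffer holding a constructed 32-byte secret (0x41):
 * returns 1 when secure_zero() has cleared it. */
int demo_zeroing(void) {
    unsigned char secret[32];
    memset(secret, 0x41, sizeof secret);
    if (is_all_zero(secret, sizeof secret)) return 0;   /* sanity check */
    secure_zero(secret, sizeof secret);
    return is_all_zero(secret, sizeof secret);
}
```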
[QUOTE=Map in a box;44502425]I didn't have much time on my hands so I didn't compile a list. I'm not turning this into a professor, but if you simply put a few minutes into google you'd be able to do it yourself. But it's pretty much exposed now so w/e[/QUOTE]
I've put a few minutes into google and I don't have anything, why don't you put a few minutes in yourself and back up your arguments?
Just wondering, I've noticed a ton of sites missing the https: now I assume it is to do with this?
[QUOTE=Alex141;44503281]Just wondering, I've noticed a ton of sites missing the https: now I assume it is to do with this?[/QUOTE]
If you stop using TLS because of this, you've basically gone from "crippled security" to "no security at all." All they have to do is upgrade to 1.0.1g.
Actually never mind I'm being over cautious. SSL only runs on pages where it is required. Dopey me. I thought maybe Chrome had done something, or sites had just turned off SSL temporarily
[QUOTE=Alex141;44503281]Just wondering, I've noticed a ton of sites missing the https: now I assume it is to do with this?[/QUOTE]
Possibly, but it's not exactly a good solution to the problem, if it could even be considered a solution. Now the web pages aren't secured at all.
[QUOTE=ShaunOfTheLive;44503060][URL]http://filippo.io/Heartbleed/[/URL][/QUOTE]
You should be aware of two things when using this site:
1) It could be an elaborate trap to get you to exploit servers to get data (doubt it)
2) It may be illegal for you to do it on a site that you do not own, this isn't like a version check or something it actively runs the exploit against the server you give it and lets you know if it returns anything.
I don't know about the rest of the world but in the UK I am 99% sure (but IANAL) that it would contravene the law (actual law: "he causes a computer to perform any function with intent to secure access to any program or data held in any computer").
[editline]10th April 2014[/editline]
[QUOTE=Alex141;44503281]Just wondering, I've noticed a ton of sites missing the https: now I assume it is to do with this?[/QUOTE]
It is possible, some sites may have removed OpenSSL till they patch it.
So what is the best course of action at the moment? Changes passwords or wait?
[QUOTE=Alex141;44503613]So what is the best course of action at the moment? Changes passwords or wait?[/QUOTE]
IMO the people suggesting you should change your passwords are wrong. It's also quite pointless if you change your password and the site hasn't updated yet.
Again IMO you should only change your password if you know something you use has been compromised by this (for example I wouldn't blame every single steam dev changing their password).
[QUOTE=Jsm;44503545]You should be aware of two things when using this site:
1) It could be an elaborate trap to get you to exploit servers to get data (doubt it)
2) It may be illegal for you to do it on a site that you do not own, this isn't like a version check or something it actively runs the exploit against the server you give it and lets you know if it returns anything.
I don't know about the rest of the world but in the UK I am 99% sure (but IANAL) that it would contravene the law (actual law: "he causes a computer to perform any function with intent to secure access to any program or data held in any computer").
[editline]10th April 2014[/editline]
It is possible, some sites may have removed OpenSSL till they patch it.[/QUOTE]
Well it's on github so I doubt it's a trap. And it's not illegal, at least in the US.
What precautions should we be taking? while they fix this?
[QUOTE=Map in a box;44503760]Well it's on github so I doubt its a trap. And it's not illegal, at least in the US.[/QUOTE]
So you are telling me that in the US you can run exploits which retrieve data from a server nice and legally?
I don't think so.
[QUOTE=robotman5;44503787]What precautions should we be taking? while they fix this?[/QUOTE]
Unless you're a target, there is a very low chance that people will steal your password. Other than that, you can't do anything.
[QUOTE=supersnail11;44503797]Unless you're a target, there is a very low chance that people will steal your password. Other than that, you can't do anything.[/QUOTE]
But I could just stay off the internet for a few days? And come back and see if they fixed it by then? I just wanna play it safe at the moment.
Also guys the wikipedia page for Heartbleed has got a fucking porn picture on it...
[QUOTE=robotman5;44503811]But i could just stay off the internet for a few days? and come back and see if they fixed it by then? i just wanna play it safe at the moment.[/QUOTE]
Sure, you could, but you wouldn't really accomplish anything by doing that.
[QUOTE=supersnail11;44503816]Sure, you could, but you wouldn't really accomplish anything by doing that.[/QUOTE]
Well I will just stay on and watch to see if anything happens to my things.
[QUOTE=robotman5;44503811]But i could just stay off the internet for a few days? and come back and see if they fixed it by then? i just wanna play it safe at the moment.
Also guys the wikipedia page for Heartbleed has got a fucking porn picture on it...[/QUOTE]
It's been fixed, the patch has been out there since just before the announcement of it. I assume any major site that is likely to be targeted has been fixed already.
[QUOTE=Jsm;44503545]2) It may be illegal for you to do it on a site that you do not own, this isn't like a version check or something it actively runs the exploit against the server you give it and lets you know if it returns anything.
I don't know about the rest of the world but in the UK I am 99% sure (but IANAL) that it would contravene the law (actual law: "he causes a computer to perform any function with intent to secure access to any program or data held in any computer").[/QUOTE]
Interesting. I'm sure it is technically illegal, but I doubt any law enforcement would go after the users. The guy hosting the script could definitely be in trouble though. If they got a subpoena and brought users in to court, they'd have to prove "intent to secure access to any program or data held in any computer". By using the script, the user didn't get access to anything, except knowledge that an attack is possible. If the user never directly attempted to exploit the server after gaining that information, then it's hard to prove intent.
Oh, also, if it's illegal to use, then [URL="http://www.latimes.com/business/technology/la-fi-tn-heartbleed-test-check-safe-sites-20140409,0,2218732.story"]this LA Times writer[/URL] just incriminated himself.
[QUOTE=ShaunOfTheLive;44503899]Interesting. I'm sure it is technically illegal, but I doubt any law enforcement would go after the users. The guy hosting the script could definitely be in trouble though. If they got a subpeona and brought users in to court, they'd have to prove "intent to secure access to any program or data held in any computer". By using the script, the user didn't get access to anything, except knowledge that an attack is possible. If the user never directly attempted to exploit the server after gaining that information, then it's hard to prove intent.
Oh, also, if it's illegal to use, then [URL="http://www.latimes.com/business/technology/la-fi-tn-heartbleed-test-check-safe-sites-20140409,0,2218732.story"]this LA Times writer[/URL] just incriminated himself.[/QUOTE]
When I tested it on my site it showed me (some of) the contents of the memory it retrieved. You are right, no one is ever going to go after the users of it; the main issue with this exploit is there is [B]no[/B] way at all to detect someone doing it to you.
But I think people should be aware that they may be doing something potentially illegal.
Are tests like those necessary though? Make sure to update, make sure it's the correct version, and reboot your server. Should be good to go at that point.
Is there a list of the 'big' sites that were (or still are) vulnerable to this somewhere? Like outlook, google, youtube, facebook, paypal, etc? I checked the OP and skimmed the whole thread and couldn't find anything like that.
[QUOTE=PsiSoldier;44504165]is there a list of the 'big' sites that were (or still are) vulnerable to this somewhere? like outlook, google, youtube, facebook, paypal, etc? i checked the OP and skimmed the whole thread and couldn't find anything like that.[/QUOTE]
Pretty sure most big sites were warned about the exploit before it went public. I know that Yahoo wasn't warned, but they've updated their services already.
[QUOTE=Jsm;44503795]So you are telling me that in the US you can run exploits which retrieve data from a server nice and legally?
I don't think so.[/QUOTE]
If it's without malicious intent, yes it's legal for educational purposes only.