Solved

heartbleed

Posted on 2014-04-09
8
383 Views
Last Modified: 2014-04-10
So for this Heartbleed problem with SSL: would it help protect you if you are using a VPN to connect to an SSL site that might be compromised?
0
Question by:JeffBeall
8 Comments
 
LVL 6

Assisted Solution

by:Hassan Besher
Hassan Besher earned 166 total points
ID: 39990284
If the site offers VPN, that's great,
but as long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

https://www.openssl.org/news/secadv_20140407.txt
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 39990904
Best check if the site is affected: http://filippo.io/Heartbleed/

VPN protects you from getting sniffed, but does the VPN really go from your computer to the server where it is decrypted? Or do you use a VPN to an endpoint at some different location?

I doubt there are VPN solutions that terminate at a server that is also hosting a website you want to access, so one would have to use independent VPN solutions for all affected hosts one needs to use.
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39991188
If your VPN is not based on the same SSL library, it should help. But anyway, exploiting this vulnerability to hijack somebody else's session on a website requires actually being able to sniff the corresponding traffic in the first place. Why do you think you are concerned? Are we talking about HTTPS or something else?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 39991254
The heartbeat is only active starting with TLS 1.1. I doubt that is an issue with VPN itself.
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39991408
Why? All OpenSSL-based VPNs in the world use other SSL versions?

I hardly believe Heartbleed is an issue at all for anybody here, but then I guess I'm not the one to decide who is concerned.

BTW, you can disable heartbeat at compile time.
0
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 167 total points
ID: 39991763
OK, right. If you use a VPN solution that relies on OpenVPN (client/server) you should consider changing the server SSL certificate if the server uses an OpenSSL version in this range:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

But the original question was whether a user who uses a VPN to connect to a server is safe from having his connection data sniffed, and I say: as long as a man-in-the-middle attack is possible, a VPN connection will not help you here.

Of course, if you use OpenVPN (using OpenSSL with a version listed above) even your VPN connection can be compromised, as long as OpenSSL was compiled with the heartbeat extension.

All details here: http://heartbleed.com (cool, its own website for a bug, not bad...)

Tolomir
0
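The version range quoted in the comment above (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed) is easy to get wrong by eye across a fleet of VPN gateways and web hosts. The following is an added example, not code from the thread or from OpenSSL: it parses the output of `openssl version` (or a bare version string) and flags hosts whose OpenSSL falls inside that range. The helper names and the host inventory are constructed for illustration; only the 1.0.1 release line named in the thread is checked.

```python
"""Classify OpenSSL version strings against the Heartbleed-affected range
quoted in the thread: 1.0.1 through 1.0.1f inclusive, 1.0.1g is the fix.

Added example, not code from the original thread. The helper names and the
sample inventory below are constructed for illustration.
"""
import re

# Pulls a version token such as "1.0.1e" or "1.0.1" out of either a bare
# string or the full output of `openssl version`, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_TOKEN = re.compile(r"\b(\d+\.\d+\.\d+[a-z]*(?:-[\w.]+)?)")

# Splits the token into major.minor.fix plus the optional patch letter;
# a trailing "-beta1"-style suffix is accepted but otherwise ignored.
_VERSION_PARTS = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-.*)?$")


def parse_openssl_version(text: str):
    """Return (major, minor, fix, patch_letter) from a version string or
    from `openssl version` output. Raises ValueError if none is found."""
    token = _VERSION_TOKEN.search(text)
    if not token:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    parts = _VERSION_PARTS.match(token.group(1))
    if not parts:
        raise ValueError(f"unparseable OpenSSL version {token.group(1)!r}")
    major, minor, fix, patch = parts.groups()
    return int(major), int(minor), int(fix), patch


def is_heartbleed_vulnerable_version(text: str) -> bool:
    """True when the version lies in 1.0.1 .. 1.0.1f (inclusive).

    Only the 1.0.1 release line named in the thread is considered: the 1.0.0
    and 0.9.8 lines never had the heartbeat code, and 1.0.1g and later
    carry the fix. Patch letters in this line are single letters, so a
    plain string comparison against "f" is sufficient.
    """
    major, minor, fix, patch = parse_openssl_version(text)
    if (major, minor, fix) != (1, 0, 1):
        return False
    return patch == "" or patch <= "f"


# Constructed inventory: host name -> output of `openssl version` on that host.
SAMPLE_INVENTORY = {
    "vpn-gw-1": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-1": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-proxy": "OpenSSL 0.9.8y 5 Feb 2013",
    "dev-box": "OpenSSL 1.0.1 14 Mar 2012",
}


def hosts_needing_action(inventory: dict) -> list:
    """Sorted host names whose reported OpenSSL is in the vulnerable range.

    "Action" per the thread means: deploy the fixed OpenSSL, restart every
    service that loaded the old library, and re-issue the server certificate
    (and any other secret the process held in memory).
    """
    return sorted(
        host for host, version in inventory.items()
        if is_heartbleed_vulnerable_version(version)
    )


if __name__ == "__main__":
    for host in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> patch, restart, re-key")
```

One caveat when using a check like this on real hosts: several distributions backported the fix while keeping the upstream version string (a patched package can still report 1.0.1e), so a match here says "investigate", and the package changelog or build date decides. Conversely, a fixed library on disk does not help a long-running process that still has the old one mapped, so the restart step matters as much as the upgrade.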
 
LVL 26

Accepted Solution

by:skullnobrains
skullnobrains earned 167 total points
ID: 39992800
If you tunnel an SSL or other connection over a VPN that does not suffer the same security issue, MITM attacks are impossible. If you do, achieving such a MITM attack inside a second one is hardly feasible.
0
 
LVL 1

Author Closing Comment

by:JeffBeall
ID: 39993209
Thank you.
0