Solved

heartbleed

Posted on 2014-04-09
Last Modified: 2014-04-10
So for this Heartbleed problem with SSL - would it help protect you if you are using a VPN to connect to an SSL site that might be compromised?
0
Question by:JeffBeall
8 Comments
 
LVL 6

Assisted Solution

by:Hassan Besher
Hassan Besher earned 166 total points
ID: 39990284
If the site offers VPN that's great, but as long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

https://www.openssl.org/news/secadv_20140407.txt
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 39990904
Best check if the site is affected: http://filippo.io/Heartbleed/

VPN protects you from getting sniffed, but does VPN really go from your computer to the server where it is decrypted? Or do you use VPN to an endpoint at some different location?

I doubt there are VPN solutions that terminate at a server that is also hosting a website you want to access; in that way one has to use independent VPN solutions for all affected hosts one needs to use.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39991188
If your VPN is not based on the same SSL library, it should help. But anyway, exploiting this vulnerability to hijack somebody else's session on a website requires being actually able to sniff the corresponding traffic in the first place. Why do you think you are concerned? Are we talking about HTTPS or something else?
0

 
LVL 27

Expert Comment

by:Tolomir
ID: 39991254
The heartbeat is only active starting with TLS 1.1. I doubt that is an issue with VPN itself.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39991408
Why? All OpenSSL-based VPNs in the world use other SSL versions?

I hardly believe Heartbleed is an issue at all for anybody here, but then I guess I'm not the one to decide who is concerned.

BTW, you can disable heartbeat at compile time.
0
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 167 total points
ID: 39991763
OK, right. If you use a VPN solution that relies on OpenVPN (client server) you should consider changing the server SSL certificate if the server uses OpenSSL version:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

But the original question was if a user uses VPN to connect to a server, is he safe from sniffing of his connection data, and I say, as long as a man-in-the-middle attack is possible a VPN connection will not help you here.

Of course if you use OpenVPN (using OpenSSL with a version see above) even your VPN connection can be compromised as long as OpenSSL was compiled with the heartbeat extension.

All details here: http://heartbleed.com (cool, its own website for a bug, not bad...)

Tolomir
0
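An added example, not code from any poster in this thread: a check of `openssl version -a` output against the version range quoted above (1.0.1 through 1.0.1f) and against the compile-time switch `-DOPENSSL_NO_HEARTBEATS` named in the OpenSSL advisory linked earlier. The sample outputs are constructed, the function names are hypothetical, and releases outside the quoted range (for example betas of later branches) are not evaluated.

```python
import re

# Range quoted in the thread: OpenSSL 1.0.1 through 1.0.1f (inclusive).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")
NO_HEARTBEAT_FLAG = "-DOPENSSL_NO_HEARTBEATS"  # removes the heartbeat extension at build time


def in_quoted_range(version_line):
    """True for 1.0.1 and 1.0.1a..1.0.1f, False for anything else."""
    m = VERSION_RE.search(version_line)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % version_line)
    numbers = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter = m.group(4)
    if numbers != (1, 0, 1):
        return False
    return letter == "" or (len(letter) == 1 and letter <= "f")


def assess(version_output):
    """Classify the text printed by `openssl version -a`."""
    lines = version_output.strip().splitlines()
    if not lines:
        raise ValueError("empty version output")
    if not in_quoted_range(lines[0]):
        return "outside quoted range"
    # Build flags appear on the "compiler:" line of `openssl version -a`.
    compiler = " ".join(l for l in lines if l.startswith("compiler:"))
    if NO_HEARTBEAT_FLAG in compiler.split():
        return "in range, heartbeat compiled out"
    # Distribution packages can carry a backported fix under an unchanged
    # upstream version, so confirm this result against the vendor advisory.
    return "in range, heartbeat enabled"


# Constructed sample outputs (not captured from real hosts).
SAMPLE_IN_RANGE = """OpenSSL 1.0.1e 11 Feb 2013
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2 -Wall
"""
SAMPLE_NO_HEARTBEAT = SAMPLE_IN_RANGE.replace("-O2", "-DOPENSSL_NO_HEARTBEATS -O2")
SAMPLE_FIXED = SAMPLE_IN_RANGE.replace("1.0.1e 11 Feb 2013", "1.0.1g 7 Apr 2014")

if __name__ == "__main__":
    for sample in (SAMPLE_IN_RANGE, SAMPLE_NO_HEARTBEAT, SAMPLE_FIXED):
        print(sample.splitlines()[0], "->", assess(sample))
```

An "in range, heartbeat enabled" result on a VPN or web server is the case where the certificate replacement suggested above applies once the library has been updated.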
 
LVL 27

Accepted Solution

by:skullnobrains
skullnobrains earned 167 total points
ID: 39992800
If you tunnel an SSL or other connection over a VPN that does not suffer the same security issue, MIM attacks are impossible. If you do, achieving such a MIM attack inside a second one is hardly feasible.
0
 
LVL 1

Author Closing Comment

by:JeffBeall
ID: 39993209
thank you.
0
