heartbleed

so for this heartbleed problem with ssl - would it help protect you if you are using a vpn to connect to a ssl site that might be compromised?
LVL 1
JeffBeallAsked:
Who is Participating?
 
skullnobrainsConnect With a Mentor Commented:
If you tunnel an ssl or other connection over a vpn that does not suffer the same security issue, mim attacks are impossible. If you do achieving such a mim attack inside asecond one is hardy feasible
0
 
Hassan BesherConnect With a Mentor Commented:
if the site offers VPN that's great ,
but As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

https://www.openssl.org/news/secadv_20140407.txt
0
 
TolomirAdministratorCommented:
Best check if the site is affected: http://filippo.io/Heartbleed/

VPN protects you from getting sniffed, but does vpn really go from you computer to the server where it is decrypted? Or do you use vpn to an endpoint at some different location?

I doubt there are vpn solutions that terminate at a server that is also hosting a website you want to access, in that way one has to use independent vpn solutions for all affected hosts one needs to use.
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
skullnobrainsCommented:
if your VPN is not based on the same SSL library, it should help. but anyway, exploiting this vulnerability to hijack somebody else's session on a website requires to be actually able to sniff the corresponding traffic in the first place. why do you think you are concerned ? are we talking about https or something else ?
0
 
TolomirAdministratorCommented:
The heatbeat is only active starting with TLS 1.1. I doubt that is an issue with VPN itself.
0
 
skullnobrainsCommented:
why ? all openssl-based vpns in the world use other ssl versions ?

i hardly believe heartbleed is an issue at all for anybody here, but then i guess i'm not the one to decide who is concerned

btw, you can disable heartbeat at compile time
0
 
TolomirConnect With a Mentor AdministratorCommented:
ok, right. If you use a vpn solution that relies on openvpn (client server) you should consider to change the server ssl certificate if the server uses openssl version:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

But the original question was if a user uses vpn to connect to a server is he safe from sniffing his connection data and I say, as long as there a man in the middle attack is possible a vpn connection will not help you here.

Of cause if you use openvpn (using openssl with a version see above) even your vpn connection can be compromised as long as openssl was compiled with the heartbeat extension.

All details here: http://heartbleed.com (cool an own website for a bug, not bad...)

Tolomir
0
 
JeffBeallAuthor Commented:
thank you.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.