Solved

heartbleed

Posted on 2014-04-09
8
387 Views
Last Modified: 2014-04-10
So for this Heartbleed problem with SSL - would it help protect you if you are using a VPN to connect to an SSL site that might be compromised?
0
Question by:JeffBeall
8 Comments
 
LVL 6

Assisted Solution

by:Hassan Besher
Hassan Besher earned 166 total points
ID: 39990284
If the site offers VPN that's great, but as long as the vulnerable version of OpenSSL is in use it can be abused. A fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors, and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

https://www.openssl.org/news/secadv_20140407.txt
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 39990904
Best check if the site is affected: http://filippo.io/Heartbleed/

VPN protects you from getting sniffed, but does the VPN really go from your computer to the server where it is decrypted? Or do you use a VPN to an endpoint at some different location?

I doubt there are VPN solutions that terminate at a server that is also hosting a website you want to access; in that way one would have to use independent VPN solutions for all affected hosts one needs to use.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39991188
If your VPN is not based on the same SSL library, it should help. But anyway, exploiting this vulnerability to hijack somebody else's session on a website requires actually being able to sniff the corresponding traffic in the first place. Why do you think you are concerned? Are we talking about HTTPS or something else?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 39991254
The heartbeat is only active starting with TLS 1.1. I doubt that it is an issue with the VPN itself.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39991408
Why? Do all OpenSSL-based VPNs in the world use other SSL versions?

I hardly believe Heartbleed is an issue at all for anybody here, but then I guess I'm not the one to decide who is concerned.

BTW, you can disable heartbeat at compile time.
0
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 167 total points
ID: 39991763
OK, right. If you use a VPN solution that relies on OpenVPN (client/server) you should consider changing the server SSL certificate if the server uses an OpenSSL version in this range:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

But the original question was whether a user who uses a VPN to connect to a server is safe from having his connection data sniffed, and I say, as long as a man-in-the-middle attack is possible, a VPN connection will not help you here.

Of course if you use OpenVPN (using OpenSSL with a version as above) even your VPN connection can be compromised as long as OpenSSL was compiled with the heartbeat extension.

All details here: http://heartbleed.com (cool, its own website for a bug, not bad...)

Tolomir
0
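The two checks discussed in this thread (the vulnerable version range 1.0.1 through 1.0.1f, and whether heartbeat was compiled out as skullnobrains mentioned) can be scripted against the output of `openssl version` and `openssl version -f`. The following shell script is an added example and not code from the thread or from the OpenSSL project. It assumes the version banner format `OpenSSL <version> <date>`, treats `1.0.2-beta1` as vulnerable (the OpenSSL advisory says 1.0.2 is fixed in beta2), and looks for the `-DOPENSSL_NO_HEARTBEATS` build flag that the advisory documents as the compile-time mitigation. The sample banners at the bottom are constructed for a stand-alone run.

```shell
#!/bin/sh
# Added example (not from the thread): classify an OpenSSL version banner
# against the Heartbleed-affected range and check whether heartbeats were
# compiled out. Assumes banners look like "OpenSSL 1.0.1e 11 Feb 2013".

# Usage: heartbleed_version_status "$(openssl version)"
# Prints one of: vulnerable, fixed, unaffected
heartbleed_version_status() {
    # The version is the second whitespace-separated field of the banner.
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$ver" in
        1.0.2-beta1*) echo vulnerable ;;   # per the advisory, fixed in 1.0.2-beta2
        1.0.2*)       echo unaffected ;;   # 1.0.2-beta2 and later
        1.0.1[g-z]*)  echo fixed ;;        # 1.0.1g carries the fix
        1.0.1*)       echo vulnerable ;;   # 1.0.1, 1.0.1a-f, incl. "-fips" suffixes
        *)            echo unaffected ;;   # 0.9.8, 1.0.0, 1.1.x never had the bug
    esac
}

# Usage: heartbeat_compiled_out "$(openssl version -f)"
# Returns 0 if the build flags contain -DOPENSSL_NO_HEARTBEATS, else 1.
heartbeat_compiled_out() {
    case "$1" in
        *-DOPENSSL_NO_HEARTBEATS*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# Usage: heartbleed_exposure "$(openssl version)" "$(openssl version -f)"
# Prints "exposed" only when the version is in range AND the heartbeat
# extension was not compiled out; otherwise "not-exposed".
heartbleed_exposure() {
    status=$(heartbleed_version_status "$1")
    if [ "$status" = vulnerable ] && ! heartbeat_compiled_out "$2"; then
        echo exposed
    else
        echo not-exposed
    fi
}

# Constructed sample inputs so the script runs without a local OpenSSL.
sample_banner='OpenSSL 1.0.1e 11 Feb 2013'
sample_flags='compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O3'
printf '%s -> %s\n' "$sample_banner" "$(heartbleed_version_status "$sample_banner")"
printf 'exposure: %s\n' "$(heartbleed_exposure "$sample_banner" "$sample_flags")"
```

One caveat a practitioner needs: several distributions backported the fix without changing the banner (a patched Debian or Red Hat package can still report 1.0.1e), so a "vulnerable" result from the banner alone means "verify at the package level", not "confirmed exposed"; the online checker Tolomir linked tests the live service and does not have that blind spot.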
 
LVL 27

Accepted Solution

by:skullnobrains
skullnobrains earned 167 total points
ID: 39992800
If you tunnel an SSL or other connection over a VPN that does not suffer the same security issue, MITM attacks are impossible. If you do, achieving such a MITM attack inside a second one is hardly feasible.
0
 
LVL 1

Author Closing Comment

by:JeffBeall
ID: 39993209
Thank you.
0
