Solved

heartbleed

Posted on 2014-04-09
380 Views
Last Modified: 2014-04-10
so for this heartbleed problem with ssl - would it help protect you if you are using a vpn to connect to a ssl site that might be compromised?
Question by:JeffBeall
8 Comments
 
LVL 6

Assisted Solution

by:Hassan Besher
Hassan Besher earned 166 total points
If the site offers VPN, that's great,
but as long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors, and independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

https://www.openssl.org/news/secadv_20140407.txt
 
LVL 27

Expert Comment

by:Tolomir
Best check if the site is affected: http://filippo.io/Heartbleed/

VPN protects you from getting sniffed, but does the VPN really go from your computer to the server where it is decrypted? Or do you use VPN to an endpoint at some different location?

I doubt there are VPN solutions that terminate at a server that is also hosting a website you want to access; in that way one would have to use independent VPN solutions for all affected hosts one needs to use.
 
LVL 26

Expert Comment

by:skullnobrains
If your VPN is not based on the same SSL library, it should help. But anyway, exploiting this vulnerability to hijack somebody else's session on a website requires actually being able to sniff the corresponding traffic in the first place. Why do you think you are concerned? Are we talking about HTTPS or something else?
 
LVL 27

Expert Comment

by:Tolomir
The heartbeat is only active starting with TLS 1.1. I doubt that is an issue with VPN itself.
 
LVL 26

Expert Comment

by:skullnobrains
Why? All OpenSSL-based VPNs in the world use other SSL versions?

I hardly believe Heartbleed is an issue at all for anybody here, but then I guess I'm not the one to decide who is concerned.

BTW, you can disable heartbeat at compile time.
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 167 total points
OK, right. If you use a VPN solution that relies on OpenVPN (client/server) you should consider changing the server SSL certificate if the server uses this OpenSSL version:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable

But the original question was: if a user uses a VPN to connect to a server, is he safe from sniffing of his connection data? And I say, as long as a man-in-the-middle attack is possible, a VPN connection will not help you here.

Of course, if you use OpenVPN (using OpenSSL with a version as above) even your VPN connection can be compromised as long as OpenSSL was compiled with the heartbeat extension.

All details here: http://heartbleed.com (cool, an own website for a bug, not bad...)

Tolomir
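The version range Tolomir quotes above (1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed) is easy to misread by eye when the letter suffix is involved, so here is a small checker, added as an example and not part of the original thread, that parses an `openssl version` line and reports whether the upstream number falls inside that range. The comparison tuples and the `local_python_openssl_check` helper are assumptions of this example; the caveat in the docstring about distribution backports and heartbeat-disabled builds is the point a practitioner should keep in mind.

```python
import re
import ssl

# Affected range as stated in the thread: OpenSSL 1.0.1 through 1.0.1f inclusive.
# 1.0.1g carried the fix; the 0.9.8 and 1.0.0 branches were never affected.
FIRST_VULNERABLE = (1, 0, 1, "")   # 1.0.1 with no letter
FIRST_FIXED = (1, 0, 1, "g")       # 1.0.1g

# Matches "1.0.1e" in "OpenSSL 1.0.1e 11 Feb 2013" or "1.0.1f-fips"; the
# letter group is empty for a bare "1.0.1" or a "1.0.2-beta1" style string.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) from a version string or the first
    line of `openssl version` output, or None if no version number is found.
    Letters sort as plain strings, which matches OpenSSL's a..z, za, zb order."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def version_in_heartbleed_range(text):
    """True if the upstream version number lies in 1.0.1 .. 1.0.1f.

    Caveat: this inspects only the version string. Distribution packages often
    keep the upstream number (e.g. 1.0.1e) while backporting the fix, so a
    True result means "check the package changelog", not "exploitable". A build
    with heartbeats disabled at compile time is also not affected even though
    its version string falls inside the range.
    """
    v = parse_openssl_version(text)
    if v is None:
        raise ValueError("no OpenSSL version number found in %r" % (text,))
    return FIRST_VULNERABLE <= v < FIRST_FIXED


def local_python_openssl_check():
    """Apply the same test to the OpenSSL this Python interpreter is linked
    against (ssl.OPENSSL_VERSION is a standard-library constant)."""
    return ssl.OPENSSL_VERSION, version_in_heartbleed_range(ssl.OPENSSL_VERSION)


if __name__ == "__main__":
    print(local_python_openssl_check())
```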
 
LVL 26

Accepted Solution

by:skullnobrains
skullnobrains earned 167 total points
If you tunnel an SSL or other connection over a VPN that does not suffer the same security issue, MITM attacks are impossible. If you do, achieving such a MITM attack inside a second one is hardly feasible.
 
LVL 1

Author Closing Comment

by:JeffBeall
Thank you.
