Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 412
  • Last Modified:

HeartBleed bug

I am a noice, and I know the Heatbleed is basically a memory leak taht exposes pw, content, potentially crypto keys....

but in laymans terms, what are the issues moving forward

what will occur as far as fixes (or attacks) in the near future, and how will that affect us
0
Anthony Lucia
Asked:
Anthony Lucia
5 Solutions
 
Dave BaldwinFixer of ProblemsCommented:
Heartbleed only affects a limited number of versions of OpenSSL.  However it has been present for two years.  Here http://heartbleed.com/ is the official site and information.  Many sites have already been fixed but recommend you change your passwords on those sites in case they were revealed in the previous two year.  Note that any particular system can have several copies and versions of OpenSSL in different programs.
0
 
Dave HoweSoftware and Hardware EngineerCommented:
As sites are fixed (after sites are fixed, in other words) you should change your password there (changing passwords is a good idea periodically anyhow)

In order to know if a site HAS been fixed, then one of the two plugins for Firefox or Chrome is a good idea, or look out for a statement from the site owner (or both :)

if you own a site, consider replacing the secret key/certificate after ensuring the ssl module was upgraded; this may not be needed in all cases (for instance, a code review of nginx has shown it does not store the secret key in memory near where the heartbleed bug could "reveal" it) but again, may be good policy (and will make your users feel better).

A clearer understanding can be gained of the bug by looking at the very useful infographic over on xkcd:

http://xkcd.com/1354/

and above all, don't panic! while this bug has been around for two years now, the conditions for exploiting it are relatively narrow and the risk, while real, of any specific set of credentials being revealed is actually quite low.
0
 
Rich RumbleSecurity SamuraiCommented:
Agreed, and it does not affect IIS installations at all:
http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx
You can run windows + apache + ssl however, so not all windows web servers are unaffected, but IIS ones are not affected.
-rich
0
 
Dave HoweSoftware and Hardware EngineerCommented:
Apache also has a choice of module - mod_ssl uses openssl (so needs updating) but mod_gnutls uses gnutls (which had its own issue a few weeks back, but isn't affected by heartbleed)

apache tomcat (the serverside java engine from the same project) also does not use openssl.

nginx does (so needs patching) [deleted] (may need users to change credentials after patching)

UPDATE - nginx has been proven vulnerable to secret key disclosure for a window after a reboot, so keys on that platform should be considered compromised and replaced.

ouch.
0
 
Tony GiangrecoCommented:
Updating your SSL components should help.
0

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now