Solved

HeartBleed bug

Posted on 2014-04-11
5
401 Views
Last Modified: 2014-04-13
I am a noice, and I know the Heatbleed is basically a memory leak taht exposes pw, content, potentially crypto keys....

but in laymans terms, what are the issues moving forward

what will occur as far as fixes (or attacks) in the near future, and how will that affect us
0
Comment
Question by:Anthony Lucia
5 Comments
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 39995330
Heartbleed only affects a limited number of versions of OpenSSL.  However it has been present for two years.  Here http://heartbleed.com/ is the official site and information.  Many sites have already been fixed but recommend you change your passwords on those sites in case they were revealed in the previous two year.  Note that any particular system can have several copies and versions of OpenSSL in different programs.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 200 total points
ID: 39995387
As sites are fixed (after sites are fixed, in other words) you should change your password there (changing passwords is a good idea periodically anyhow)

In order to know if a site HAS been fixed, then one of the two plugins for Firefox or Chrome is a good idea, or look out for a statement from the site owner (or both :)

if you own a site, consider replacing the secret key/certificate after ensuring the ssl module was upgraded; this may not be needed in all cases (for instance, a code review of nginx has shown it does not store the secret key in memory near where the heartbleed bug could "reveal" it) but again, may be good policy (and will make your users feel better).

A clearer understanding can be gained of the bug by looking at the very useful infographic over on xkcd:

http://xkcd.com/1354/

and above all, don't panic! while this bug has been around for two years now, the conditions for exploiting it are relatively narrow and the risk, while real, of any specific set of credentials being revealed is actually quite low.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 100 total points
ID: 39996049
Agreed, and it does not affect IIS installations at all:
http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx
You can run windows + apache + ssl however, so not all windows web servers are unaffected, but IIS ones are not affected.
-rich
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 200 total points
ID: 39996128
Apache also has a choice of module - mod_ssl uses openssl (so needs updating) but mod_gnutls uses gnutls (which had its own issue a few weeks back, but isn't affected by heartbleed)

apache tomcat (the serverside java engine from the same project) also does not use openssl.

nginx does (so needs patching) [deleted] (may need users to change credentials after patching)

UPDATE - nginx has been proven vulnerable to secret key disclosure for a window after a reboot, so keys on that platform should be considered compromised and replaced.

ouch.
0
 
LVL 25

Accepted Solution

by:
Tony Giangreco earned 100 total points
ID: 39997397
Updating your SSL components should help.
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
The new Gmail Phishing Scam going around is surprising even the savviest of users with its sophisticated techniques.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question