Solved

HeartBleed bug

Posted on 2014-04-11
5
399 Views
Last Modified: 2014-04-13
I am a noice, and I know the Heatbleed is basically a memory leak taht exposes pw, content, potentially crypto keys....

but in laymans terms, what are the issues moving forward

what will occur as far as fixes (or attacks) in the near future, and how will that affect us
0
Comment
Question by:Anthony Lucia
5 Comments
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 100 total points
ID: 39995330
Heartbleed only affects a limited number of versions of OpenSSL.  However it has been present for two years.  Here http://heartbleed.com/ is the official site and information.  Many sites have already been fixed but recommend you change your passwords on those sites in case they were revealed in the previous two year.  Note that any particular system can have several copies and versions of OpenSSL in different programs.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 200 total points
ID: 39995387
As sites are fixed (after sites are fixed, in other words) you should change your password there (changing passwords is a good idea periodically anyhow)

In order to know if a site HAS been fixed, then one of the two plugins for Firefox or Chrome is a good idea, or look out for a statement from the site owner (or both :)

if you own a site, consider replacing the secret key/certificate after ensuring the ssl module was upgraded; this may not be needed in all cases (for instance, a code review of nginx has shown it does not store the secret key in memory near where the heartbleed bug could "reveal" it) but again, may be good policy (and will make your users feel better).

A clearer understanding can be gained of the bug by looking at the very useful infographic over on xkcd:

http://xkcd.com/1354/

and above all, don't panic! while this bug has been around for two years now, the conditions for exploiting it are relatively narrow and the risk, while real, of any specific set of credentials being revealed is actually quite low.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 100 total points
ID: 39996049
Agreed, and it does not affect IIS installations at all:
http://blogs.technet.com/b/erezs_iis_blog/archive/2014/04/09/information-about-heartbleed-and-iis.aspx
You can run windows + apache + ssl however, so not all windows web servers are unaffected, but IIS ones are not affected.
-rich
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 200 total points
ID: 39996128
Apache also has a choice of module - mod_ssl uses openssl (so needs updating) but mod_gnutls uses gnutls (which had its own issue a few weeks back, but isn't affected by heartbleed)

apache tomcat (the serverside java engine from the same project) also does not use openssl.

nginx does (so needs patching) [deleted] (may need users to change credentials after patching)

UPDATE - nginx has been proven vulnerable to secret key disclosure for a window after a reboot, so keys on that platform should be considered compromised and replaced.

ouch.
0
 
LVL 25

Accepted Solution

by:
Tony Giangreco earned 100 total points
ID: 39997397
Updating your SSL components should help.
0

Featured Post

Scale it in WD Gold

With up to ten times the workload capacity of desktop drives, WD Gold hard drives employ advanced technology to deliver among the best in reliability, capacity, power efficiency and performance.

Join & Write a Comment

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Ransomware continues to be a growing problem for both personal and business users alike and Antivirus companies are still struggling to find a reliable way to protect you from this dangerous threat.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now