Chief Delphi

Chief Delphi (http://www.chiefdelphi.com/forums/index.php)
-   General Forum (http://www.chiefdelphi.com/forums/forumdisplay.php?f=16)
-   -   Heartbleed (http://www.chiefdelphi.com/forums/showthread.php?t=128699)

cadandcookies 10-04-2014 23:37
Heartbleed
 
In case you haven't heard, now is a really good time to go and change your passwords.

This article explains it better than I can-- maybe some of the network gurus around here have more details?

I didn't see a thread about it anywhere and figured it's probably relevant to a lot of the users here.

plnyyanks 10-04-2014 23:44
Re: Heartbleed
 
Quote:
Originally Posted by cadandcookies (Post 1372422)
maybe some of the network gurus around here have more details?
This specific exploit is actually not quite network related. It's more of a programming oversight (with huge implications). Basically, there's a part of the SSL protocol called the heartbeat, which allows for a connection to remain open over time - the client sends a little message to the server saying, "hey! don't kill my connection" and the server acknowledges it and sends some data back.

The way the protocol is defined, the client sends its packet of data and a number representing the size of that data as validation (something pretty common to do). However, openSSL doesn't check that the given size actually corresponds to the actual size of the payload - it just allocates a chuck of memory that sized and returns it. This means that if the user tells openSSL that the payload is bigger that it is, the server will actually dump a portion of its memory back (which can include things like private keys, passwords, etc.).

You can check the vulnerable code out here, and you can see it just does a memcpy and if you look at the surrounding code, those bounds aren't checked.
Quote:
/* Allocate memory for the response, size is 1 byte
* message type, plus 2 bytes payload length, plus
* payload, plus padding
*/
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;
/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);
Although the situation is different, the moral of the story remains the same...

cgmv123 11-04-2014 09:24
Re: Heartbleed
 

MCMechTech 11-04-2014 13:29
Re: Heartbleed
 
You will want to be sure your web server has been updated to address the vulnerability before you change your passwords. Otherwise you could make the problem worse by exposing both the old and new password to an attack.

cadandcookies 11-04-2014 14:15
Re: Heartbleed
 
Quote:
Originally Posted by MCMechTech (Post 1372588)
You will want to be sure your web server has been updated to address the vulnerability before you change your passwords. Otherwise you could make the problem worse by exposing both the old and new password to an attack.
We had a security expert come in to my AP Computer Science class who recommended changing all passwords now, and then again in 3-4 weeks. The rationale being that some will have fixed it ASAP, but some will only get around to it later (or something along those lines).

Lucario 11-04-2014 14:22
Re: Heartbleed
 
Quote:
Originally Posted by cadandcookies (Post 1372607)
We had a security expert come in to my AP Computer Science class who recommended changing all passwords now, and then again in 3-4 weeks. The rationale being that some will have fixed it ASAP, but some will only get around to it later (or something along those lines).
https://lastpass.com/heartbleed/ actually has a web tool to check if the server's been patched. You can use this to check to see if its time to change your password.

Also, if you're a web-admin, you'll want to check your own site's SSL if you're doing anything sensitive- both the patch and a re-key has to be applied for you to be protected.

rich2202 11-04-2014 14:37
Re: Heartbleed
 
Quote:
Originally Posted by plnyyanks (Post 1372425)
This specific exploit is actually not quite network related.

Now it is:

Quote:
Cisco and Juniper, two of the largest router and Internet equipment makers, said today that the vulnerability, which exposes encrypted data like passwords, is present in their routers, switches and firewalls.

http://www.komando.com/blog/247808/t...ery-very-worse

Lucario 11-04-2014 15:29
Re: Heartbleed
 
Quote:
Originally Posted by rich2202 (Post 1372613)
Now it is:
Yep. Also, in Heartbleed-vulnerable routers, since almost all routers also act as a web server, SSL connections between it and clients (such as router management clients) are vulnerable to MITM (Man-In-The-Middle) attacks and decryption.

Chris_Ely 11-04-2014 19:28
Re: Heartbleed
 
Anyone know if CD is affected? The tool that Alan linked to is inconclusive.
Quote:
Originally Posted by LastPass
Unable to get HTTP headers for www.chiefdelphi.com
Site: www.chiefdelphi.com
Server software: Not reported
Was vulnerable: Possibly (might use OpenSSL, but we can't tell)
SSL Certificate: Unable to extract SSL information for that host

Pat Fairbank 11-04-2014 20:22
Re: Heartbleed
 
Quote:
Originally Posted by luckof13 (Post 1372694)
Anyone know if CD is affected? The tool that Alan linked to is inconclusive.
Nope -- CD doesn't use SSL/HTTPS. Port 443 on chiefdelphi.com is blocked.

Joe Ross 11-04-2014 21:04
Quote:
Originally Posted by Pat Fairbank (Post 1372707)
Nope -- CD doesn't use SSL/HTTPS. Port 443 on chiefdelphi.com is blocked.

In other words, don't use an important password here.

alex.lew 11-04-2014 21:18
Re: Heartbleed
 
Quote:
Originally Posted by Joe Ross (Post 1372717)
In other words, don't use an important password here.
Is there any password that could be more important?


All times are GMT -5. The time now is 18:55.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Copyright © Chief Delphi