OpenSSL’s New Vulnerability – Are Your SSL Keys Safe?

The Heartbleed Bug – has potentially compromised up to 66% of web servers.

TL;DR XKCD

Researchers at Google and a private security firm Codenomicon have a revealed a new vulnerability in the OpenSSL security used by Apache and nginx Web servers. These technologies are so popular, that this issue – dubbed the Heartbleed Bug – has potentially compromised up to 66% of web servers. Noting that these vulnerabilities have been gaping open for nearly two years, as of the 1.0.1g release of OpenSSL. This has left many websites vulnerable, with no way of knowing whether their private keys were compromised during this window.

The Heartbleed bug is not a man-in-the-middle attack. It exploit’s OpenSSL’s handling of TLS’s heartbeat, which is an encrypted portion of the connection. The reason it leaves no traces is not because it can’t be detected, but because it’s just not logged by OpenSSL. Theoretically it could be logged, though there may be too many false positives that diminish any usefulness logging would have.

Attackers apparently also have control (or at least influence) over what 64KB of memory they can capture, and can keep requesting more memory with each heartbeat (so the 64KB limit isn’t that limiting).

Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication. -Codenomicon

Heartbeat can be disabled in OpenSSL, but only via a recompile – in which case you might as well apply the new patch anyways.

Sources:

http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

https://blog.torproject.org/blog/openssl-bug-cve-2014-0160

http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

Leave a Reply

Your email address will not be published. Required fields are marked *