[LINK] The Heartbleed Bug in OpenSSL

Martin Barry marty at supine.com
Thu Apr 10 04:30:08 AEST 2014


Rick Welykochy wrote:
> 
> The Heartbleed Bug has been plaguing Apache and nginx web servers
> for a couple of years.

Actually, the bug was in OpenSSL so those web servers may just be the
highest profile, but not the only, software affected...

> The press has gone wild with announcements today. From what I have read
> there is no evidence that the bug has been exploited in the wild. But attacking
> communication systems that have this bug leaves no trace in logs, i.e. attacks
> are undetectable.

It's trivial to exploit and undetectable without a network-level packet capture.

Who or what was exploited is one of those "known unknowns" so everyone
should just follow the recommended course of actions:

- patch the software
- regenerate new keys
- create new certificates and revoke the old ones
- revoke existing access tokens, session cookies etc.
- trigger password resets

This may seem like overkill but it's realistically the only way to restore a
semblance of security and is not overly onerous given the alternative
possibilities.


> Detecting the bug on web services you use:
> 
> https://www.ssllabs.com/ssltest/analyze.html

The only issue I have with this is it only checks the *current* status of
the bug itself. It should also be checking the issue date of the certificate
and warning that if it was not generated recently with a new key *and* the
server was previously vulnerable then the server may still be at risk due to
any previously retrieved key material or access tokens.

cheers
Marty
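The check Marty asks for above (certificate issue date plus "was a new key actually used") is straightforward to script against the certificate dict that Python's `ssl` module returns. The following is an added example and is not code from the Link thread, from SSL Labs or from OpenSSL; the disclosure date is the 7 April 2014 release of the fixed OpenSSL, while `patched_at`, `previous_key_fp` and `current_key_fp` are assumed operator-supplied inputs (change records and a public-key fingerprint taken before and after reissue) that the `ssl` module itself does not provide. The certificate dicts in `demo()` are constructed.

```python
"""Post-Heartbleed certificate check: was the certificate (re)issued with a
new key after the server stopped being vulnerable?

Added example; not part of the Link thread, the SSL Labs scanner or any
OpenSSL tooling. Certificate dicts follow the shape returned by Python's
ssl.SSLSocket.getpeercert(); the sample dicts and fingerprints in demo()
are constructed. patched_at, previous_key_fp and current_key_fp are
assumed operator-supplied inputs (e.g. from change records and
`openssl x509 -pubkey`), not values the ssl module provides.
"""
import socket
import ssl
from datetime import datetime, timezone

# Public disclosure of Heartbleed (release of the fixed OpenSSL, 7 April 2014):
# the earliest date on which a reissued certificate could possibly be safe.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """Parse the notBefore field of a getpeercert()-style dict into an aware datetime."""
    secs = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def assess(cert, was_vulnerable, patched_at=None, previous_key_fp=None, current_key_fp=None):
    """Return (status, reason) for one server certificate.

    was_vulnerable : the host ran a Heartbleed-affected OpenSSL at some point
    patched_at     : aware datetime when the fix was deployed, if known
    *_key_fp       : public-key fingerprints before and after reissue, if recorded
    """
    issued = cert_not_before(cert)
    if not was_vulnerable:
        return "ok", "never ran an affected OpenSSL, so the key was not exposed"
    # The exposure window closes only when the fix is deployed: a certificate
    # issued after disclosure but before patching went to a still-leaking host.
    cutoff = HEARTBLEED_DISCLOSED if patched_at is None else max(HEARTBLEED_DISCLOSED, patched_at)
    if issued < cutoff:
        return ("at-risk",
                f"certificate issued {issued:%Y-%m-%d}, before {cutoff:%Y-%m-%d}; "
                "private key may have been read from memory")
    if previous_key_fp is not None and previous_key_fp == current_key_fp:
        return ("at-risk",
                "certificate reissued but the public key did not change; "
                "the exposed key is still in use")
    return "reissued", f"certificate issued {issued:%Y-%m-%d} after the exposure window"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the live certificate dict for a host (needs network; not used by demo())."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def demo():
    """Run the check over constructed certificates; returns the list of statuses."""
    patched = datetime(2014, 4, 8, 10, 0, tzinfo=timezone.utc)
    cases = [
        # (label, cert dict, was_vulnerable, patched_at, previous fp, current fp)
        ("old cert", {"notBefore": "Mar  1 00:00:00 2014 GMT"}, True, patched, None, None),
        ("reissued before patch", {"notBefore": "Apr  7 20:00:00 2014 GMT"}, True, patched, None, None),
        ("reissued, same key", {"notBefore": "Apr  9 12:00:00 2014 GMT"}, True, patched, "aa11", "aa11"),
        ("reissued, new key", {"notBefore": "Apr  9 12:00:00 2014 GMT"}, True, patched, "aa11", "bb22"),
        ("never vulnerable", {"notBefore": "Mar  1 00:00:00 2014 GMT"}, False, None, None, None),
    ]
    results = []
    for label, cert, vuln, patched_at, prev_fp, cur_fp in cases:
        status, reason = assess(cert, vuln, patched_at, prev_fp, cur_fp)
        print(f"{label:24s} {status:9s} {reason}")
        results.append(status)
    return results


if __name__ == "__main__":
    demo()
```

Two details matter in practice. The cutoff is the later of the disclosure date and the local patch date, because a certificate reissued while the host was still running the vulnerable OpenSSL was issued to a host whose memory could still be read. And the fingerprint compared must be of the public key (the SubjectPublicKeyInfo), not of the certificate: reissuing a CSR made from the old key produces a new certificate fingerprint while leaving the exposed key in service, which is exactly the case the check is meant to catch.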
