SoylentNews is people

posted by janrinok on Friday April 18 2014, @10:09PM
from the bigger-problem-than-first-thought dept.

From "Testing for reverse Heartbleed", courtesy of Schneier's blog:

"Anything that speaks TLS using OpenSSL is potentially vulnerable, but there are two main classes of client apps that are worth mentioning:

  1. Traditional clients are things like web browsers, apps that use HTTP APIs [snip]
  2. Open agents are clients that can be driven by an attacker but don't reside on an attacker's machine. If you can direct some remote application to fetch a URL on your behalf, then you could theoretically attack that application. The web is full of applications that accept URLs and do something with them; any of these have the potential to be vulnerable [snip]"

The main conclusion so far is that one has to purge all flawed versions of OpenSSL from all computers: server or client makes no real difference, and firewalls make no real difference either, as the bug now works both inbound and outbound.

There is also a Reverse Heartbleed Tester.

Related Stories

Heartbleed: Ain't Dead Yet 12 comments

Ars Technica reports that four weeks after its disclosure huge swaths of the Internet remain vulnerable to Heartbleed. The article suggests that over 300,000 servers remain vulnerable.

What steps have you taken to protect yourself from this bug? What browser addons have you installed? Have you checked/updated the firmware on your home router? If you work in IT, what has the reaction been? Has your site been compromised? Has vulnerable code been updated, new keys genned, new certificates obtained, and old ones revoked?

Since the OpenSSL library is now undergoing a security review and a fork of it is underway as LibreSSL, it is possible that other vulnerabilities will be discovered. Then what? How likely is it that we will need to repeat this cleanup effort?


The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Interesting) by Angry Jesus on Friday April 18 2014, @10:17PM

    by Angry Jesus (182) on Friday April 18 2014, @10:17PM (#33239)

    Perhaps there is a silver lining here. How many DRM-locked systems are vulnerable to this? Xbox? PS4? Roku (or other Netflix players)? Can this attack be used to compromise the secret keys on these systems?

    • (Score: 0) by Anonymous Coward on Friday April 18 2014, @10:31PM

      by Anonymous Coward on Friday April 18 2014, @10:31PM (#33240)

      You sir, win +1 internets!

    • (Score: 2) by Lagg on Friday April 18 2014, @10:46PM

      by Lagg (105) on Friday April 18 2014, @10:46PM (#33246) Homepage Journal

      I get quite tired of this captain obvious milking of heartbleed. But posts like yours are why I can tolerate it a little longer because that's a damn good point and I hope others are exploring the same thing. It's about time these glorified locked down set top boxes get cracked and this would be a good avenue for it. Hopefully people cut off their systems from the WAN so that they don't get any updates and can work with it.

      --
      http://lagg.me [lagg.me] 🗿
      • (Score: 4, Insightful) by tathra on Friday April 18 2014, @11:03PM

        by tathra (3367) on Friday April 18 2014, @11:03PM (#33250)

        "Hopefully people cut off their systems from the WAN so that they don't get any updates and can work with it."

        they also need to be extremely careful with new games and movies. after Sony stripped the PS3 of OtherOS, they forced updates on un-updated machines through new games and movies; you could not play games or watch DVDs released after they forcibly removed that functionality without "updating".

        • (Score: 2) by Lagg on Saturday April 19 2014, @12:11AM

          by Lagg (105) on Saturday April 19 2014, @12:11AM (#33257) Homepage Journal

          I almost forgot about that. Yet people still buy from this parasite of a company.

          --
          http://lagg.me [lagg.me] 🗿
        • (Score: 3, Insightful) by edIII on Saturday April 19 2014, @02:29AM

          by edIII (791) on Saturday April 19 2014, @02:29AM (#33267)

          This is why Bluray sucked so badly that even my friends who always wanted the next shiny stopped buying Bluray.

          They kept changing the encryption, and beyond all the expectations of how stupid they could be, broke existing hardware. I want to say it was one of the Spiderman's that drove somebody over the edge when I had to spend a fucking hour flashing the firmware of their $1000 Bluray player. Was the last Bluray they ever purchased and that was some time ago.

          The answer to your update problem is simple. Pirate Everything, even if you bought it. My friends still enjoy Bluray quality from time to time, but that's all HD downloads from private torrent sites. Piracy simply has the highest quality product available.

          I wouldn't buy a Sony product, but if the encryption was cracked and I could load up custom firmware on some of the consoles, I might change my mind. I would still buy it 2nd hand though and professionally done like some companies in Canada.

          Alas, the entire idea is probably doomed to failure since this 64K leak is only present in OpenSSL. I don't know how many embedded devices use it. I'm willing to bet that a PS3 or PS4 doesn't have it, and older consoles probably don't have it either.

          I would love to have a better explanation of just how that vulnerability will lead towards exploits on those systems.

          --
          Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 0) by Anonymous Coward on Saturday April 19 2014, @05:50AM

      by Anonymous Coward on Saturday April 19 2014, @05:50AM (#33286)

      Guy just found a silver lining to a mushroom cloud!

  • (Score: 1) by bill_mcgonigle on Monday April 21 2014, @12:38AM

    by bill_mcgonigle (1105) on Monday April 21 2014, @12:38AM (#33787)

    At least on the known-vulnerable system I tried (CentOS 6 derivative with 5_4 package version).