Stories
Slash Boxes
Comments

SoylentNews is people

Heartbleed: Ain't Dead Yet

posted by martyb on Friday May 09 2014, @02:50PM   Printer-friendly
from the the-gift-that-keeps-on-giving dept.

Bytram writes:

Ars Technica reports that four weeks after its disclosure huge swaths of the Internet remain vulnerable to Heartbleed. The article suggests that over 300,000 servers remain vulnerable.

What steps have you taken to protect yourself from this bug? What browser addons have you installed? Have you checked/updated the firmware on your home router? If you work in IT, what has the reaction been? Has your site been compromised? Has vulnerable code been updated, new keys genned, new certificates obtained, and old ones revoked?

Since the OpenSSL library is now undergoing a security review and a fork of it is underway as LibreSSL, it is possible that other vulnerabilities will be discovered. Then what? How likely is it that we will need to repeat this cleanup effort?

(more after the break)

The Heartbleed bug "is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet." The bug affects not only computer servers, but also routers and even some Android phones, too. Even software like LibreOffice, WinSCP, and FileMaker have versions with the bug and need to be updated. The history, behavior, and impact of this bug are well-explained and summarized on Wikipedia. Therein is this recommendation:

Although patching software (the OpenSSL library and any statically linked binaries) fixes the bug, running software will continue to use its in-memory OpenSSL code with the bug until each application is shut down and restarted, so that the patched code can be loaded. Further, in order to regain privacy and secrecy, all private or secret data must be replaced, since it is not possible to know if they were compromised while the vulnerable code was in use:[68]

  • all possibly compromised private key-public key pairs must be regenerated,
  • all certificates linked to those possibly compromised key pairs need to be revoked and replaced, and
  • all passwords on the possibly compromised servers need to be changed.

SN's coverage of this vulnerability includes:

 
This discussion has been archived. No new comments can be posted.
Heartbleed: Ain't Dead Yet | Log In/Create an Account | Top | 12 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2, Insightful) by Zinho on Friday May 09 2014, @04:15PM

    by Zinho (759) on Friday May 09 2014, @04:15PM (#41294)

    Six years after the Conficker worm was first detected we still have ~1% of all Windows computers [microsoft.com] on the Internet still infected with it.

    Cleanup takes time, and (as stated by others) some system administrators have higher priorities than chasing down every reported exploit for their systems. These will be the same admins who don't apply patches to running systems because uptime is more important than staying on the bleeding edge - many of them even run Debian! Everyone's definition of "if it ain't broke" is just a little different...

    I will not be surprised if in several years' time there aren't still a hoard of servers out there still vulnerable, ranging from social media (nothing of value lost) to banking/medical (combination of apathy and incompetence).

    --
    "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Total Score:   2