  1. #1
    Community Advisor

    Big vulnerability in OpenSSL discovered

    A vulnerability has surfaced in OpenSSL that allows the cryptographic keys to be stolen (and hence potentially any encrypted traffic in transit, including usernames and passwords, credit card info, etc.).

    If you use https / an SSL certificate on your site, you are probably running OpenSSL.

    More info here:
    http://techcrunch.com/2014/04/07/mas...-the-internet/

    Useful tool here to check whether you have the vulnerable part of OpenSSL active:
    http://rehmann.co/projects/heartbeat

  2. #2
    SitePoint Wizard
    This should be listed on the front page of the forum. Anyone on a shared host should not have to worry as the hosting company will take care of it. Anyone on a VPS or dedicated server has some work to do.

    I could not determine for certain whether or not Apache and nginx (or whatever web server someone may be using) should be recompiled (if your web server has SSL support). Some sources say yes, it should be compiled using the updated, patched version of OpenSSL. Having recently learned to compile Apache on Linux, it seemed to me that Apache doesn't just call to OpenSSL, but that components of OpenSSL are compiled into Apache (possibly only mod_ssl.so). It may be the same for PHP as well. I am not sure at this time.

    To be on the safe side, it may be wise for anyone on a VPS or Dedicated server to update their system (especially OpenSSL), recompile Apache and PHP if they have SSL enabled, and reboot their system.

  3. #3
    SitePoint Addict
    Lots of the websites I visit have been issuing alerts to change passwords and such because of this. I wonder how long people have known about this ;X

  4. #4
    Shaun(OfTheDead)
    Eep!

    Okay, time to investigate my server to be sure.

    I'm sure years from now we'll still be hearing about the fallout from this.

  5. #5
    felgall
    Quote Originally Posted by Patche
    I wonder how long people have known about this ;X
    Apparently the problem was first identified over two years ago.

  6. #6
    Community Advisor
    The code that created the vulnerability was submitted 2 years ago; it's only been found now.

    Destroys the commonly held belief that open source is secure because it has more eyes on it.

    One of the other major issues is the fact that OpenSSL is used in a huge amount of hardware, from home router modems to firewalls and many commercial internet appliances. Many of these that are not current generation will likely never get firmware updates.

    Other than recompiling Apache and OpenSSL, you also need to replace public and private keys and get new certificates that use the new keys.

  7. #7
    ralph.m
    Troy Hunt is always a good source of info about this sort of thing: http://www.troyhunt.com/2014/04/ever...now-about.html

  8. #8
    SitePoint Wizard
    Quote Originally Posted by EastCoast
    Destroys the commonly held belief that open source is secure because it has more eyes on it.
    I am only a beginner level C++ coder, yet I cannot help but be astounded by how many of these missing bounds check vulnerabilities have been discovered in all kinds of software over the years. From Windows to Linux to web browsers to Java to Flash to audio and video players and pretty much everything in between, if it was written in C or C++, there has probably been one of these bugs in it. This is an avoidable mistake. Most of the vulnerabilities that have resulted in mass virus propagations (Nimda, Code Red, and more) and many vulnerabilities resulting in mass data theft have been caused by missing bounds check vulnerabilities exploited by buffer overflows.

    All of this software is created by bright people who make stupid little mistakes. A few times I have downloaded open source code and took a quick look at it to be overwhelmed by the number of files contained in the project. Some of the files like a header file or something may contain as little as one line of code. Managing code that is scattered among hundreds of different files has to be difficult, isn't it? How else could one explain bright people making these missing bounds check mistakes?

    Is there not a way for C/C++ compilers to do bounds checking and error on compilation? I don't know much about it, but I do know there have been way too many of these vulnerabilities over the years, all of which are preventable. We will never have secure computing as long as these simple little mistakes are allowed to happen. There has to be a better way.

  9. #9
    ParkinT
    I am now being flooded by email messages, from the various services to which I subscribe, urging me to change my password and regenerate API keys.
    It strikes me, though, that I should wait to change my credentials until AFTER the vulnerability has been corrected. Regardless of what we do now, if there is still an opening in the protocol it still can be exploited.

    Secondly, I wonder about services like 1Password and LastPass. Are they vulnerable to attack? Thinking about myself, that could be more devastating than gaining access to my bank account!!

  10. #10
    shahnawazsadique
    Are you guys changing your passwords? Actually, I read several articles on Mashable and other good resources, so I got a little confused.
    Quote Originally Posted by ParkinT
    I am now being flooded by email messages, from the various services to which I subscribe, urging me to change my password and regenerate API keys.
    It strikes me, though, that I should wait to change my credentials until AFTER the vulnerability has been corrected. Regardless of what we do now, if there is still an opening in the protocol it still can be exploited.

    Secondly, I wonder about services like 1Password and LastPass. Are they vulnerable to attack? Thinking about myself, that could be more devastating than gaining access to my bank account!!

  11. #11
    Community Advisor
    Quote Originally Posted by ParkinT
    I am now being flooded by email messages, from the various services to which I subscribe, urging me to change my password and regenerate API keys.
    It strikes me, though, that I should wait to change my credentials until AFTER the vulnerability has been corrected. Regardless of what we do now, if there is still an opening in the protocol it still can be exploited.
    If the service provider has updated their server software and created new keys and certificates then it's safe to update, I'd presume no competent provider would request you to change details while they are still exposed to the vulnerability.

  12. #12
    Pullo
    Here's how it works:

    [Image: heartbleed_explanation.png]

  13. #13
    SitePoint Addict
    Quote Originally Posted by Pullo
    Here's how it works:

    [Image: heartbleed_explanation.png]
    That's quite a good explanation xP.

  14. #14
    Verum
    What I fail to understand is how a system that is as prevalent and important as this could go for nearly two years with such a fundamental flaw. I would have imagined that an error of this magnitude would have been discovered/exploited long before this.

  15. #15
    ParkinT
    Quote Originally Posted by Pullo
    Here's how it works:

    [Image: heartbleed_explanation.png]
    Quite a clear illustration of the typical [and age-old] "buffer overrun" exploit. I did not realize that was all there is to the Heartbleed exploit!

  16. #16
    ScallioXTX
    Quote Originally Posted by ParkinT
    Quite a clear illustration of the typical [and age-old] "buffer overrun" exploit. I did not realize that was all there is to the Heartbleed exploit!
    It's not just buffer overrun. From what I've read the creators of OpenSSL chose to implement their own memory pool which doesn't erase data from memory when it's no longer needed for performance reasons. So normally when you don't need a piece of memory anymore you overwrite it with all zeroes to prevent problems like this, but the OpenSSL creators explicitly chose not to do that. I wonder how they feel about that decision now...
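The missing bounds check that posts #8, #15 and #16 discuss, as an added C example (not code from the thread or from OpenSSL): a heartbeat-style echo handler that rejects a record whose claimed payload length exceeds what actually arrived, and scrubs its buffer before reuse. The record layout, function names and sample values are this example's own assumptions.

```c
/* Added example (not code from the thread or from OpenSSL): a heartbeat-style
 * echo handler with the bounds check Heartbleed lacked, plus buffer scrubbing.
 * The record layout, names and values below are this example's assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_RECORD 256
#define HB_HEADER  3   /* 1 byte type + 2-byte big-endian claimed payload length */
#define HB_PADDING 16  /* trailing padding bytes (constructed layout) */

/* Zero memory so the optimiser cannot drop the stores as "dead". */
static void scrub(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Build the echo response into out; return its length, or -1 for a malformed
 * record. The length the peer *claims* must fit inside the bytes that actually
 * arrived (rec_len); the unpatched code trusted the claimed length instead. */
int heartbeat_echo(const uint8_t *rec, size_t rec_len,
                   uint8_t *out, size_t out_len) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;   /* truncated header */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t total = HB_HEADER + claimed + HB_PADDING;
    if (total > rec_len) return -1;    /* the bounds check that was missing */
    if (total > out_len) return -1;    /* never overrun the response buffer */
    out[0] = 2;                        /* response type (constructed value) */
    out[1] = rec[1]; out[2] = rec[2];  /* echo the length field */
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);  /* fresh, zeroed padding */
    return (int)total;
}

/* Constructed request: type 1, the claimed length, the real payload, padding. */
static int make_request(uint8_t *buf, uint16_t claimed, const char *payload) {
    size_t n = strlen(payload);
    buf[0] = 1;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + HB_HEADER, payload, n);
    memset(buf + HB_HEADER + n, 0, HB_PADDING);
    return (int)(HB_HEADER + n + HB_PADDING);
}

/* Honest request: claims 2 bytes and sends 2; expect a 21-byte echo. */
int demo_well_formed(void) {
    uint8_t req[MAX_RECORD], resp[MAX_RECORD];
    int n = make_request(req, 2, "hi");
    int r = heartbeat_echo(req, (size_t)n, resp, sizeof resp);
    if (r > 0 && memcmp(resp + HB_HEADER, "hi", 2) != 0) r = -2;
    scrub(resp, sizeof resp);          /* don't leave the echo lying around */
    return r;
}

/* Malformed request: claims 65535 bytes but sends 2; must be rejected. */
int demo_oversized(void) {
    uint8_t req[MAX_RECORD], resp[MAX_RECORD];
    int n = make_request(req, 65535, "hi");
    return heartbeat_echo(req, (size_t)n, resp, sizeof resp);
}
```

The second check (`total > out_len`) is the ordinary "don't overrun my own buffer" test; the first is the one the patched OpenSSL added, comparing the claimed length against the record that was actually received.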

  17. #17
    Stomme poes
    Quote Originally Posted by eastCoast
    Destroys the commonly held belief that open source is secure because it has more eyes on it.
    The GnuTLS bug that's been sitting around letting bogus certs through for 9 years before Red Hat managed to notice it (because of an audit, not someone just randomly eyeballing the code) should have destroyed that first.

    Instead of a lack of constraints on data sent back, this one was two coders writing C functions, one returning 0 for false and another returning -1 or something intending to mean "false". Whoops.

  18. #18
    felgall
    Quote Originally Posted by EastCoast
    The code submitted that created the vulnerability was 2 years ago, it's only been found now.
    If it has only been found now then it isn't really a huge problem as it will be mostly fixed before anyone manages to exploit it.

    It is only a problem if someone actually found it at some point in the past two years and exploited it before it got patched.

    Presumably the patch was made available by the time that the public announcement was made.

    It only destroys the myth about open source being more secure if the fact that it is open source made it easier for someone to find and exploit this long before it was patched. That it is open source means that someone did find and patch it. Because the alternatives are not open source there is no way to tell which if any of those is able to be similarly exploited.

  19. #19
    molona
    Quote Originally Posted by ParkinT
    I am now being flooded by email messages, from the various services to which I subscribe, urging me to change my password and regenerate API keys.
    It strikes me, though, that I should wait to change my credentials until AFTER the vulnerability has been corrected. Regardless of what we do now, if there is still an opening in the protocol it still can be exploited.

    Secondly, I wonder about services like 1Password and LastPass. Are they vulnerable to attack? Thinking about myself, that could be more devastating than gaining access to my bank account!!
    You're right, you should change your password only after the website has been secured... else those passwords can be stolen again. 1Password and LastPass say that they're safe. Furthermore, they're doing great by telling anyone that they should use their services.

    It is also good to notice that not every website that uses OpenSSL is vulnerable. Not all use this piece of code, it is not essential and not part of the core of OpenSSL. So it is good to confirm with the website administrator if you're in doubt.

    Quote Originally Posted by felgall
    It only destroys the myth about open source being more secure if the fact that it is open source made it easier for someone to find and exploit this long before it was patched. That it is open source means that someone did find and patch it. Because the alternatives are not open source there is no way to tell which if any of those is able to be similarly exploited.
    That's true. It is hard to say if proprietary is better than open source or vice versa. The only thing is that if there's something wrong with open source, someone will find it one day because anyone can view the code. With proprietary code, it may look more secure because finding the error will be harder. That doesn't mean that someone patient enough will not find the error.

  20. #20
    Stomme poes
    Quote Originally Posted by felgall
    It is only a problem is someone actually found it at some point in the past two years and exploited it before it got patched.
    The NSA said they did, before they realised they were supposed to say they didn't.

    I found it strange that two independent places found this old bug within days of each other (the Google guy and the Finnish crypto guys) while it was 2 years old.

  21. #21
    ralph.m
    Quote Originally Posted by Stomme poes
    I found it was strange two independent places found this old bug within days of each other ...
    It's well known that monkeys on different islands discover the same trick at the same time.

  22. #22
    ParkinT
    Quote Originally Posted by ralph.m
    It's well known that monkeys on different islands discover the same trick at the same time.
    That is because the "Alien Space Bats" who control all things on earth decided to dispense that new knowledge at that time!!

  23. #23
    ralph.m
    Quote Originally Posted by ParkinT
    That is because the "Alien Space Bats" who control all things on earth decided to dispense that new knowledge at that time!!
    Ah, OK, that makes sense. I always wondered why it was so.

  24. #24
    molona
    Quote Originally Posted by ralph.m
    Ah, OK, that makes sense. I always wondered why it was so.
    Off Topic:

    See? We have just learned something new at the same time in two very different parts of the world... Does that mean that @ParkinT is an "Alien Space Bat" that wanted us to know this just right now? And for what purpose? Are his intentions evil? *runs and hides*

  25. #25
    Force Flow
    Link to original description of heartbleed bug: http://heartbleed.com/

    Link to site checker for vulnerability: https://lastpass.com/heartbleed/

    Link to list of big-name sites affected: http://mashable.com/2014/04/09/heart...ites-affected/

    Link to original explanation comic: http://xkcd.com/1354/