  1. #1
    mamahadija

    How do we protect ourselves against the heartbeat vulnerability?

    There has been much news about the heartbeat vulnerability in OpenSSL.
    How do web designers like me protect our clients' websites from this security gap?

  2. #2
    Mittineague
    Hi @mamahadija; welcome to the forums.

    I'm confused. As a designer, do you think it's your responsibility to protect your clients from security threats?

  3. #3
    mamahadija
    So can you tell your client that, if they ask you what this heartbeat means for the security of their website?
    The overall responsibility of managing a site for a client, if you are a freelancer, rests with the designer/developer,
    so I think this is an issue we should look into.

  4. #4
    WolfShade
    While it is true that the developer does have to keep certain things in mind regarding security (like using parameterized queries, and the like), the OpenSSL "Heartbleed" issue is an encryption certification issue, fixed by the SA recompiling the kernel with the patched OpenSSL in place.

    What does this mean for users?

    It means that any website you've been to in the last two years that is running the unpatched version of OpenSSL for encryption is a possible information leak to hackers who know how to exploit it.

    I'm sure there are instructions, somewhere, that can teach the user how to tell if they are on a site that uses OpenSSL, I just haven't read them. Otherwise, I'd paste the instructions here.

    ^_^

  5. #5
    felgall
    Heartbleed means:

    1. Any OpenSSL security certificate used in the past two years while encrypting the data sent from the client to the server and back has had a back door available to allow that data to be decrypted and read just as if it were not encrypted in the first place.

    2. Far more importantly those certificates can be modified and reused on other sites so that even if the data stays encrypted, the server at the other end is not necessarily the one you think it is.



    To fix this the sites with these certificates need to:

    1. Replace the affected certificate with a new one that has the security hole fixed.
    2. Cancel the old certificate to ensure that it cannot be misused.
    3. Force a password reset on all their users so that any passwords exposed by the bug are changed.

    Most sites affected are carrying out step 1 but only a few are currently doing step 2 and until they do all three steps in that order their site remains exposed.
    Stephen J Chapman


  6. #6
    ScallioXTX
    Quote Originally Posted by felgall:
    1. Any OpenSSL security certificate used in the past two years while encrypting the data sent from the client to the server and back has had a back door available to allow that data to be decrypted and read just as if it were not encrypted in the first place.
    It's not the certificates that are the problem, it's the OpenSSL software running on the server that's providing SSL access.

    So in your list you have to add a step 0: patch OpenSSL and rebuild Apache/NGiNX

    Once that's done, get a new certificate, revoke the old one, log out all users, and have them change their password

    If you only change your certificate you're still as vulnerable as you were before, but with a different certificate.

    Also see http://www.digitaltrends.com/computi...c-xkcd/#!EPssm
    Rémon - Hosting Advisor


  7. #7
    felgall
    Quote Originally Posted by ScallioXTX:
    It's not the certificates that are the problem, it's the OpenSSL software running on the server that's providing SSL access.
    Apparently the certificates are also a problem if they were generated using the version of OpenSSL with the security hole. Plugging OpenSSL doesn't fix the security issues with the certificate.

    Quote Originally Posted by ScallioXTX:
    So in your list you have to add a step 0: patch OpenSSL and rebuild Apache/NGiNX
    Agreed. I forgot that step (I suppose I was assuming that all affected copies had been updated already) - there are actually four steps that ALL need to be carried out - not three.

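A host-side check for the four steps the thread settles on (patch OpenSSL, restart the web server against the new library, reissue the certificate and revoke the old one, reset user passwords), as an added example that is not from this thread and not OpenSSL's own tooling. It assumes a Linux host with /proc and the `openssl` command on PATH. The affected version range it encodes (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) is the published Heartbleed range and is not given anywhere in the thread; the function names, the sample /proc maps text and the patch timestamp argument are my own.

```python
# Post-Heartbleed host audit. Added example, not code from the thread or from
# OpenSSL. It checks the state of the steps the thread settles on: OpenSSL
# patched, the web server restarted against it, and the certificate reissued
# after the patch (revoking the old one and resetting passwords happen at the
# CA and in the application, so they are only reported as reminders).
# Assumed: a Linux host (/proc), the openssl CLI on PATH, and the affected
# version range below, which is the published Heartbleed range (1.0.1 through
# 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g) and is not stated in the thread.
import re
import ssl
import subprocess
from pathlib import Path
from typing import Dict, List, Optional

# Distributions backport the fix without bumping the version, so "affected"
# means "confirm with the package changelog", not "exploitable".
_AFFECTED = re.compile(r"^1\.0\.1[a-f]?(?:[-+ ]|$)|^1\.0\.2-beta1(?:[-+ ]|$)")
# A library replaced on disk but still mapped by a running process shows up
# in /proc/<pid>/maps tagged "(deleted)" until that process restarts.
_STALE = re.compile(r"\blib(?:ssl|crypto)\.so\S*\s+\(deleted\)\s*$")


def _run(*args: str) -> str:
    return subprocess.run(args, capture_output=True, text=True, check=True).stdout


def version_affected(version_output: str) -> bool:
    """version_output: text printed by `openssl version`, e.g. 'OpenSSL 1.0.1e 11 Feb 2013'."""
    parts = version_output.split()
    if len(parts) < 2 or parts[0] != "OpenSSL":
        raise ValueError(f"unrecognised version string: {version_output!r}")
    return bool(_AFFECTED.match(parts[1]))


def maps_has_stale_libssl(maps_text: str) -> bool:
    """maps_text: content of one /proc/<pid>/maps. True means the process still
    runs the pre-upgrade libssl/libcrypto and needs a restart."""
    return any(_STALE.search(line) for line in maps_text.splitlines())


def processes_with_stale_libssl(proc_root: str = "/proc") -> Dict[int, str]:
    """{pid: command name} for every readable process with a stale mapping.
    Other users' maps are unreadable unless run as root."""
    found: Dict[int, str] = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            if maps_has_stale_libssl((entry / "maps").read_text()):
                found[int(entry.name)] = (entry / "comm").read_text().strip()
        except OSError:
            continue
    return found


def parse_not_before(startdate_output: str) -> int:
    """Parses 'notBefore=Apr  9 00:00:00 2014 GMT' (output of
    `openssl x509 -noout -startdate`) into epoch seconds."""
    key, _, value = startdate_output.strip().partition("=")
    if key != "notBefore":
        raise ValueError(f"expected notBefore=..., got {startdate_output!r}")
    return ssl.cert_time_to_seconds(value.strip())


def cert_reissued_after(not_before: int, patched_at: int) -> bool:
    """A certificate issued before the patch may have had its private key read
    out of server memory; replace and revoke it even though OpenSSL is fixed."""
    return not_before > patched_at


def audit(cert_path: Optional[str] = None, patched_at: Optional[int] = None) -> List[str]:
    """Runs the host checks; returns the findings (empty list = nothing to do)."""
    findings = []
    version = _run("openssl", "version")
    if version_affected(version):
        findings.append(f"OpenSSL in affected range: {version.strip()}")
    for pid, comm in sorted(processes_with_stale_libssl().items()):
        findings.append(f"pid {pid} ({comm}) still maps the pre-upgrade libssl: restart it")
    if cert_path and patched_at is not None:
        not_before = parse_not_before(_run("openssl", "x509", "-noout", "-startdate", "-in", cert_path))
        if not cert_reissued_after(not_before, patched_at):
            findings.append(f"{cert_path} predates the patch: reissue, revoke the old one, "
                            "then log users out and force password resets")
    return findings


# Constructed /proc/<pid>/maps excerpts (not captured from a real host).
SAMPLE_STALE_MAPS = (
    "7f3a2c000000-7f3a2c05f000 r-xp 00000000 08:01 393234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
    "7f3a2c25e000-7f3a2c262000 rw-p 0005e000 08:01 393234 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)\n"
)
SAMPLE_FRESH_MAPS = (
    "7f3a2c000000-7f3a2c05f000 r-xp 00000000 08:01 401122 /lib/x86_64-linux-gnu/libssl.so.1.0.0\n"
    "7f3a2b800000-7f3a2b9b8000 r-xp 00000000 08:01 401100 /lib/x86_64-linux-gnu/libc-2.19.so\n"
)

if __name__ == "__main__":
    import sys
    cert = sys.argv[1] if len(sys.argv) > 1 else None
    patched = int(sys.argv[2]) if len(sys.argv) > 2 else None
    for finding in audit(cert, patched) or ["no findings"]:
        print(finding)
```

Run it as root after the upgrade, e.g. `python3 audit.py /etc/ssl/certs/site.pem 1396828800`, where the second argument is the epoch time the patched package was installed; an empty result means the host-level steps are done. A "not affected" answer from the version check only says the version string is outside the range: distributions backported the fix into packages still labelled 1.0.1e, so read the package changelog as well. The stale-mapping check is the one that catches the case ScallioXTX describes, where the library is patched but Apache or nginx was never restarted and is still running the old code. Revocation and password resets leave no trace on the host, which is why the script can only print them as reminders.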
