Welcome to WebmasterWorld Guest from 188.8.131.52
Forum Moderators: phranque
joined:Feb 28, 2004
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
All of this means that applying the OpenSSL patch is only the starting point on the multi-step path of Heartbleed recovery. Website operators should strongly consider replacing their X.509 certificates after applying the update and getting all users and administrators to change passwords as well. While it's possible that none of this data has been compromised, there's no way to rule it out, either.
It's probably premature for users to replace passwords across the board, but for sites they know have received the OpenSSL patch, it may be a good idea to change login credentials. People who are truly security conscious may want to change passwords a second time if they notice a patched site later updates its digital certificate....
It might not be a factor for anyone since it's not known if anyone but Google discovered it...
I note that several BSD projects are on the list.They are on the list because they use openssl for some things in the base. However, it only applies to the most recent new release in FreeBSD version 10 which not everyone has started using yet. Version 8 and 9 aren't affected as they use older versions of openssl that weren't affected. And if they installed their own version of openssl from ports, and kept it updated as most do, then they have already been unaffected by this problem long before today.
tar xzvf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g && sudo ./config && sudo make && sudo make install
ln -sf /usr/local/ssl/bin/openssl `which openssl`
If a site had the vulnerability but wasn't victim to a successful attack
And if they installed their own version of openssl from ports, and kept it updated as most do, then they have already been unaffected by this problem long before today.
The Heartbleed Challenge
Can you steal the keys from this server?
Has the challenge been solved yet? YES
So far, two people have independently solved the Heartbleed Challenge.
The first was submitted at 4:22:01PST by Fedor Indutny (@indutny). He sent at least 2.5 million requests over the span of the challenge, this was approximately 30% of all the requests we saw. The second was submitted at 5:12:19PST by Ilkka Mattila of NCSC-FI using around 100 thousand requests.
We confirmed that both of these individuals have the private key and that it was obtained through Heartbleed exploits. We rebooted the server at 3:08PST, which may have contributed to the key being available in memory, but we canít be certain....
Secure Connection Failed
An error occurred during a connection to www.cloudflarechallenge.com.
Peer's Certificate has been revoked.
(Error code: sec_error_revoked_certificate)...
The first project under consideration to recieve funds from the Initiative will be OpenSSL, which could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests. CII was formed as a response to the Heartbleed security crisis; however, the Initiativeís efforts will not be restricted to security-related issues.
More info on the new funding is here: [webmasterworld.com...]
The title of that thread, as currently worded, isn't quite correct, and it misses the bigger picture.
The funding isn't directly to OpenSSL... it's establishing the "Core Infrastructure Initiative" (aka CII), in response to Heartbleed, and first funding goes to OpenSSL. The implications of Heartbleed were huge, as they involved the infrastructure of infrastructure... (to coin a phrase if someone hasn't already). Many very smart people recognized how critical and fragile that infrastructure currently is, and that open source was necessarily part of the long term fix.
I'll post more on that when I see whether the title gets changed, but I don't want to have two parallel discussions on CII.
IMO, that title and description should be...
Tech's biggest names fund "Core Infrastructure Initiative"
Heartbleed the canary in the coal mine for critical web infrastructure