Re: Heartbleed (was ... Re: My fellow (Debian) Linux users ...)
On Tue, 15 Apr 2014 07:00:03 +0200
shawn wilson <email@example.com> wrote:
> >> On Apr 14, 2014 11:01 AM, "Chris Bannister" <firstname.lastname@example.org>
> >> > On Mon, Apr 14, 2014 at 01:55:04AM -0500, Stan Hoeppner wrote:
> >> > I read https://www.schneier.com/blog/archives/2014/04/heartbleed.html
Here's the article from Bruce's CRYPT-GRAM from April 15, 2014:
Heartbleed is a catastrophic bug in OpenSSL:
"The Heartbleed bug allows anyone on the Internet to read the
memory of the systems protected by the vulnerable versions of
the OpenSSL software. This compromises the secret keys used to
identify the service providers and to encrypt the traffic, the
names and passwords of the users and the actual content. This
allows attackers to eavesdrop communications, steal data
directly from the services and users and to impersonate
services and users."
Basically, an attacker can grab 64K of memory from a server. The attack
leaves no trace, and can be done multiple times to grab a different
random 64K of memory. This means that anything in memory -- SSL private
keys, user keys, anything -- is vulnerable. And you have to assume that
it is all compromised. All of it.
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
The bug has been patched. After you patch your systems, you have to get
a new public/private key pair, update your SSL certificate, and then
change every password that could potentially be affected.
At this point, the probability is close to one that every target has had
its private keys extracted by multiple intelligence agencies. The real
question is whether or not someone deliberately inserted this bug into
OpenSSL, and has had two years of unfettered access to everything. My
guess is accident, but I have no proof.
More about Heartbleed on my blog:
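The "grab 64K of memory" above comes from the TLS heartbeat extension: a heartbeat request carries its own two-byte payload length, and unpatched OpenSSL echoed that many bytes back without confirming the record actually contained them. Added example (not code from Schneier's post or from OpenSSL): a simplified heartbeat handler in C that applies the length check the patch introduced, run over two constructed messages; the 16-byte minimum padding is the RFC 6520 figure.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_HEADER_LEN   3    /* type (1 byte) + payload_length (2 bytes, big-endian) */
#define HB_MIN_PADDING  16   /* RFC 6520: at least 16 bytes of random padding */

enum hb_verdict { HB_OK = 0, HB_TOO_SHORT = 1, HB_LENGTH_EXCEEDS_RECORD = 2 };

/* Compare the payload length the peer declares with the bytes actually present
 * in the record. A responder that skips this comparison echoes payload_length
 * bytes from wherever the request sits in memory, which is the leak. */
enum hb_verdict hb_check(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN)
        return HB_TOO_SHORT;
    size_t plen = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + plen + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_EXCEEDS_RECORD;
    return HB_OK;
}

/* Declared payload length, useful when logging a rejected record (0 if no header). */
uint16_t hb_declared_len(const uint8_t *rec, size_t rec_len)
{
    return rec_len < HB_HEADER_LEN ? 0 : (uint16_t)((rec[1] << 8) | rec[2]);
}

uint8_t hb_out[HB_HEADER_LEN + 0xFFFF + HB_MIN_PADDING];  /* response buffer */

/* Patched behaviour: drop the request unless the length checks out, then echo
 * only bytes that were really received. Returns response length, 0 if dropped. */
size_t hb_respond(const uint8_t *req, size_t req_len)
{
    if (hb_check(req, req_len) != HB_OK)
        return 0;
    size_t plen = hb_declared_len(req, req_len);
    hb_out[0] = 2;                               /* heartbeat_response */
    hb_out[1] = req[1]; hb_out[2] = req[2];
    memcpy(hb_out + HB_HEADER_LEN, req + HB_HEADER_LEN, plen);
    memset(hb_out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);
    return HB_HEADER_LEN + plen + HB_MIN_PADDING;
}

/* Constructed samples: a well-formed 4-byte "ping", and a 3-byte record that
 * declares a 65535-byte payload, the largest possible over-read per request. */
const uint8_t hb_sample_good[] = { 1, 0x00, 0x04, 'p', 'i', 'n', 'g',
                                   0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
const uint8_t hb_sample_bad[]  = { 1, 0xFF, 0xFF };
```

The same comparison, declared length against bytes on the wire, is what an IDS rule for this bug looks for in traffic.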