Heartbleed: HUGE security bug affecting "secure" sites

Comments

  • bigluke1970 Posts: 634
    Forum Member
    I like this article from the BBC

    It gives you a list of what's been affected and what sites have not.

    http://www.bbc.co.uk/news/technology-26971363

    Yesterday I changed my Yahoo and Facebook passwords. I have contacted
    my Bank (Santander) who have told me that I don't need to change my Passcode for my online banking.
  • flagpole Posts: 44,641
    Forum Member
    Matt D wrote: »

    is key web services the same as all web services?

    they still issued their statement 3 days after everyone else.
  • flagpole Posts: 44,641
    Forum Member
    DotNetWill wrote: »
    The whole thing is being blown well out of proportion and the mainstream should feel ashamed for the scaremongering it has done.

    Yes it's a bad bug and yes there is PoC code of people getting passwords, but the actual chances of the private key being in the memory location copied, or of YOUR password and username being there, are fairly slim. It reads like it sends the whole memory back but it doesn't, and even if it did it would only be for OpenSSL, so you would have to be logging in as they sent the heartbeat.

    Also, if they got the private key they would still need to capture the whole session of packets you sent/received to the server to decrypt your information, because SSL uses a session key. So the private key can only be used to decrypt the session keys.

    A lot of things have to line up for you to be affected by this. Bad, but not the end of the world people are making out.

    it may well be that actually nothing comes of this. at all.

    but equally, it may be a disaster. something that is definitely going to be in or around the memory space run by openssl is the private key.
  • BeethovensPiano Posts: 11,689
    Forum Member
    flagpole wrote: »
    is key web services the same as all web services?

    they still issued their statement 3 days after everyone else.

    oh my god

    lol

    :confused:
  • flagpole Posts: 44,641
    Forum Member
    oh my god

    lol

    :confused:

    i'm afraid your point is lost on me?
  • IvanIV Posts: 30,301
    Forum Member
    flagpole wrote: »
    is key web services the same as all web services?

    they still issued their statement 3 days after everyone else.

    It's very lawyer speak, isn't it. If they were not hit by it, it means they use an older implementation.
  • IvanIV Posts: 30,301
    Forum Member
    flagpole wrote: »
    it may well be that actually nothing comes of this. at all.

    but equally, it may be a disaster. something that is definitely going to be in or around the memory space run by openssl is the private key.

    It's like a lottery: from the point of view of an individual the chances that you "win" are slim, but somebody will. Provided somebody exploits this actively and extensively.
  • flagpole Posts: 44,641
    Forum Member
    IvanIV wrote: »
    It's like a lottery: from the point of view of an individual the chances that you "win" are slim, but somebody will. Provided somebody exploits this actively and extensively.

    I'm not sure the chances are that slim. i don't know how it would work in practice. but whilst you are only dumping 64k of memory, there is no limit to the amount of times you could do it...

    ...the question is how different the results would be each time you did it. but presumably, say, the private key would be easily identifiable by some kind of text string preceding it or in it.

    it seems plausible that you could just keep doing it until you, automatically, identified the thing that you were looking for.
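    The mechanism DotNetWill and flagpole describe above (a heartbeat that declares a far larger payload than it actually sent, answered with up to 64k of whatever sat next to it in OpenSSL's memory) is also what a network sensor or a patched server keys on. The following is an added example, not code from the thread: a Python check that parses a raw TLS heartbeat record and applies the same bounds test the OpenSSL fix added, with constructed sample records to run it over.

```python
import struct

# TLS record layer / RFC 6520 constants
CONTENT_TYPE_HEARTBEAT = 24
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding


def check_heartbeat_record(record: bytes) -> str:
    """Classify one raw TLS record as 'ok', 'not-heartbeat',
    'truncated' or 'heartbleed-probe'.

    Vulnerable OpenSSL copied payload_length bytes from the request
    buffer into the reply without checking that the record actually
    contained that many bytes, so an oversized declared length leaked
    adjacent process memory (up to 64 KiB) in every response."""
    if len(record) < 5:
        return "truncated"
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_TYPE_HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 3:
        return "truncated"
    _hb_type, payload_len = struct.unpack("!BH", body[:3])
    # The check the fixed OpenSSL performs: type (1) + length (2) +
    # declared payload + minimum padding must fit in the received record.
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return "heartbleed-probe"
    return "ok"


def scan(records) -> dict:
    """Tally verdicts over a batch of records (e.g. pulled from a pcap)."""
    counts = {}
    for rec in records:
        verdict = check_heartbeat_record(rec)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed samples (TLS 1.1 record header: type, version 0x0302, length).
# Benign: declares 4 bytes, sends "ping" plus 16 bytes of padding (body = 23).
BENIGN = bytes([24, 3, 2, 0, 23, 1, 0, 4]) + b"ping" + b"\x00" * 16
# Probe: declares 0xFFFF bytes but sends no payload at all (body = 19).
PROBE = bytes([24, 3, 2, 0, 19, 1, 0xFF, 0xFF]) + b"\x00" * 16
# Ordinary application-data record, which the check must ignore.
APPDATA = bytes([23, 3, 2, 0, 2]) + b"hi"
```

    A sensor that alerts on "heartbleed-probe" sees the request itself, so it catches attempts whether or not the server was patched.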
  • call100 Posts: 7,264
    Forum Member
    Matt D wrote: »
    Many Yahoo passwords were apparently stolen on Tuesday...

    It was the most major site that was not already patched when the vulnerability was made public.

    Use of the vulnerability exploded when it went public, with quick and easy automated scripts being posted online allowing anyone to try it out on any site they wanted.

    True, but Yahoo seem to have a habit of having stuff stolen, notwithstanding Heartbleed..;-)
  • flagpole Posts: 44,641
    Forum Member
    IvanIV wrote: »
    It's very lawyer speak, isn't it. If they were not hit by it, it means they use an older implementation.

    more than two years old at that. which is difficult to explain.
  • IvanIV Posts: 30,301
    Forum Member
    flagpole wrote: »
    I'm not sure the chances are that slim. i don't know how it would work in practice. but whilst you are only dumping 64k of memory, there is no limit to the amount of times you could do it...

    ...the question is how different the results would be each time you did it. but presumably, say, the private key would be easily identifiable by some kind of text string preceding it or in it.

    it seems plausible that you could just keep doing it until you, automatically, identified the thing that you were looking for.

    It's raw memory blocks, you need to interpret the contents. I think it's not trivial, not everybody can make use of it, but yes, the probability is higher than in the lottery :D
  • IvanIV Posts: 30,301
    Forum Member
    Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately

    Some Dr guy in Germany. Both he and the code reviewer missed it. Ve haf vays!
  • alanwarwic Posts: 28,396
    Forum Member
    I'm not sure how Apple came into the picture.
    As we know they do very few web services and it's even more unlikely you use any of their 'non key' services.

    However, them throwing in the words 'we take security seriously' is open to question.
    How they managed to ignore that infamous user tracking database on every device is quite beyond me. The clue, Apple, in that historic one was in the ever increasing database size!
    :eek:
  • flagpole Posts: 44,641
    Forum Member
    IvanIV wrote: »
    Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately

    Some Dr guy in Germany. Both he and the code reviewer missed it. Ve haf vays!

    well he would say that wouldn't he.

    it's such a schoolboy error any hobbyist writing code for a personal website would anticipate and not make that mistake. it seems to me that if you are writing code for something that literally provides the security backbone to the internet you would be even more aware.

    but if i could ask him one question it would be what on earth led him to be committing to github at just before midnight on new year's eve.
  • psionic Posts: 20,188
    Forum Member
    alanwarwic wrote: »
    I'm not sure how Apple came into the picture.
    As we know they do very few web services and it's even more unlikely you use any of their 'non key' services

    They have a massive web service used by many millions of users called iCloud for a start. It incorporates everything from sync services, whole device backups, user photos and data storage, to an entire office suite that runs in a browser (similar to Microsoft's and Google's web apps).

    But it looks like they are using an older implementation of OpenSSL anyway.

    alanwarwic wrote: »
    However, them throwing in the words 'we take security seriously' is open to question.
    How they managed to ignore that infamous user tracking database on every device is quite beyond me. The clue, Apple, in that historic one was in the ever increasing database size!

    It's a standard canned response from any company. None are going to say they don't give a damn about security. The tracking database was only if the user opted in to send them diagnostics information. Loads of things have opt-ins to send diagnostics back to the maker.
  • flagpole Posts: 44,641
    Forum Member
    alanwarwic wrote: »
    I'm not sure how Apple came into the picture.
    As we know they do very few web services and it's even more unlikely you use any of their 'non key' services.

    However, them throwing in the words 'we take security seriously' is open to question.
    How they managed to ignore that infamous user tracking database on every device is quite beyond me. The clue, Apple, in that historic one was in the ever increasing database size!
    :eek:

    it's not just web services. it's everything over the internet secured by ssl. iPhones for instance, all of them, are constantly contacting apple servers.
  • IvanIV Posts: 30,301
    Forum Member
    flagpole wrote: »
    but if i could ask him one question it would be what on earth led him to be committing to github at just before midnight on new year's eve.

    Probably a New Year's resolution, "no more of this security holes crap" :D
  • IvanIV Posts: 30,301
    Forum Member
    flagpole wrote: »
    it's not just web services. it's everything over the internet secured by ssl. iPhones for instance, all of them, are constantly contacting apple servers.

    iTunes very likely uses a secure connection with SSL to connect to servers, too.
  • alanwarwic Posts: 28,396
    Forum Member
    flagpole wrote: »
    ....but if i could ask him one question it would be what on earth led him to be committing to github at just before midnight on new year's eve.

    Yep, it does hint of deadline incentive, though obviously it can enhance his student CV for 2011.

    BTW Apple's web services are much 'user services'. I simply do not classify them as a web company like the Facebooks, Googles and Yahoos of this world.
    Apart from the dubious iTunes, what, if anything, has Apple brought to the web world? It is much tied in to the hardware, even if still a web service.

    Interestingly OS/X happened to deprecate OpenSSL in 2011 just before this bug's introduction. Likely coincidence, but were they forewarned?
    I doubt we will ever know, this one will stay as a conspiracy theory forever I bet.
  • flagpole Posts: 44,641
    Forum Member
    alanwarwic wrote: »
    BTW Apple's web services are much 'user services'. I simply do not classify them as a web company like the Facebooks, Googles and Yahoos of this world.
    Apart from iTunes, what, if anything, has Apple brought to the web world? It is all tied in to the hardware.

    apple is a web service.

    you might not think of them that way. but literally every apple device sold connects to apple servers secured by ssl. backing up contact info, payments, collecting updates. if apple had fallen foul of this, a worst case scenario is complete control of every apple device on the planet.
  • alanwarwic Posts: 28,396
    Forum Member
    flagpole wrote: »
    it's not just web services. it's everything over the internet secured by ssl. iPhones for instance, all of them, are constantly contacting apple servers.

    Yep, I corrected my wording. It's just that everything in that Apple net world does, and probably never will, exist for the majority.
    The Siri Voice Cloud, iBeacon, iAds, iTunes, Apple Maps won't be coming our way any time soon. As said though, they likely deprecated OpenSSL for key services back in 2011 too.
  • flagpole Posts: 44,641
    Forum Member
    alanwarwic wrote: »
    Yep, I corrected my wording. It's just that everything in that Apple net world does, and probably never will, exist for the majority.
    The Siri Voice Cloud, iBeacon, iAds, iTunes, Apple Maps won't be coming our way any time soon.

    As said though, they likely deprecated OpenSSL for key services back in 2011 too.

    it's difficult to know what happened with openssl and apple. they certainly took it out of osx. but i don't know what they use for their backend. i suspect not osx.

    it would be funny if they were pretending to, but that this exposed that they aren't.
  • IvanIV Posts: 30,301
    Forum Member
    Pity about it, with the help of Siri somebody could have taken over the world :(
  • alanwarwic Posts: 28,396
    Forum Member
    BTW the Telegraph lists the main sites patched etc.
    http://www.telegraph.co.uk/technology/internet-security/10756807/Heartbleed-bug-which-passwords-should-you-change.html

    Obviously Apple crafted their own brand of statement elsewhere, so everyone gets to choose extra meanings in what they say.
  • alanwarwic Posts: 28,396
    Forum Member
    A quick check hints Siri is/was using OpenSSL.

    Maybe Apple do not define Siri as a 'key service'.
    :rolleyes: