OpenSSL Security Advisory [07 Apr 2014] ========================================TLS heartbeat read overrun (CVE-2014-0160) ==========================================A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix.Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.1.0.2 will be fixed in 1.0.2-beta2.
Security Warning: Heartbleed bug affects most users
An extremely dangerous security vulnerability was released yesterday that affects most websites on the internet. The bug, named “heartbleed”, allows arbitrary data to be retrieved from many servers using “https” connections. The data may contain usernames/passwords/banking information or other sensitive data. The vulnerability has been reported to affect over 60% of websites online. As of my posting this blog post, mail.yahoo.com is still vulnerable, and many password storage websites (such as lastpass) may be insecure.
Furthermore, security researchers claim the vulnerability may work in reverse, allowing malicious servers to attack your home web browser. Luckily, common browsers such as Firefox, Chrome, and Android Browser seem to have sidestepped the vulnerability, but reports are still coming in. If a browser is vulnerable, a malicious website could obtain arbitrary information from your browser, including passwords, session keys, etc. This may also allow a 3rd party to steal your identity or perform transactions as you.
1. What can you do as a regular user to secure yourself best?
First, use your browser in a cookie-less (incognito, private-mode, etc) setting. This will prevent your browser from saving passwords, login information, etc. It is believed that websites will not be able to read data from any program besides your web browser [reference].
Secondly, avoid logging into insecure websites. Use this website to check if a website is still vulnerable to heartbleed: http://filippo.io/Heartbleed/ . If you log into a vulnerable website right now, your username and password are at risk. If the filippo.io website is down, you can test the vulnerability yourself using this python script [link].
Thirdly, *after* you confirm a website is not vulnerable, you may want to change your password on the website. The heartbleed vulnerability has affected all OpenSSL transmissions over the last two years. This means any data secured using https could be compromised if the attack was performed in the past two years.
2. What can you do as a server administrator?
If you do not use https, then you are not vulnerable. Of course, if you are not using https, then your http connections are already not encrypted.
First, upgrade your web server. Most repositories now have updated versions of the packages. Operating systems that may have a vulnerable version of OpenSSL include Debian Wheezy, Ubuntu 12.04.4 LTS, CentOS 6.5, Fedora 18, OpenBSD 5.3, FreeBSD 8.4, NetBSD 5.0.2 and OpenSUSE 12.2. Check your website using http://filippo.io/Heartbleed/ or the python script ssltest.py [link].
You should consider changing private keys. The heartbleed attack reveals up to 64kb of heap space at a time. Due to the fact that modern kernel memory allocation is not necessarily linear (see mmap), the private keys stored in memory may have been leaked in the past two years. If you do not change keys, there is a small chance that a malicious party could decrypt all SSL encrypted data even after you have upgraded OpenSSL.
Failure to update private keys could result in a man in the middle (MITM) attack any time in the future. Luckily, these attacks are difficult to perform, as the attacker needs to intercept messages between the client and server computers in real time. Malicious parties could use DNS poisoning to redirect client traffic to your computer; they could intercept data at the client computers internet connection; they could intercept data at an ISP level; finally, the heartbleed bug makes it possible for pervasive surveillance to monitor https connections. The latter is typically only the capability of nation states.
—-
As for us. KTByte cares a lot about security. We do not store credit card information on our web servers. We have patched our server, and we continue to require https connections for user login, registration, and payment redirects.
—-
Read more about the vulnerability here: http://heartbleed.com/ . Finally, this is the original advisory: