Amazon carefully stitches up Heartbleed OpenSSL hole

Amazon is working to patch "Heartbleed" memory-leak vulnerabilities in its Amazon Web Services hosting infrastructure. The mammoth cloud company confirmed on Tuesday that it has dealt with some of the parts of its infrastructure that were vulnerable to the nasty OpenSSL 1.0.1 bug nicknamed "Heartbleed" that was disclosed on …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    This was "in the wild"

    for 2 years, yet mere weeks after Snowden announces, Google have the answer to their NSA problem.

    s'a bit fishy.

  2. Anonymous Coward
    Anonymous Coward

    This didn't occur to me immediately

    But anyone using OpenSSL based software needs to update. This doesn't just include servers, but anyone using things such as OpenVPN clients on Windows etc...

    1. Tim 11

      Re: This didn't occur to me immediately

      True, but it only affects the client if you connect to a compromised server. So any attacker would have to have either compromised the server or lure you to a fake server, in which case this vulnerability is probably the least of your problems.

      1. Anonymous Coward
        Anonymous Coward

        Re: This didn't occur to me immediately

        The server is vulnerable.

      2. No, I will not fix your computer
        Boffin

        Re: This didn't occur to me immediately

        >>but it only affects the client if you connect to a compromised server.

        Not exactly, and you may not even be able to detect if a server had been "compromised" - say for example the private keys had been copied off, it probably hasn't left any footprint.

        Also, if someone had captured the traffic between a client and a server and then retrieves the private key the entire conversation is open to subsequent disclosure (which would probably include authentication details).

        If you have a network capture then get the keys you have the content, if you get the keys then have access to (or create/redirect to) a transparent proxy (which is far easier than you may expect) then you have the content.

        So, the safest option is to immediately shut down, reset all your authentication details, upgrade, generate new certificates and restart. Note: don't make the same mistake as many and just generate new certificates from the old keys; generate new keys as well (i.e. don't use the same CSR).

        The thing with this one is that millions of servers could have been harvested for keys for months/years; with those keys they could have been snooping at the contents (such as passwords) for months/years. How often do you change your (supposedly secure) credentials? Securing the sites won't change the fact they have your credentials - I'd suggest changing Amazon etc. passwords ASAP.

  3. malcolmus_rex

    Could heartbleed be in any way related to the windigo botnet?

    I'm just wondering, could the heartbleed bug, and its discovery, be in any way related to the discovery of the windigo botnet?

    http://www.theregister.co.uk/2014/03/18/windigo_unix_botnet/

    This was a botnet of Linux/Unix servers, where hackers gained access to ssh credentials and installed nefarious versions of ssh... but how did the hackers get access???

    Any thoughts anyone?

    1. Anonymous Coward
      Anonymous Coward

      Re: Could heartbleed be in any way related to the windigo botnet?

      SSH != SSL

      1. No, I will not fix your computer
        Boffin

        Re: Could heartbleed be in any way related to the windigo botnet?

        >>SSH != SSL

        OpenSSH (which comes as standard with many vendor-supplied OSes) uses part of OpenSSL (specifically libcrypto); however, OpenSSH doesn't use TLS for its sessions (unlike HTTPS, for which TLS is one option, and within TLS the heartbeat is optional).

        So while some versions of SSH can use bits of crypto from OpenSSL, the actual transport itself (the vulnerable bit) is pure OpenSSL TLS heartbeat.

        1. malcolmus_rex

          Re: Could heartbleed be in any way related to the windigo botnet?

          Thanks, it was just a thought. I knew ssh (ok, OpenSSH to be specific) used libcrypto from OpenSSL, but not the details of which bits.

  4. Quotes
    Big Brother

    Perfect Forward Secrecy

    Yahoo! users have the most to be concerned about because when they recently announced they were moving services over to HTTPS they also said they weren't going to use Perfect Forward Secrecy.

    However the likes of Google and Twitter have already adopted the principle of PFS in their security policies. If perfect forward secrecy is used and an encryption key is revealed then that is as far as it goes. It doesn't expose all the previous encrypted traffic. However, without it - Yahoo! style - you only need to prise it open once and you get the key to the kingdom.

    More info on the Google/Twitter announcements at www.forwardsecrecy.com

    1. Anonymous Coward
      Anonymous Coward

      Re: Yahoo and Perfect Forward Secrecy

      Assuming you are talking about Yahoo's punter-facing websites, that is exactly wrong as they are using PFS.

      There was a big announcement about it just the other day, you can go to one of their web pages and check for yourself.
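The two posts above (the "capture the traffic now, retrieve the private key later" scenario and the Perfect Forward Secrecy exchange) describe the same mechanism from two sides. The following is an added illustration, not code from the article or from any commenter: it models both handshake styles with deliberately tiny, unpadded, constructed RSA and Diffie-Hellman parameters (not secure, chosen only so the script runs offline without a prime search) and then hands a passive attacker's packet capture plus the server's leaked long-term private key to an "attacker" function. All names and parameters in the block are the example's own assumptions.

```python
"""Toy model of why Perfect Forward Secrecy limits the damage of a leaked
long-term private key. Constructed example; not code from the article.

Two handshakes are simulated over a passive attacker's packet capture:
  * RSA key transport (no PFS): the client encrypts the session secret to
    the server's long-term RSA key.
  * Ephemeral Diffie-Hellman signed by the RSA key (PFS): the long-term
    key only authenticates fresh per-session DH values.
Afterwards the attacker learns the server's long-term private key (the
situation a Heartbleed-style memory leak creates) and tries to recover the
session keys from the recorded traffic.

All parameters are tiny constructed toys and NOT secure.
"""
import hashlib
import secrets

# --- Toy long-term RSA key (constructed; real keys are 2048+ bits) ------
P_RSA = 2**61 - 1          # Mersenne primes: no prime search needed
Q_RSA = 2**89 - 1
N = P_RSA * Q_RSA
E = 65537
D = pow(E, -1, (P_RSA - 1) * (Q_RSA - 1))   # private exponent (the secret)

# --- Toy DH group (constructed; real groups are 2048+ bits) -------------
DH_P = 2**127 - 1          # prime modulus
DH_G = 3


def kdf(secret: int) -> bytes:
    """Derive a session key from the shared secret (toy KDF)."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def rsa_key_transport_handshake():
    """No PFS: the client picks the premaster and RSA-encrypts it to the server."""
    premaster = secrets.randbelow(N - 2) + 2
    ciphertext = pow(premaster, E, N)          # this is what goes on the wire
    server_premaster = pow(ciphertext, D, N)   # server decrypts with long-term key
    assert server_premaster == premaster
    return {"captured": ciphertext, "session_key": kdf(premaster)}


def dhe_handshake():
    """PFS: fresh DH values each session; the long-term key only signs them."""
    client_priv = secrets.randbelow(DH_P - 2) + 1
    server_priv = secrets.randbelow(DH_P - 2) + 1
    client_pub = pow(DH_G, client_priv, DH_P)
    server_pub = pow(DH_G, server_priv, DH_P)
    # Toy RSA signature over the server's ephemeral public value
    digest = int.from_bytes(
        hashlib.sha256(server_pub.to_bytes(16, "big")).digest(), "big") % N
    signature = pow(digest, D, N)
    assert pow(signature, E, N) == digest      # client verifies authenticity
    shared = pow(server_pub, client_priv, DH_P)
    assert shared == pow(client_pub, server_priv, DH_P)
    # The ephemeral private exponents are discarded here; only the public
    # values and the signature were ever observable on the wire.
    return {"captured": (client_pub, server_pub, signature),
            "session_key": kdf(shared)}


def attacker_after_leak_rsa(captured: int, leaked_d: int) -> bytes:
    """With the leaked private exponent, the recorded premaster simply decrypts."""
    return kdf(pow(captured, leaked_d, N))


def attacker_after_leak_dhe(captured, leaked_d: int) -> dict:
    """The leaked key lets the attacker forge signatures from now on, but the
    recorded session key depends on ephemeral exponents that were never
    transmitted and were discarded, so past traffic stays sealed."""
    client_pub, server_pub, signature = captured
    can_forge = pow(pow(12345, leaked_d, N), E, N) == 12345   # impersonation going forward
    # Nothing in (client_pub, server_pub, signature, leaked_d) yields the
    # shared secret without solving a discrete logarithm.
    return {"can_impersonate_now": can_forge, "recovered_session_key": None}


def demo() -> dict:
    """Run both handshakes and report what the leaked key buys the attacker."""
    rsa = rsa_key_transport_handshake()
    dhe = dhe_handshake()
    return {
        "rsa_session_recovered":
            attacker_after_leak_rsa(rsa["captured"], D) == rsa["session_key"],
        "dhe_session_recovered":
            attacker_after_leak_dhe(dhe["captured"], D)["recovered_session_key"]
            == dhe["session_key"],
    }


if __name__ == "__main__":
    print(demo())   # prints {'rsa_session_recovered': True, 'dhe_session_recovered': False}
```

The point the model makes is the one the commenters argue over: with key transport, every recorded session is one private-key leak away from being read, so the "capture now, get the key later" attack works retroactively, whereas with an ephemeral exchange the leaked key is still serious (it allows impersonation until the certificate is replaced, which is why re-keying rather than re-signing the old CSR matters) but does not unlock the archive.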
