Heartbleed attack on Openssl

Pete Stephenson pete at heypete.com
Thu Apr 10 00:45:55 CEST 2014


On Apr 10, 2014 12:22 AM, "Felipe Vieira" <fmv1992 at gmail.com> wrote:
>
> So going back to the original question as I can see there is no
> disagreement on its importance:
> 1) What are the consequences to the ordinary user?
> All the news is lacking information on that. Can you point to relevant
> examples?

Any service using a vulnerable version of OpenSSL in the last two years
could have been silently attacked, with the attackers being able to gain
access to information stored in the server's memory.

The attacker might get memory containing empty sections, boring system
files, secret cryptographic keys (the compromise of which could, in some
cases, lead to user data being decrypted or a MITM being possible with no
warnings), user data, etc.

It's not clear if any bad guys knew about the bug prior to the announcement.
If they didn't and one patched any affected servers as soon as possible,
then the effects would be quite minimal. If they did know and exploited
things, or if one has not yet patched vulnerable systems, things could be
very bad.

In short: the consequences could be dire but there is no way of knowing for
certain what, if any, things have been compromised. It's probably best to
assume the worst.

> All I could gather is that the only major/well known server to be
> compromised was Yahoo.

Yahoo fixed the issue shortly after the public announcement of the bug. It
is not clear if bad guys were able to compromise their systems before it
was fixed, but researchers were able to successfully probe various systems
at Yahoo prior to the fix, so one should assume bad guys could do the same.

> For example: Gmail and Dropbox and Hotmail seem to be immune to this. I
> also found out that the Mozilla/Firefox browser was also immune. If I were to
> persuade someone of this bug's importance, which other examples could I
> give?

No service using an affected version of OpenSSL is immune. Some (like
Cloudflare) received advance notice and patched their systems before the
public announcement, while others may have used other SSL libraries or
versions of OpenSSL that were not vulnerable.

> 2) (specific question) Does Firefox use openssl to connect to some
> servers while browsing?

No. Firefox is immune because it uses the NSS Crypto library.

The issue typically exists on and affects servers. A server using an
affected version of OpenSSL is vulnerable regardless of what browser
clients use.

> 3) How about Ubuntu and other OSs? Do they use openssl to update
> themselves? (as in "apt-get update && apt-get upgrade").

Ubuntu and Debian use GnuPG to sign packages but updates typically take
place over unencrypted connections. The update mechanism is not affected by
this bug.

Cheers!
-Pete
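The memory disclosure Pete describes above came from the TLS heartbeat extension (RFC 6520): the server copied as many bytes as the peer's declared payload_length claimed, without checking that many bytes were actually present in the record. The following is an added Python illustration of the length check that the fix introduced; it is not code from this thread or from OpenSSL, and the helper names, the `record_body` layout and the sample `b"ping"` payload are assumptions constructed for the example.

```python
import struct

# Constants from RFC 5246 / RFC 6520 (TLS record type and heartbeat message types).
CONTENT_TYPE_HEARTBEAT = 24
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520: every heartbeat message carries at least 16 bytes of padding


def parse_heartbeat(record_body: bytes) -> bytes:
    """Parse a HeartbeatMessage and return its payload.

    Raises ValueError when the declared payload_length does not fit inside
    the record that actually arrived. That comparison is the check the
    vulnerable OpenSSL versions lacked: they trusted payload_length and
    copied that many bytes out of a much shorter buffer into the response.
    """
    if len(record_body) < 1 + 2 + PADDING_LEN:
        raise ValueError("heartbeat record too short")
    msg_type, payload_length = struct.unpack("!BH", record_body[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat message type")
    # Bounds check: type (1) + length (2) + payload + minimum padding must fit.
    if 1 + 2 + payload_length + PADDING_LEN > len(record_body):
        raise ValueError("declared payload length exceeds record length")
    return record_body[3:3 + payload_length]


def is_well_formed(record_body: bytes) -> bool:
    """Boolean wrapper around parse_heartbeat, handy for log or pcap triage."""
    try:
        parse_heartbeat(record_body)
        return True
    except ValueError:
        return False


def build_heartbeat(msg_type: int, payload: bytes) -> bytes:
    """Construct a consistent heartbeat record body (hypothetical helper)."""
    return struct.pack("!BH", msg_type, len(payload)) + payload + b"\x00" * PADDING_LEN


def heartbeat_response(record_body: bytes) -> bytes:
    """Server side of RFC 6520: validate the request, then echo its payload."""
    payload = parse_heartbeat(record_body)
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)
```

With the check in place, a request whose length field claims more bytes than the record holds is rejected instead of being answered with whatever followed the buffer in memory.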