Thread subject: Security Override :: SSL is no longer secure

Posted by jepeeps1 on 04/09/2014 10:19:11
#1

http://heartbleed.com/
http://www.businessinsider.com/heartbleed-bug-explainer-2014-4

Now hackers can get into bank databases and other files from different organisations by pretending to be a heartbeat package used by the OpenSSL connection. When disguised as the correct heartbeat package, the hacker can get info sent from the database server instead of the real computer of a client logging in, therefore receiving his/her credentials, which can later be used in a hack.

The server appears to see no flaws because it thinks it sent the correct information to the correct PC.

Use it wisely ;-)

PS: apparently it's been around for quite some time, but since the news is flaring up about it now, I thought I'd post it here too.

greetz, jep.

Posted by madf0x on 04/10/2014 09:23:27
#2

Slightly incorrect.

The vulnerability is a buffer over-read, and winds up reading 64k bytes out of the process memory. This means you could leak out the encryption keys, significantly more valuable than mere credentials (oh, but you can get those too!).

Also, no exploit code is out yet, but there have been some clues as to where the vuln is, so it's possible to devise an exploit by looking at the patch changes.
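
The over-read madf0x describes, as an added illustration that is not code from this thread or from OpenSSL: a simplified heartbeat record (1-byte type, 2-byte length, payload, 16 bytes of padding) is handled once by a handler shaped like the pre-fix code, which trusts the peer-supplied length, and once by a handler carrying the bounds check the patch introduced. The "process memory" array, the fake key behind the record and all function names are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16          /* RFC 6520 requires at least 16 bytes of padding */

/* Constructed stand-in for the server process's memory (not a real
 * OpenSSL structure): the received heartbeat record is placed at the
 * front, and a fake key sits directly behind it. */
static uint8_t process_memory[256];
static const char SECRET[] = "PRIVATE-KEY-MATERIAL";

/* Build a heartbeat request whose 2-byte length field claims `claimed`
 * payload bytes but which really carries only `actual` bytes.
 * Returns the record's true length as it arrived on the wire. */
static size_t build_request(uint8_t *buf, uint16_t claimed,
                            const char *payload, size_t actual)
{
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + 3, payload, actual);
    memset(buf + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/* Vulnerable handler, shaped like the pre-fix code: it trusts the
 * peer-supplied length and copies that many bytes, never asking how
 * long the record it received actually was. */
static long vuln_process_heartbeat(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    (void)rec_len;                       /* the bug: real length never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t need = 3 + (size_t)payload + HB_PADDING;
    if (need > out_cap) return -1;       /* keeps this demo inside its own buffer */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* over-read: copies past the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (long)need;
}

/* Fixed handler: same as above plus the bounds check the patch added.
 * A request whose claimed payload does not fit in the received record
 * is silently discarded instead of answered. */
static long fixed_process_heartbeat(const uint8_t *rec, size_t rec_len,
                                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING) return -1;      /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload + HB_PADDING > rec_len) return -1;   /* the fix */
    size_t need = 3 + (size_t)payload + HB_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* now provably inside the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (long)need;
}

/* 1 if SECRET appears anywhere in a reply of out_len bytes, else 0. */
static int reply_contains_secret(const uint8_t *out, long out_len)
{
    size_t n = strlen(SECRET);
    if (out_len < 0) return 0;
    for (size_t i = 0; i + n <= (size_t)out_len; i++)
        if (memcmp(out + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Place a malicious request (claims 64 bytes, carries 4) in front of the
 * secret and run one handler over it. Returns -1 if the handler rejected
 * the request, 1 if its reply leaked the secret, 0 if it replied cleanly. */
static int run_handler(long (*handler)(const uint8_t *, size_t, uint8_t *, size_t))
{
    uint8_t reply[128];
    memset(process_memory, 0, sizeof process_memory);
    size_t rec_len = build_request(process_memory, 64, "ping", 4);
    memcpy(process_memory + rec_len, SECRET, sizeof SECRET);
    long n = handler(process_memory, rec_len, reply, sizeof reply);
    if (n < 0) return -1;
    return reply_contains_secret(reply, n);
}

int vuln_demo(void)  { return run_handler(vuln_process_heartbeat); }
int fixed_demo(void) { return run_handler(fixed_process_heartbeat); }

int main(void)
{
    printf("vulnerable handler leaked secret: %s\n", vuln_demo() == 1 ? "yes" : "no");
    printf("fixed handler rejected request:   %s\n", fixed_demo() == -1 ? "yes" : "no");
    return 0;
}
```

The request claims 64 payload bytes but carries 4, so the vulnerable handler copies 60 bytes of whatever follows the record, here the fake key, into its reply; the fixed handler compares the claimed length against the record it actually received and drops the request. The 2-byte length field is also why each request can pull back at most just under 64 KiB, which is the figure quoted above.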

Posted by SAiF on 04/11/2014 12:04:03
#3

All our servers are already taken care of.

Just do a yum update and restart the services that use SSL and you are good to go.

Older versions of SSL, 0.9.X.X, are not affected by this bug.