The heart of the Internet is bleeding today.

heartbleed

Let me rephrase from an earlier statement.  After checked a few articles, I do feel it is something quite serious to the Internet.  But there is no need to be panic, unless you own some websites that need high security and manage sensitive customer credentials, and use OpenSSL (specifically version 1.0.1 that was released in March 2012, and 1.0.2 beta release, including 1.0.1f and 1.0.2-beta1).

However, as Schneier suggested, everyone should be more careful these days.  Even take yourself off the grid for the rest of the week.  Canada Revenue Agency – CRA already did so although we are in tax season.  So think about this before you get to know what exactly happened on the Internet.  I will try to avoid doing online banking or financial transactions, and not try to log on those sites to change passwords.  Less expose will be better.

If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.

To help on learning the situation, here are a few links I checked since last night:

Here is description of CVE-2014-0160:  a missing bounds check in the handling of the TLS Heartbeat Extension (RFC 6520) can be used to reveal up to 64k of memory to a connected client or server.

I found the following layman’s explanation in an online forum:

You can ask an SSL server to let you know that it’s alive ("heartbeat") by sending it a message and asking it to repeat it back to you. You say: here’s my message – it’s X bytes long. The server stores your message in memory, and then responds with (starting location of your message + X) bytes of data.

The problem is that the server BELIEVES you when you tell it how long your message is. If you send it a 1-byte message, but tell it that your message is 65000 bytes long, it returns your byte plus the next 64999 bytes of WHATEVER was nearby in RAM.

The fix was, unsurprisingly, to CHECK the length of incoming heartbeat messages against their advertised length.

In general, Microsoft is not affected since they are not using OpenSSL.  But there is no official disclaimer on this, only a few words in the  places like this "http://social.technet.microsoft.com/Forums/en-US/93a24775-6f62-4690-8c86-3652b74c1b4f/openssl-vulnerability?forum=Forefrontedgegeneral"

Cisco has a public release on the issue – http://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20140409-heartbleed.html

Heartbleed has a website, to stop the bleeding I guess.  Also there is a online tool that may check the vulnerability of a website.  Here it is: http://filippo.io/Heartbleed/.  The fix is out as well: Open SSL 1.0.1g.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s