[Hidden-tech] What Heartbleed (security breach) means to you

Rich Roth webmaster at hidden-tech.net
Thu Apr 10 16:40:53 EDT 2014


As a provider or tech supporter

Here are just some notes for you to follow up on:

Basic Info here: http://heartbleed.com

Since this has recently been highly publicized, I expect that we will see an uptick in 
activity on this vulnerability.

Test websites: (so you can see if servers you deal with have the issue)
http://filippo.io/Heartbleed/
https://github.com/FiloSottile/Heartbleed - the testing code


NOTE: OpenSSH's implementation of SSL functionality with OpenSSL is limited to key 
generation/verification/exchange, and it doesn't appear to use the TLS heartbeat code at all.

This vulnerability affects only services that implement SSL/TLS:

http://superuser.com/questions/739349/does-heartbleed-affect-ssh-keys

More specifics

There is a critical vulnerability that is out in the wild called Heartbleed. We need to 
identify and mitigate anywhere that is vulnerable. The following versions of the library 
are vulnerable:

  * *OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable*
  * OpenSSL 1.0.1g is NOT vulnerable
  * OpenSSL 1.0.0 branch is NOT vulnerable
  * OpenSSL 0.9.8 branch is NOT vulnerable

HOWEVER, note that we cannot simply check the openssl version on a server, as distributions 
back-port fixes to previous versions. For example, from the Ubuntu 14.04 openssl changelog 
(the second SECURITY UPDATE is the one we are discussing):

openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

   * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
     - debian/patches/CVE-2014-0076.patch: add and use constant time swap in
       crypto/bn/bn.h, crypto/bn/bn_lib.c, crypto/ec/ec2_mult.c,
       util/libeay.num.
     - CVE-2014-0076
   * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
     - debian/patches/CVE-2014-0160.patch: use correct lengths in
       ssl/d1_both.c, ssl/t1_lib.c.
     - CVE-2014-0160

  -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Mon, 07 Apr 2014 15:37:53 -0400
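As an added example (not part of the original post), the following POSIX shell script puts the two points above side by side: it classifies an upstream OpenSSL version string against the vulnerable/not-vulnerable list, and it separately checks a Debian-format changelog for the CVE-2014-0160 entry, since a back-ported fix keeps the upstream number (the Ubuntu "1.0.1f-1ubuntu2" package above still reads as 1.0.1f yet is patched). The version classifier goes slightly beyond the post's list by treating 1.0.1 letters after "g" as fixed too. The `--host` mode assumes a Debian/Ubuntu machine with `dpkg-query` and the usual `/usr/share/doc/openssl/changelog.Debian.gz` path; with no arguments it runs on the changelog excerpt embedded below.

```shell
#!/bin/sh
# Added example, not from the original post: version-list check vs. changelog check
# for CVE-2014-0160 (Heartbleed). Run with no arguments for the embedded demo, or
# with "--host" on a Debian/Ubuntu box (assumed paths, see below).

# upstream_status VERSION -> vulnerable | not-vulnerable | unknown
# Only the upstream part before any "-" is considered, so 1.0.1f-1ubuntu2 -> 1.0.1f.
upstream_status() {
  v="${1%%-*}"
  case "$v" in
    1.0.1|1.0.1[a-f])         echo vulnerable ;;      # 1.0.1 through 1.0.1f inclusive
    1.0.1[g-z]|1.0.0*|0.9.8*) echo not-vulnerable ;;  # 1.0.1g (and later letters), older branches
    *)                        echo unknown ;;
  esac
}

# changelog_status (Debian-format changelog on stdin) -> patched | unpatched
# A back-ported fix shows up as a CVE-2014-0160 entry even though the package
# version still carries the upstream 1.0.1f number.
changelog_status() {
  if grep -q 'CVE-2014-0160'; then echo patched; else echo unpatched; fi
}

# host_status: run both checks against the local Debian/Ubuntu package (assumed
# tool and path; not exercised by the embedded demo).
host_status() {
  pkgver=$(dpkg-query -W -f='${Version}' openssl 2>/dev/null) \
    || { echo "openssl package not found"; return 1; }
  echo "package version: $pkgver (version list says: $(upstream_status "$pkgver"))"
  echo "changelog says:  $(zcat /usr/share/doc/openssl/changelog.Debian.gz | changelog_status)"
}

# Changelog excerpt quoted in the post, used as the demo input.
SAMPLE_CHANGELOG='openssl (1.0.1f-1ubuntu2) trusty; urgency=medium

   * SECURITY UPDATE: side-channel attack on Montgomery ladder implementation
     - CVE-2014-0076
   * SECURITY UPDATE: memory disclosure in TLS heartbeat extension
     - debian/patches/CVE-2014-0160.patch: use correct lengths in
       ssl/d1_both.c, ssl/t1_lib.c.
     - CVE-2014-0160

  -- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Mon, 07 Apr 2014 15:37:53 -0400'

if [ "${1:-}" = "--host" ]; then
  host_status
else
  for v in 1.0.1e 1.0.1f-1ubuntu2 1.0.1g 1.0.0k 0.9.8y; do
    echo "$v -> $(upstream_status "$v")"
  done
  # The version list alone flags 1.0.1f-1ubuntu2 as vulnerable; the changelog
  # shows the back-ported fix is present.
  echo "sample changelog -> $(printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_status)"
fi
```

The point of running both functions together is the disagreement they expose: `upstream_status` says the Ubuntu package is vulnerable, `changelog_status` says it is patched, and only the second answer is correct. Neither check replaces restarting the affected services and rotating keys and certificates once the library is fixed.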



-- 
Rich Roth
Webmaster/Steering Committee Member
Hidden-tech http://www.hidden-tech.net
The Talent you need is right here,
Join and share your skills
((Sponsored by Thrives Media))
http://www.thrivesmedia.com
