Editing 1353: Heartbleed
Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.
The edit can be undone.
Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision | Your text | ||
Line 4: | Line 4: | ||
| title = Heartbleed | | title = Heartbleed | ||
| image = heartbleed.png | | image = heartbleed.png | ||
− | | titletext = I looked at some of the data dumps from vulnerable sites, and it was... bad. I saw emails, passwords, password hints. SSL keys and session cookies. Important servers brimming with visitor IPs. Attack ships on fire off the shoulder of Orion, c-beams glittering in the dark near the Tannhäuser Gate. I should probably patch OpenSSL. | + | | titletext = I looked at some of the data dumps from vulnerable sites, and it was ... bad. I saw emails, passwords, password hints. SSL keys and session cookies. Important servers brimming with visitor IPs. Attack ships on fire off the shoulder of Orion, c-beams glittering in the dark near the Tannhäuser Gate. I should probably patch OpenSSL. |
}} | }} | ||
==Explanation== | ==Explanation== | ||
− | The {{w|Heartbleed bug}} refers to a critical bug in the {{w|OpenSSL}} cryptographic library. This bug was publicly revealed on Monday, | + | The {{w|Heartbleed bug}} refers to a critical bug in the {{w|OpenSSL}} cryptographic library. This bug was publicly revealed on Monday, April 7th, 2014. Due to a programming error in OpenSSL versions 1.0.1 through 1.0.1f — meaning the bug had existed for two years — attackers could read random server memory by sending specially prepared HeartbeatRequest messages to an affected server. |
− | OpenSSL is a very commonly used library to implement {{w|SSL/TLS}}, a cryptographic protocol not only used to secure web traffic but also for mail clients and much more. Only the user and the server can read the communication. On the web the protocol is ''https://'' (HTTP Secure), instead of the open ''http://'' standard. SSL is often used to protect sensitive web traffic, such as login requests, which contains the | + | OpenSSL is a very commonly used library to implement {{w|SSL/TLS}}, a cryptographic protocol not only used to secure web traffic but also for mail clients and much more. Only the user and the server can read the communication. On the the web the protocol is ''https://'' (HTTP Secure), instead of the open ''http://'' standard. SSL is often used to protect sensitive web traffic, such as login requests, which contains the user names and passwords in the requests. The server sends a certificate to the browser before the secure connection is established. If the certificate is registered the browser accepts it automatically, otherwise the the user gets a popup to accept or reject this insecure certificate. |
− | A vulnerability that lets an attacker read random clumps of memory on the server would possibly let an attacker find recent username/password requests, allowing them to gain unauthorized access to user accounts. Even worse, this vulnerability could read the server's private key, enabling anyone to impersonate the server and/or decrypt any future traffic that relies on that key, and any previously obtained prior traffic also, unless a "perfect forward secrecy" | + | A vulnerability that lets an attacker read random clumps of memory on the server would possibly let an attacker find recent username/password requests, allowing them to gain unauthorized access to user accounts. Even worse, this vulnerability could read the server's private key, enabling anyone to impersonate the server and/or decrypt any future traffic that relies on that key, and any previously-obtained prior traffic also, unless a "perfect forward secrecy" ciphers is used, which is currently rare. Furthermore, the hearbleed exploit occurs during the handshake phase of setting up a connection, so no traces of it are logged, i.e. you can be attacked and never be the wiser. |
− | More information is available at [ | + | More information is available at [http://heartbleed.com heartbleed.com] or under CVE-2014-0160, [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 CVE-2014-0160 at nvd.nist.gov] |
− | + | The title text cites the {{w|Tears in rain soliloquy}}, the dying words of the replicant and main antagonist Roy Batty (played by {{w|Rutger Hauer}}) in the 1982 film ''{{w|Blade Runner}}'', implying that the 64Kb HeartBleed buffer is so complete it includes memories from replicant brains. | |
− | |||
− | The title text cites the {{w|Tears in rain soliloquy}}, the dying words of the replicant and main antagonist Roy Batty (played by {{w|Rutger Hauer}}) in the 1982 film ''{{w|Blade Runner}}'', implying that the | ||
− | |||
− | |||
===Heartbleed=== | ===Heartbleed=== | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | + | TLS (Transport Layer Security, the successor to SSL - Secure Sockets Layer, described in [http://tools.ietf.org/html/rfc5246 RFC 5246]) provides end-to-end encryption for data transmitted over the internet. The Heartbeat extension to TLS introduced in 2012 (described in [https://tools.ietf.org/html/rfc6520 RFC 6520]) provides a protocol for keeping an encrypted TLS session alive with the server, so you do not have to do a costly TLS handshake with the server. The Heartbeat protocol involves the client sending a packet with an arbitrary payload (e.g., a random 16-byte number) that the server periodically sends back to the client to tell the client that the TLS session is still alive. When the client sends the packet to a vulnerable version of OpenSSL, the OpenSSL server reads a payload_size, a 2-byte number (0 to 0xffff=65535) that is supposed to describe the size of the payload. Then the OpenSSL library writes the payload to memory, but it does not check that the size of the payload matches the payload_size taken from the client's header. Then when the vulnerable server sends back the Heartbeat KeepAlive response to the client, it will readout however payload_size number of bytes and send them back to the server. So if you send a payload that is actually 16 bytes, but claims it is 0xffff bytes you will read the next 64KiB of memory from the vulnerable process (typically a web server, but could also be a database, email, other server). An attacker can repeat this attack many times and can do this attack early in the TLS handshake, so the attack will not in any way be logged (unless they are logging every incoming packet which is not typical and would result in many passwords being logged). | |
− | It | + | It is worth noting that [modern operating systems use a virtual memory abstraction above physical memory](http://security.stackexchange.com/a/55271/2568). This means every process can only access memory assigned to it, so it would be impossible for a vulnerable web server to read memory assigned to another process (like a text editor that has erotic fan fiction stored to memory) on the same computer. |
− | + | It also should be noted that this heartbleed bug only affects TLS, and does not affect OpenSSH which does not use the TLS protocol, but uses the SSH-2 protocol (described in [http://tools.ietf.org/html/rfc4251 RFC 4251] a distinct protocol. | |
− | + | Vulnerable sysadmins need to update to a patched version of OpenSSL or one with the Heartbeats disabled, revoke their old TLS keys, and generate new TLS keys (as their old key may have been compromised). | |
− | + | Users of vulnerable systems should change their passwords after the sysadmins have revoked their old key and issued new ones (as their passwords may have been compromised). | |
==Transcript== | ==Transcript== | ||
Line 55: | Line 46: | ||
{{comic discussion}} | {{comic discussion}} | ||
− | |||
− | |||
− |