LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   Heartbleed: cauterizing the wounds (http://www.linuxquestions.org/questions/slackware-14/heartbleed-cauterizing-the-wounds-4175502108/)

mancha 04-17-2014 06:34 PM

Heartbleed: cauterizing the wounds
 
The Internet continues to recover from the body blow delivered by OpenSSL's "heartbleed" flaw. Organizations scramble
to re-key certificates, CAs fill up CRL lists at exponential rates, while end-users change critical passwords.

CloudFlare's "steal our SSL keys" challenge played a pivotal role in how heartbleed is getting managed. Crowd-sourcing the
investigation of whether private keys were vulnerable or not turned out to be an inspired decision. Thanks to them, the
answer arrived quickly and violently: yes they are!

Suddenly we knew we weren't in the land of "what if"s - the threat was very serious and very real.

CloudFlare's written a nice summary which I recommend. In addition to providing useful information regarding heartbleed,
private keys, and RSA, it lists their challenge winners.

As it turns out, the hall-of-fame includes a slacker. Lucky 13!

--mancha

metaschima 04-17-2014 06:53 PM

Congratz on your work.

Quote:

A nagging question is why, when OpenSSL has functions to cleanse memory, are these chunks of keys being found in memory. We are continuing to investigate and if a bug is found will submit a patch for OpenSSL.
http://blog.cloudflare.com/the-heart...d-and-reissued

This might be an answer:
Quote:

So years ago we added exploit mitigations counter measures to libc
malloc and mmap, so that a variety of bugs can be exposed. Such
memory accesses will cause an immediate crash, or even a core dump,
then the bug can be analyed, and fixed forever.

Some other debugging toolkits get them too. To a large extent these
come with almost no performance cost.

But around that time OpenSSL adds a wrapper around malloc & free so
that the library will cache memory on it's own, and not free it to the
protective malloc.

You can find the comment in their sources ...

#ifndef OPENSSL_NO_BUF_FREELISTS
/* On some platforms, malloc() performance is bad enough that you can't just

OH, because SOME platforms have slow performance, it means even if you
build protective technology into malloc() and free(), it will be
ineffective. On ALL PLATFORMS, because that option is the default,
and Ted's tests show you can't turn it off because they haven't tested
without it in ages.

So then a bug shows up which leaks the content of memory mishandled by
that layer. If the memoory had been properly returned via free, it
would likely have been handed to munmap, and triggered a daemon crash
instead of leaking your keys.
http://article.gmane.org/gmane.os.openbsd.misc/211963

ruario 04-18-2014 06:47 AM

Quote:

Originally Posted by mancha (Post 5154748)
As it turns out, the hall-of-fame includes a slacker. Lucky 13!

Nice to see your name there. Well done!

And a big thanks for all your efforts in trying to keep your fellow Slackers secure.

Didier Spaier 04-18-2014 07:41 AM

Quote:

Originally Posted by ruario (Post 5154996)
And a big thanks for all your efforts in trying to keep your fellow Slackers secure.

... Big thanks as well from another Slacker.

NeoMetal 04-18-2014 12:04 PM

Thanks for the recap, and nice work!

jtsn 04-19-2014 06:33 AM

Meanwhile in OpenBSD land: http://opensslrampage.org/

metaschima 04-19-2014 12:21 PM

Quote:

Originally Posted by jtsn (Post 5155447)
Meanwhile in OpenBSD land: http://opensslrampage.org/

I do wonder why openssl devs insist on implementing their own versions of standard library functions, and doing a horrible job of it while they are at it. It might be because of performance, but isn't openssl supposed to be about security ? Maybe not.

ReaperX7 04-20-2014 09:13 AM

I'm starting to get more worried about now who these people are and if there's a reason behind this serious security flaw since all that crap about the NSA and Edward Snowden went public and viral. NSA leaked info said that the NSA had slipped people into development teams, bribed, conned, or forced projects and operating systems closed source and open source to have security flaws that the NSA could exploit.

I don't intent to start any conspiracy thought and theories but these are serious security flaws that have compromised an extremely high level of internet websites and databases to have been caused by something so trivial on the level as a decimal point off by one digit if that's a near-accurate comparison.

If HeartBleed has been around this long as a bug, there's no telling how long our information both public and private has been leaking and bleeding out and even worse, who has known about it all this time, and never breathed so much as a sigh about it, and was tapping into our lives in the dark unnoticed.

Even worse, I wonder how many other unknown security flaws still exist in other projects that are nearly on the same level of critical as HeartBleed that are out there possibly being exploited in the dark. I'm not saying we need to start blaming people directly, start background checking developers, or force code audits on a massive scale, but we should start being more cautious.

linuxtinker 04-20-2014 10:16 AM

I am less knowledgeable about security then most but wouldn't most of these exploits be protected if most people used multiple layers of security such as Hardware and software firewalls, SSL certs + passwords, and simply changing the default ports these "security flawed" services run on ? I have also come to reliazed there is no such thing as Secure once a system is connected to the internet.

This is a little Of topic but
RE:ReaperX7

Quote:

I'm starting to get more worried about now who these people are and if there's a reason behind this serious security flaw since all that crap about the NSA and Edward Snowden went public and viral. NSA leaked info said that the NSA had slipped people into development teams, bribed, conned, or forced projects and operating systems closed source and open source to have security flaws that the NSA could exploit.

If people really thought there data wasn't being spied on by the governments of the world, I have to say most people are oblivious. I actually want my government to be spying on us, It helps keep us safe, we do have laws that make the information they gather worthless in court. Also I look at it this way.... If I don't do anything Bad then they wont bother with me anyway. Who cares if they have those "naked Photos" from that crazy weekend (warning it can make them go blind) and those love letters i wrote to an EX. Its their waste of time not mine :) Being spied on is nothing new just something we have to expect, and for those Facebook,Twitter,Myspace ect ect users just keep making their job easier they know with you and your friends associate with and what your "behaviour profile" is without even interviewing you. And for advice to anyone doing something illegal Dont use anything that is electric, Sound proof your rooms, and trust noone , or just stop it :D


my :twocents:

metaschima 04-20-2014 11:52 AM

I was gonna ask if there is an alternative to openssl, but looking around there probably isn't. I don't know how many programs will build with GNUTLS instead of openssl, and there are many to rebuild.

linuxtinker 04-20-2014 11:59 AM

Had to do the Quick google search for alts to Openssl... Found this one

http://www.yassl.com/yaSSL/Home.html

Looks interesting

***** Not Truly open

Quote:

Open Source

CyaSSL, yaSSL, wolfCrypt, the yaSSL Embedded Web Server, yaSSH and TaoCrypt software are free software downloads and may be modified to the needs of the user as long as the user adheres to version two of the GPL License. The GPLv2 license can be found on the gnu.org website (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html).

and Commercial Licensing


jtsn 04-20-2014 12:04 PM

Quote:

Originally Posted by metaschima (Post 5156047)
I was gonna ask if there is an alternative to openssl, but looking around there probably isn't.

There is Mozilla libnss, which has its own API of course and isn't a drop-in replacement for OpenSSL.

ReaperX7 04-20-2014 12:15 PM

I'm surprised GNUTLS isn't as widely used.

linuxtinker 04-20-2014 12:22 PM

Quote:

Originally Posted by ReaperX7 (Post 5156061)
I'm surprised GNUTLS isn't as widely used.

This is one guys opion about it

metaschima 04-20-2014 01:28 PM

Quote:

Originally Posted by linuxtinker (Post 5156050)
Had to do the Quick google search for alts to Openssl... Found this one

http://www.yassl.com/yaSSL/Home.html

Looks interesting

***** Not Truly open

I did see that one before, actually the cyassl has an openssl compatibility layer, but is NOT a drop-in replacement and I don't know which programs can be built against it.

I guess it is sad to see that both openssl and gnutls have major internal coding issues. Maybe someone should start a kickstarter program to audit the code like truecrypt recently did. These are the very foundation of security for Linux, so it would definitely be worth it.


All times are GMT -5. The time now is 11:59 PM.