Slackware This Forum is for the discussion of Slackware Linux.
04-17-2014, 06:34 PM | #1 | mancha | Member | Registered: Aug 2012 | Posts: 484
Heartbleed: cauterizing the wounds

The Internet continues to recover from the body blow delivered by OpenSSL's "heartbleed" flaw. Organizations scramble to re-key certificates, CAs fill up CRL lists at exponential rates, while end-users change critical passwords.

CloudFlare's "steal our SSL keys" challenge played a pivotal role in how heartbleed is getting managed. Crowd-sourcing the investigation of whether private keys were vulnerable or not turned out to be an inspired decision. Thanks to them, the answer arrived quickly and violently: yes they are!

Suddenly we knew we weren't in the land of "what if"s - the threat was very serious and very real.

CloudFlare's written a nice summary which I recommend. In addition to providing useful information regarding heartbleed, private keys, and RSA, it lists their challenge winners.

As it turns out, the hall-of-fame includes a slacker. Lucky 13!

--mancha
04-17-2014, 06:53 PM | #2 | metaschima | Senior Member | Registered: Dec 2013 | Distribution: Slackware | Posts: 1,982
Congrats on your work.

Quote:
A nagging question is why, when OpenSSL has functions to cleanse memory, are these chunks of keys being found in memory. We are continuing to investigate and if a bug is found will submit a patch for OpenSSL.
http://blog.cloudflare.com/the-heart...d-and-reissued

This might be an answer:

Quote:
So years ago we added exploit mitigations counter measures to libc malloc and mmap, so that a variety of bugs can be exposed. Such memory accesses will cause an immediate crash, or even a core dump, then the bug can be analyzed, and fixed forever.

Some other debugging toolkits get them too. To a large extent these come with almost no performance cost.

But around that time OpenSSL adds a wrapper around malloc & free so that the library will cache memory on its own, and not free it to the protective malloc.

You can find the comment in their sources ...

#ifndef OPENSSL_NO_BUF_FREELISTS
/* On some platforms, malloc() performance is bad enough that you can't just

OH, because SOME platforms have slow performance, it means even if you build protective technology into malloc() and free(), it will be ineffective. On ALL PLATFORMS, because that option is the default, and Ted's tests show you can't turn it off because they haven't tested without it in ages.

So then a bug shows up which leaks the content of memory mishandled by that layer. If the memory had been properly returned via free, it would likely have been handed to munmap, and triggered a daemon crash instead of leaking your keys.
http://article.gmane.org/gmane.os.openbsd.misc/211963
1 member found this post helpful.
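The mechanism described in the gmane quote above, as an added example that is not code from the thread, from OpenSSL or from OpenBSD: a toy freelist cache (a chunk "freed" to it keeps its contents and is handed straight back on the next allocation) next to a guard-page allocator (the buffer ends exactly at a PROT_NONE page), with the same heartbeat-style over-read run against each. The chunk size, the freelist depth, the `heartbeat()` helper, the request bytes and the stand-in key string are all constructed for the demonstration; the SIGSEGV trap is only there so the faulting case can report a value instead of killing the process.

```c
/* Added example (not from the thread, OpenSSL or OpenBSD). Two toy
 * allocators show why a freelist cache in front of malloc()/free()
 * hides an over-read that a guard-page ("protective") allocator turns
 * into a crash. Names, sizes and data are constructed for the demo.
 * Linux/glibc; build with: cc -o hb hb.c */
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define CHUNK 256                        /* fixed chunk size of the toy freelist */
#define NCHUNKS 8

/* Constructed stand-in for key material that once lived in a buffer. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";
/* Constructed heartbeat request: type 1, payload_length 0x00c8 = 200,
 * followed by only five real payload bytes. */
static const unsigned char REQ[8] = { 1, 0x00, 0xc8, 'p', 'i', 'n', 'g', 0 };

/* --- 1. freelist cache: "free" parks the chunk, contents untouched --- */
static unsigned char pool[NCHUNKS][CHUNK];
static unsigned char *freelist[NCHUNKS];
static int nfree;

static void cache_init(void) {
    for (nfree = 0; nfree < NCHUNKS; nfree++)
        freelist[nfree] = pool[nfree];
}
static unsigned char *cache_alloc(void) { return nfree ? freelist[--nfree] : NULL; }
static void cache_free(unsigned char *p) { freelist[nfree++] = p; }

/* --- 2. guard-page allocator: buffer ends exactly at a PROT_NONE page --- */
static unsigned char *guarded_alloc(size_t n) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t pages = (n + pg - 1) / pg;
    unsigned char *base = mmap(NULL, (pages + 1) * pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + pages * pg, pg, PROT_NONE) != 0) return NULL;
    return base + pages * pg - n;        /* right-aligned against the guard */
}

/* Catch the fault so the demo can report it; not a pattern for real code. */
static sigjmp_buf trap;
static void on_segv(int sig) { (void)sig; siglongjmp(trap, 1); }

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Simulated heartbeat handler: trusts the peer's payload_length and copies
 * that many bytes out of the request buffer into the reply.
 * Returns 1 if SECRET ends up in the reply, 0 if not, -1 if the copy faulted. */
static int heartbeat(unsigned char *req) {
    size_t claimed = ((size_t)req[1] << 8) | req[2];
    unsigned char reply[CHUNK * 2];
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    int rc;
    if (sigsetjmp(trap, 1) == 0) {
        memcpy(reply, req + 3, claimed); /* the over-read: only 5 payload bytes are real */
        rc = contains(reply, claimed, SECRET);
    } else {
        rc = -1;                         /* guard page hit */
    }
    sigaction(SIGSEGV, &old, NULL);
    return rc;
}

/* Scenario A: a chunk that held a key is "freed" to the cache and then
 * handed straight back to hold the next heartbeat request. */
int demo_freelist_leak(void) {
    cache_init();
    unsigned char *key = cache_alloc();
    memset(key, 0, CHUNK);
    memcpy(key + 64, SECRET, sizeof SECRET);
    cache_free(key);                     /* no scrub, no munmap: just parked */
    unsigned char *req = cache_alloc();  /* the same chunk comes back */
    memcpy(req, REQ, sizeof REQ);
    return heartbeat(req);               /* 1: key bytes leak into the reply */
}

/* Scenario B: the request sits against a guard page, so reading past its
 * end faults instead of disclosing anything. */
int demo_guard_page_trap(void) {
    unsigned char *req = guarded_alloc(sizeof REQ);
    if (req == NULL) return -2;
    memcpy(req, REQ, sizeof REQ);
    return heartbeat(req);               /* -1: SIGSEGV on the over-read */
}

int main(void) {
    printf("freelist cache : %d (1 = secret leaked)\n", demo_freelist_leak());
    printf("guard page     : %d (-1 = faulted)\n", demo_guard_page_trap());
    return 0;
}
```

The point of scenario A is that nothing in the cache path ever reaches libc: no scrubbing, no munmap, so whatever the chunk held last is still there for the next over-read. Scenario B is the behaviour the gmane post attributes to the protective malloc: the same bug becomes a crash and a core dump rather than a silent disclosure.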
04-18-2014, 06:47 AM | #3 | ruario | Senior Member | Registered: Jan 2011 | Location: Oslo, Norway | Distribution: Slackware | Posts: 2,557
Quote:
Originally Posted by mancha
As it turns out, the hall-of-fame includes a slacker. Lucky 13!

Nice to see your name there. Well done!
And a big thanks for all your efforts in trying to keep your fellow Slackers secure.
1 member found this post helpful.

04-18-2014, 07:41 AM | #4 | LQ Addict | Registered: Nov 2008 | Location: Paris, France | Distribution: Slint64-15.0 | Posts: 11,260
Quote:
Originally Posted by ruario
And a big thanks for all your efforts in trying to keep your fellow Slackers secure.

... Big thanks as well from another Slacker.
1 member found this post helpful.

04-18-2014, 12:04 PM | #5 | Member | Registered: Aug 2004 | Location: MD | Distribution: Slackware | Posts: 114
Thanks for the recap, and nice work!
04-19-2014, 06:33 AM | #6 | jtsn | Member | Registered: Sep 2011 | Posts: 925
Meanwhile in OpenBSD land: http://opensslrampage.org/
1 member found this post helpful.

04-19-2014, 12:21 PM | #7 | metaschima | Senior Member | Registered: Dec 2013 | Distribution: Slackware | Posts: 1,982
Quote:
Originally Posted by jtsn

I do wonder why openssl devs insist on implementing their own versions of standard library functions, and doing a horrible job of it while they are at it. It might be because of performance, but isn't openssl supposed to be about security? Maybe not.
04-20-2014, 09:13 AM | #8 | ReaperX7 | LQ Guru | Registered: Jul 2011 | Location: California | Distribution: Slackware64-15.0 Multilib | Posts: 6,564
I'm starting to get more worried now about who these people are and if there's a reason behind this serious security flaw, since all that crap about the NSA and Edward Snowden went public and viral. NSA leaked info said that the NSA had slipped people into development teams, bribed, conned, or forced projects and operating systems, closed source and open source, to have security flaws that the NSA could exploit.

I don't intend to start any conspiracy thoughts and theories, but these are serious security flaws that have compromised an extremely high number of internet websites and databases, caused by something as trivial as a decimal point off by one digit, if that's a near-accurate comparison.

If HeartBleed has been around this long as a bug, there's no telling how long our information, both public and private, has been leaking and bleeding out, and even worse, who has known about it all this time, and never breathed so much as a sigh about it, and was tapping into our lives in the dark unnoticed.

Even worse, I wonder how many other unknown security flaws still exist in other projects that are nearly on the same level of critical as HeartBleed, that are out there possibly being exploited in the dark. I'm not saying we need to start blaming people directly, start background checking developers, or force code audits on a massive scale, but we should start being more cautious.

Last edited by ReaperX7; 04-20-2014 at 09:16 AM.
2 members found this post helpful.

04-20-2014, 10:16 AM | #9 | linuxtinker | Member | Registered: Dec 2013 | Location: NJ / USA | Distribution: Slackware 64 -Current | Posts: 232
I am less knowledgeable about security than most, but wouldn't most of these exploits be protected against if most people used multiple layers of security such as hardware and software firewalls, SSL certs + passwords, and simply changing the default ports these "security flawed" services run on? I have also come to realize there is no such thing as secure once a system is connected to the internet.

This is a little off topic, but

RE: ReaperX7
Quote:
I'm starting to get more worried about now who these people are and if there's a reason behind this serious security flaw since all that crap about the NSA and Edward Snowden went public and viral. NSA leaked info said that the NSA had slipped people into development teams, bribed, conned, or forced projects and operating systems closed source and open source to have security flaws that the NSA could exploit.

If people really thought their data wasn't being spied on by the governments of the world, I have to say most people are oblivious. I actually want my government to be spying on us; it helps keep us safe, and we do have laws that make the information they gather worthless in court. Also I look at it this way.... If I don't do anything bad then they won't bother with me anyway. Who cares if they have those "naked photos" from that crazy weekend (warning: it can make them go blind) and those love letters I wrote to an ex. It's their waste of time, not mine. Being spied on is nothing new, just something we have to expect, and those Facebook, Twitter, Myspace etc. etc. users just keep making their job easier; they know who you and your friends associate with and what your "behaviour profile" is without even interviewing you. And for advice to anyone doing something illegal: don't use anything that is electric, soundproof your rooms, and trust no one, or just stop it
my

Last edited by linuxtinker; 04-20-2014 at 10:17 AM.
04-20-2014, 11:52 AM | #10 | metaschima | Senior Member | Registered: Dec 2013 | Distribution: Slackware | Posts: 1,982
I was gonna ask if there is an alternative to openssl, but looking around there probably isn't. I don't know how many programs will build with GNUTLS instead of openssl, and there are many to rebuild.
04-20-2014, 11:59 AM | #11 | linuxtinker | Member | Registered: Dec 2013 | Location: NJ / USA | Distribution: Slackware 64 -Current | Posts: 232
Had to do the quick Google search for alts to OpenSSL... Found this one:
http://www.yassl.com/yaSSL/Home.html
Looks interesting.

***** Not truly open

Quote:
Open Source
CyaSSL, yaSSL, wolfCrypt, the yaSSL Embedded Web Server, yaSSH and TaoCrypt software are free software downloads and may be modified to the needs of the user as long as the user adheres to version two of the GPL License. The GPLv2 license can be found on the gnu.org website (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html).
and Commercial Licensing

Last edited by linuxtinker; 04-20-2014 at 12:01 PM. Reason: Update
04-20-2014, 12:04 PM | #12 | jtsn | Member | Registered: Sep 2011 | Posts: 925
Quote:
Originally Posted by metaschima
I was gonna ask if there is an alternative to openssl, but looking around there probably isn't.

There is Mozilla libnss, which has its own API of course and isn't a drop-in replacement for OpenSSL.
04-20-2014, 12:15 PM | #13 | ReaperX7 | LQ Guru | Registered: Jul 2011 | Location: California | Distribution: Slackware64-15.0 Multilib | Posts: 6,564
I'm surprised GNUTLS isn't as widely used.
04-20-2014, 12:22 PM | #14 | linuxtinker | Member | Registered: Dec 2013 | Location: NJ / USA | Distribution: Slackware 64 -Current | Posts: 232
Quote:
Originally Posted by ReaperX7
I'm surprised GNUTLS isn't as widely used.

This is one guy's opinion about it
04-20-2014, 01:28 PM | #15 | metaschima | Senior Member | Registered: Dec 2013 | Distribution: Slackware | Posts: 1,982
Quote:
Originally Posted by linuxtinker

I did see that one before. Actually, CyaSSL has an OpenSSL compatibility layer, but it is NOT a drop-in replacement and I don't know which programs can be built against it.

I guess it is sad to see that both OpenSSL and GnuTLS have major internal coding issues. Maybe someone should start a Kickstarter program to audit the code like TrueCrypt recently did. These are the very foundation of security for Linux, so it would definitely be worth it.