Old 04-17-2014, 06:34 PM   #1
mancha
Member
 
Registered: Aug 2012
Posts: 484

Rep: Reputation: Disabled
Heartbleed: cauterizing the wounds


The Internet continues to recover from the body blow delivered by OpenSSL's "heartbleed" flaw. Organizations scramble
to re-key certificates, CAs fill up CRL lists at exponential rates, while end-users change critical passwords.

CloudFlare's "steal our SSL keys" challenge played a pivotal role in how heartbleed is getting managed. Crowd-sourcing the
investigation of whether private keys were vulnerable or not turned out to be an inspired decision. Thanks to them, the
answer arrived quickly and violently: yes they are!

Suddenly we knew we weren't in the land of "what if"s - the threat was very serious and very real.

CloudFlare's written a nice summary which I recommend. In addition to providing useful information regarding heartbleed,
private keys, and RSA, it lists their challenge winners.

As it turns out, the hall-of-fame includes a slacker. Lucky 13!

--mancha
 
Old 04-17-2014, 06:53 PM   #2
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Congratz on your work.

Quote:
A nagging question is why, when OpenSSL has functions to cleanse memory, are these chunks of keys being found in memory. We are continuing to investigate and if a bug is found will submit a patch for OpenSSL.
http://blog.cloudflare.com/the-heart...d-and-reissued

This might be an answer:
Quote:
So years ago we added exploit mitigations counter measures to libc
malloc and mmap, so that a variety of bugs can be exposed. Such
memory accesses will cause an immediate crash, or even a core dump,
then the bug can be analyzed, and fixed forever.

Some other debugging toolkits get them too. To a large extent these
come with almost no performance cost.

But around that time OpenSSL adds a wrapper around malloc & free so
that the library will cache memory on its own, and not free it to the
protective malloc.

You can find the comment in their sources ...

#ifndef OPENSSL_NO_BUF_FREELISTS
/* On some platforms, malloc() performance is bad enough that you can't just

OH, because SOME platforms have slow performance, it means even if you
build protective technology into malloc() and free(), it will be
ineffective. On ALL PLATFORMS, because that option is the default,
and Ted's tests show you can't turn it off because they haven't tested
without it in ages.

So then a bug shows up which leaks the content of memory mishandled by
that layer. If the memory had been properly returned via free, it
would likely have been handed to munmap, and triggered a daemon crash
instead of leaking your keys.
http://article.gmane.org/gmane.os.openbsd.misc/211963
 
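To make the point of the quoted post concrete, here is a small added illustration (editor's example, not code from OpenSSL, OpenBSD or anyone in this thread). It contrasts a toy freelist allocator that recycles buffers without clearing them, in the spirit of the BUF_FREELISTS wrapper the post describes, with a "protective" allocator that junks memory on free before handing it back to the system. The names, pool size and the SECRET string are constructed for the demo and are not taken from either project.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration (not OpenSSL's or OpenBSD's code): a toy freelist
 * allocator that recycles buffers untouched, next to a "protective" one
 * that poisons memory on free. BUF_SIZE, POOL_SLOTS and SECRET are
 * assumptions made for this demo.
 */

#define BUF_SIZE   64
#define POOL_SLOTS 4

/* constructed sample "secret"; stands in for key material held in a buffer */
static const char SECRET[] = "CONSTRUCTED-PRIVATE-KEY-MATERIAL";

typedef void *(*alloc_fn)(void);
typedef void  (*free_fn)(void *);

/* --- caching allocator: freed buffers go onto a freelist as-is --- */
static unsigned char pool[POOL_SLOTS][BUF_SIZE];
static int freelist[POOL_SLOTS];
static int free_top   = 0;
static int next_fresh = 0;

static void *cache_alloc(void)
{
    if (free_top > 0)
        return pool[freelist[--free_top]];   /* recycled, stale bytes intact */
    if (next_fresh < POOL_SLOTS)
        return pool[next_fresh++];
    return NULL;
}

static void cache_free(void *p)
{
    /* Nothing is cleared and nothing reaches the system allocator, so a
       mitigation that lives in malloc()/free() never gets to see this buffer. */
    int idx = (int)((unsigned char *)p - &pool[0][0]) / BUF_SIZE;
    freelist[free_top++] = idx;
}

/* --- protective allocator: junk on free, then return to the system --- */
static void *guard_alloc(void)
{
    return malloc(BUF_SIZE);
}

static void guard_free(void *p)
{
    memset(p, 0xDF, BUF_SIZE);   /* poison so stale data cannot be read back */
    free(p);
}

/*
 * Write SECRET into a buffer, free it, allocate again and check whether the
 * old bytes are still readable in the new, deliberately uninitialised buffer.
 * Returns 1 if the secret survived the free/alloc cycle, 0 if it did not,
 * -1 if the allocator ran out of buffers.
 */
static int secret_survives(alloc_fn a, free_fn f)
{
    unsigned char *first = a();
    if (!first)
        return -1;
    memcpy(first, SECRET, sizeof SECRET);
    f(first);

    unsigned char *second = a();   /* not initialised on purpose */
    if (!second)
        return -1;
    int survived = memcmp(second, SECRET, sizeof SECRET) == 0;
    memset(second, 0, BUF_SIZE);   /* scrub before handing the slot back */
    f(second);
    return survived;
}

int main(void)
{
    printf("caching freelist : secret survives = %d\n",
           secret_survives(cache_alloc, cache_free));
    printf("junk-on-free     : secret survives = %d\n",
           secret_survives(guard_alloc, guard_free));
    return 0;
}
```

With the caching allocator the second allocation gets the very same slot, contents untouched, so whatever reads the buffer beyond what it just wrote sees the old secret; with junk-on-free the bytes have been overwritten before the system allocator ever sees the chunk. The demo only shows the retention side of the argument; the crash-on-misuse behaviour the post mentions depends on guard pages and unmapping in the real malloc, which this toy does not model.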
Old 04-18-2014, 06:47 AM   #3
ruario
Senior Member
 
Registered: Jan 2011
Location: Oslo, Norway
Distribution: Slackware
Posts: 2,557

Rep: Reputation: 1763
Quote:
Originally Posted by mancha
As it turns out, the hall-of-fame includes a slacker. Lucky 13!
Nice to see your name there. Well done!

And a big thanks for all your efforts in trying to keep your fellow Slackers secure.
 
Old 04-18-2014, 07:41 AM   #4
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,260

Rep: Reputation: Disabled

Quote:
Originally Posted by ruario
And a big thanks for all your efforts in trying to keep your fellow Slackers secure.
... Big thanks as well from another Slacker.
 
Old 04-18-2014, 12:04 PM   #5
NeoMetal
Member
 
Registered: Aug 2004
Location: MD
Distribution: Slackware
Posts: 114

Rep: Reputation: 24
Thanks for the recap, and nice work!
 
Old 04-19-2014, 06:33 AM   #6
jtsn
Member
 
Registered: Sep 2011
Posts: 925

Rep: Reputation: 483
Meanwhile in OpenBSD land: http://opensslrampage.org/
 
Old 04-19-2014, 12:21 PM   #7
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Quote:
Originally Posted by jtsn
Meanwhile in OpenBSD land: http://opensslrampage.org/
I do wonder why openssl devs insist on implementing their own versions of standard library functions, and doing a horrible job of it while they are at it. It might be because of performance, but isn't openssl supposed to be about security? Maybe not.
 
Old 04-20-2014, 09:13 AM   #8
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,564
Blog Entries: 15

Rep: Reputation: 2117
I'm starting to get more worried about now who these people are and if there's a reason behind this serious security flaw since all that crap about the NSA and Edward Snowden went public and viral. NSA leaked info said that the NSA had slipped people into development teams, bribed, conned, or forced projects and operating systems closed source and open source to have security flaws that the NSA could exploit.

I don't intend to start any conspiracy thoughts and theories, but these are serious security flaws that have compromised an extremely high level of internet websites and databases, caused by something so trivial on the level of a decimal point off by one digit, if that's a near-accurate comparison.

If HeartBleed has been around this long as a bug, there's no telling how long our information both public and private has been leaking and bleeding out and even worse, who has known about it all this time, and never breathed so much as a sigh about it, and was tapping into our lives in the dark unnoticed.

Even worse, I wonder how many other unknown security flaws still exist in other projects that are nearly on the same level of critical as HeartBleed that are out there possibly being exploited in the dark. I'm not saying we need to start blaming people directly, start background checking developers, or force code audits on a massive scale, but we should start being more cautious.

Last edited by ReaperX7; 04-20-2014 at 09:16 AM.
 
Old 04-20-2014, 10:16 AM   #9
linuxtinker
Member
 
Registered: Dec 2013
Location: NJ / USA
Distribution: Slackware 64 -Current
Posts: 232

Rep: Reputation: 99
I am less knowledgeable about security than most, but wouldn't most of these exploits be protected against if most people used multiple layers of security such as hardware and software firewalls, SSL certs + passwords, and simply changing the default ports these "security flawed" services run on? I have also come to realize there is no such thing as secure once a system is connected to the internet.

This is a little off topic, but
RE: ReaperX7

Quote:
I'm starting to get more worried about now who these people are and if there's a reason behind this serious security flaw since all that crap about the NSA and Edward Snowden went public and viral. NSA leaked info said that the NSA had slipped people into development teams, bribed, conned, or forced projects and operating systems closed source and open source to have security flaws that the NSA could exploit.

If people really thought their data wasn't being spied on by the governments of the world, I have to say most people are oblivious. I actually want my government to be spying on us; it helps keep us safe, and we do have laws that make the information they gather worthless in court. Also I look at it this way.... If I don't do anything bad then they won't bother with me anyway. Who cares if they have those "naked photos" from that crazy weekend (warning: it can make them go blind) and those love letters I wrote to an ex. It's their waste of time, not mine. Being spied on is nothing new, just something we have to expect, and for those Facebook, Twitter, Myspace etc. etc. users, just keep making their job easier; they know who you and your friends associate with and what your "behaviour profile" is without even interviewing you. And for advice to anyone doing something illegal: don't use anything that is electric, sound proof your rooms, and trust no one, or just stop it


my

Last edited by linuxtinker; 04-20-2014 at 10:17 AM.
 
Old 04-20-2014, 11:52 AM   #10
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
I was gonna ask if there is an alternative to openssl, but looking around there probably isn't. I don't know how many programs will build with GNUTLS instead of openssl, and there are many to rebuild.
 
Old 04-20-2014, 11:59 AM   #11
linuxtinker
Member
 
Registered: Dec 2013
Location: NJ / USA
Distribution: Slackware 64 -Current
Posts: 232

Rep: Reputation: 99
Had to do the quick Google search for alts to OpenSSL... Found this one

http://www.yassl.com/yaSSL/Home.html

Looks interesting

***** Not Truly open

Quote:
Open Source

CyaSSL, yaSSL, wolfCrypt, the yaSSL Embedded Web Server, yaSSH and TaoCrypt software are free software downloads and may be modified to the needs of the user as long as the user adheres to version two of the GPL License. The GPLv2 license can be found on the gnu.org website (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html).

and Commercial Licensing

Last edited by linuxtinker; 04-20-2014 at 12:01 PM. Reason: Update
 
Old 04-20-2014, 12:04 PM   #12
jtsn
Member
 
Registered: Sep 2011
Posts: 925

Rep: Reputation: 483
Quote:
Originally Posted by metaschima
I was gonna ask if there is an alternative to openssl, but looking around there probably isn't.
There is Mozilla libnss, which has its own API of course and isn't a drop-in replacement for OpenSSL.
 
Old 04-20-2014, 12:15 PM   #13
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-15.0 Multilib
Posts: 6,564
Blog Entries: 15

Rep: Reputation: 2117
I'm surprised GNUTLS isn't as widely used.
 
Old 04-20-2014, 12:22 PM   #14
linuxtinker
Member
 
Registered: Dec 2013
Location: NJ / USA
Distribution: Slackware 64 -Current
Posts: 232

Rep: Reputation: 99
Quote:
Originally Posted by ReaperX7
I'm surprised GNUTLS isn't as widely used.
This is one guy's opinion about it
 
Old 04-20-2014, 01:28 PM   #15
metaschima
Senior Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982

Rep: Reputation: 492
Quote:
Originally Posted by linuxtinker
Had to do the quick Google search for alts to OpenSSL... Found this one

http://www.yassl.com/yaSSL/Home.html

Looks interesting

***** Not Truly open
I did see that one before; actually CyaSSL has an OpenSSL compatibility layer, but it is NOT a drop-in replacement and I don't know which programs can be built against it.

I guess it is sad to see that both OpenSSL and GnuTLS have major internal coding issues. Maybe someone should start a Kickstarter program to audit the code, like TrueCrypt recently did. These are the very foundation of security for Linux, so it would definitely be worth it.
 
Tags
heartbleed, openssl, security, security recommendations, tls
All times are GMT -5.