
Impact of a tiny bug

As you may have heard, on Monday a group of security engineers reported the existence of the 'Heartbleed' bug in OpenSSL. It has since sent waves through the internet community, and for good reason: OpenSSL is used by most of the internet for encryption.

Why is this bug so important?

Most people outside tech circles had never heard of OpenSSL before this week and still do not know what the software does. SSL (Secure Sockets Layer), which you probably have heard of, is the encryption protocol used to securely transfer data between an internet server and a client (such as a web browser). SSL uses an asymmetric method in which the server sends the client a public encryption key that can encrypt data but cannot decrypt it. The server keeps a separate private key that can decrypt the data. This process is inverted for data being sent to the client.

OpenSSL is an open source toolkit used by many other programs to encrypt and decrypt data. This asymmetric system is valuable for a wide range of applications, including securing email transmission, FTPS and file uploads.

The actual error in the code was traced back to a change made roughly two years ago.

How to fix

Fixing the bug requires you to update OpenSSL to version 1.0.1g. This is the newest release which came out with the announcement of the bug on Monday.

AWS Server

These instructions assume you have already set up an instance and have an SSH client available.

  1. Log in to your instance via the SSH client and switch to the root user.
  2. Run the YUM update command for the "openssl" package.
  3. Press "Y" when it asks whether you want to update the package.
  4. Verify the installation occurred correctly by starting/restarting the httpd service.
  5. Revoke and reissue all SSL certificates (including self-signed ones).

Summary of command line inputs

  • $ sudo su
  • $ yum update openssl
  • .....
  • $ service httpd restart
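Restarting httpd proves the service comes back up, but it does not tell you which OpenSSL you are now running. The POSIX shell helper below is an added example, not part of the original post: it classifies an `openssl version` string against the 1.0.1g fix (the affected range of 1.0.1 through 1.0.1f, with 1.0.0 and 0.9.8 unaffected, is taken from the OpenSSL advisory) and, when run with `--check`, inspects the OpenSSL binary on the host. The `openssl` binary is assumed to be installed; the version strings in the test are constructed samples. One caveat worth knowing before trusting the letter alone: Amazon Linux and other Red Hat-derived distributions backport fixes while keeping the "1.0.1e" version string, so the function deliberately reports such a string as needing attention. Confirm with the package changelog, or with the build date that `openssl version -a` prints: a binary built before the disclosure cannot contain the fix.

```shell
#!/bin/sh
# Added example (not from the original post): classify an `openssl version`
# string against the Heartbleed fix. 1.0.1 through 1.0.1f carry the bug,
# 1.0.1g is the fixed release, and the 1.0.0 and 0.9.8 branches never had
# the affected heartbeat code. Prints one word: patched, vulnerable or unknown.
openssl_version_status() {
    # Pull the bare version token, e.g. "1.0.1e" out of
    # "OpenSSL 1.0.1e-fips 11 Feb 2013" (sample string, constructed).
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*$/\1/p')
    case "$v" in
        "")                 echo unknown ;;
        # Conservative on purpose: distro packages that backport the fix keep
        # the 1.0.1e string, so check the package changelog or build date too.
        1.0.1|1.0.1[a-f])   echo vulnerable ;;
        1.0.1[g-z]*)        echo patched ;;
        *)                  echo patched ;;   # 0.9.8, 1.0.0 and later release lines
    esac
}

# Inspect the OpenSSL installed on this host: print the verdict for its version
# string and the build date from `openssl version -a`, which is the quickest
# way to rule out a pre-disclosure build when the version letter is ambiguous.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 0; }
    full=$(openssl version)
    echo "$full -> $(openssl_version_status "$full")"
    openssl version -a 2>/dev/null | sed -n 's/^built on: */built on: /p'
}

# Usage: sh check_openssl.sh --check   (file name is an assumption)
if [ "${1:-}" = "--check" ]; then
    check_local_openssl
fi
```

Run it after `yum update openssl` and again after `service httpd restart`; the running Apache only picks up the new library once it has been restarted, which is why step 4 above matters even when the package update itself succeeds.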

Other Software

  • Apache (via mod_ssl or apache-ssl)
  • nginx
  • cURL (including php curl extension)
  • WinSCP
  • cryptozilla
  • Wordpress
  • Wu-FTPd/SSL
  • RaidenFTPD for Windows
  • sNFS
  • JavaSSL
  • SSLJava
  • Samba
  • Kermit
  • Roxen Challenger
  • OpenCA
  • Postfix
  • QMail
  • SSA (Secure Sockets Agent)
  • slush
  • nsyslog
  • CashCow
  • pyCA
  • MySSL
  • M2Crypto
  • Sendmail
  • SafeGossip
  • KeyNote
  • sslproxy
  • OpenSSH
  • FISH
  • mini_httpd
  • Pavuk
  • ntop
  • start_tls-telnet
  • Fetchmail
  • Lynx
  • Courier-Imap
  • BIND
  • RubyPKI
  • TinySSL
  • XMLSec
  • OpenTSA (Open Time Stamping Authority app)
  • CSP
  • XCA
  • DelphiImport

This is not an all-encompassing list. I'll update it as I find more applications which use OpenSSL.

Secondary Impact

Most people who use the internet do not directly use any of the aforementioned software. The biggest implication of this security hole is its use by Apache and nginx, which combined run about 66%[1] of all websites in the world. If you have recently (within the last 2 years) used any website which runs on Apache or nginx, your username and password might have been visible. This means you need to change EVERY username/password pair you have.

Popular Websites Known to be Vulnerable

  • Google (including gmail)
  • YouTube
  • Facebook
  • Yahoo
  • Instagram
  • Pinterest
  • Tumblr
  • Etsy
  • GoDaddy
  • Flickr
  • Minecraft
  • Netflix
  • SoundCloud
  • USAA
  • Box.com
  • DropBox
  • GitHub
  • IFTTT
  • OkCupid
  • Wordpress.com
  • Wunderlist

Some of these websites use 2-step authentication to validate users' identities, which makes it more challenging to use the username/password to impersonate a user, but it does not prevent it. This is especially true if you use the same username/password pairing in multiple locations (like your email account and Facebook).

Simply put, you should replace ALL passwords this weekend.


Problems Updating Desktop Software

Many open source (i.e. free) desktop applications use OpenSSL for security purposes. This software needs to be updated as well, but the urgency is much lower: this software is regularly shut down (unlike Apache, which must be running whenever someone requests a website), which clears its memory, and the information it holds in memory is often the content sent by the server, which does not include username/password pairs.

Also, if someone hacked your computer, there are much easier ways to obtain sensitive information than the Heartbleed bug. Simple keystroke recorders and screen scrapers would gain much more valuable information. You still need to update these applications, but if it doesn't happen for a week or two, you do not need to freak out.

References:

  1. Netcraft's April 2014 Web Server Survey