The Encryption Flaw in the News

Thanks for the link, JanewayRulz! I think that's probably your best bet to find out if a given site has fixed the issue (or never had it in the first place).

It does affect a lot of sites because OpenSSL is an extremely common program and is used on numerous sites that deal with secured connections.
 
I get the impression that Amazon is one of the sites that's already fixed potential problems (hopefully). I suppose I'm curious, as someone with only a very basic knowledge of web design elements, how reliable the test link is.

Yeah, even the CNNMoney article wasn't ready to claim that link "worked" and I quote...

Italian cryptographer Filippo Valsorda launched the "Heartbleed Test," which purports to tell you if websites are still compromised.

Hmmm, THEY couldn't test it for us and say ...

"Looks good so far." :bolian:

or

"IT'S BOGUS, RUN FOR YOUR LIVES!" :eek:
 
I've already reset a couple of my passwords just to be safe, and I'm crossing my fingers that I and everyone else will stay protected. :lol: Given how long this vulnerability has been known to exist, I'd like to think perhaps many of us have been lucky and never had an issue. But one can never be too careful, so I hope that everyone will continue to have that degree of luck.
 
As an aside, XKCD has featured a comic showing how Heartbleed works in the simplest terms. It's a good illustration, for someone not familiar with the matter, of how a flaw like this happens.

The technical details on why it happened are even more ridiculous. It is a result of many things going wrong because of programmers doing what you'd expect them never to do. One of the blunders has been rightfully called "exploit mitigation countermeasures". Several operating systems introduced a security feature that would prevent bugs exactly like this one from ever happening. Well, the developers of everyone's favourite security library decided this was slow on some systems, so they decided to look for a way around it. And went without it on all. Then to make it an even bigger mess, they made their library rely on the lack of security to work - those that tried to disable the misfeature have been surprised to find their library no longer works.

After getting rid of the overprotective malloc, OpenSSL decided it was fun to do the equivalent of:
Code:
#include <stdlib.h>

typedef struct { int still_needed; /* ... */ } record_t;

record_t *s = malloc(sizeof(record_t));
/* do something stupid with s */
free(s);
/* use after free: s was released on the line above, yet is dereferenced here */
if (s->still_needed) s = malloc(sizeof(record_t));
/* continue doing something stupid with s */

And the source code commit at Github has gotten the Picard facepalm. I am a little bit mixed on this. The guy who introduced Heartbleed is the least to blame in the whole mess; besides, what he did was an honest mistake any programmer could make.
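For anyone who wants to see what the "bug exactly like this one" actually looks like in code, here is an added example (written for this thread, not taken from OpenSSL or the Github commit). It models the heartbeat record layout from RFC 6520 (one type byte, a two-byte big-endian payload length, the payload, then at least 16 bytes of padding) and shows the check that Heartbleed was missing: the claimed payload length must fit inside the bytes actually received before anything is copied back. The function names and the sample records are made up for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat record (RFC 6520): type byte, 16-bit length, payload, padding. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

/* Hypothetical helper: returns the claimed payload length if the record
 * is well-formed, or -1 if the length field points past the bytes that
 * were actually received. Skipping this check is what let a peer's
 * reply be filled from freed or adjacent heap memory. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                 /* too short to carry any payload */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* Every byte we are asked to echo must lie inside the record. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return -1;
    return (int)claimed;
}

/* Hypothetical helper: copies the payload into out only after the
 * length has been validated; returns bytes copied, or -1 on rejection. */
int heartbeat_echo(const uint8_t *rec, size_t rec_len,
                   uint8_t *out, size_t out_len)
{
    int n = heartbeat_payload_len(rec, rec_len);
    if (n < 0 || (size_t)n > out_len)
        return -1;
    memcpy(out, rec + HB_HEADER_LEN, (size_t)n);
    return n;
}

/* Constructed sample records: 5-byte payload "hello" plus 16 padding bytes. */
static const uint8_t good_rec[3 + 5 + 16] = {
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Same bytes, but the length field claims 65535 bytes of payload. */
static const uint8_t bad_rec[3 + 5 + 16] = {
    0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Scratch buffer for the echoed payload. */
static uint8_t echo_buf[64];
```

With the check in place, the second record is refused outright instead of being answered with whatever happened to sit after it in memory.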

Why anyone is using OpenSSL is beyond me.

If only everyone would switch to safe libraries like RSA BSAFE, then we would all be safe. Er... Wait... What's that? "From 2004 to 2013 the default random number generator in the library contained a backdoor from the American National Security Agency, as part of NSA's secret Bullrun program." Well, fuck.