WARNING! I am not an expert in this field.
Table of contents:
- What is OpenSSL?
- What happened?
- Consequences
- Interesting links and resources about the Heartbleed bug (if you want to know more)
- My opinion
Every day, we hear about new 'critical' bugs found in project X, website Y or OS Z.
Some of them are more or less scary.
Recently, folks from Google Security (Neel Mehta) found a serious bug in OpenSSL which has existed for... 2 years. Other folks, Bodo Moeller and Adam Langley, created a fix for OpenSSL.
What is OpenSSL?
OpenSSL is a cryptographic software library. It is an open-source implementation of the SSL and TLS protocols; these protocols are responsible for communication security over the Internet (from Wikipedia).
It is a widely used library in software.
For example:
- Apache and Nginx servers (nearly 70% of websites use this software!)
- Heroku (Cloud Application Platform)
- WordPress (a free and open source blogging tool and content management system)
- Multiple Cisco products
- Android 4.1.1 (Jelly Bean)
Let's start from the official information.
The OpenSSL Security Advisory states: "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server." OpenSSL versions 1.0.1 through 1.0.1f are affected by this vulnerability. (from https://www.openssl.org/news/secadv_20140407.txt)
If you have no clue what that means (like me), then I may explain the consequences of the problem:
"This bug allows anyone on the Internet to obtain private keys, secrets (to identify the service providers and to encrypt the traffic), the names and passwords of the users and the actual content." from http://heartbleed.com
Oh dear.
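To make the advisory's "missing bounds check" concrete, here is an added example (my own code, not OpenSSL's) of how a heartbeat request should be handled: the claimed payload length in the message header is compared against the number of bytes actually received before anything is copied, which is exactly the check the fix adds. The message layout follows RFC 6520 (type byte, 2-byte payload length, payload, at least 16 bytes of padding); the function and constant names are my own.

```c
#include <stddef.h>
#include <string.h>

/* Layout of a TLS heartbeat message body (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length (big-endian)
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding                               */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Build the response for one received heartbeat record.
 * rec/rec_len : the record body exactly as received from the peer.
 * out/out_cap : caller-provided buffer for the response.
 * Returns the response length, or 0 when the record is discarded. */
size_t handle_heartbeat(const unsigned char *rec, size_t rec_len,
                        unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING)   /* too short to hold header + padding */
        return 0;
    if (rec[0] != HB_REQUEST)
        return 0;

    /* Peer-controlled value: nothing guarantees it matches rec_len. */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];

    /* The check that OpenSSL 1.0.1 through 1.0.1f lacked: the claimed
     * payload must fit inside the bytes actually received. Without it,
     * the memcpy below would read past the record into whatever else
     * sits in process memory (up to 64k, since the field is 16 bits). */
    if (HB_HEADER + payload + HB_PADDING > rec_len)
        return 0;   /* silently discard the malformed record */

    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);   /* echo only received bytes */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);    /* zeros stand in for random padding */
    return resp_len;
}
```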
Consequences
In short... Houston, we have a problem. A BIG one.
It means somebody can steal your digital valuables. It means DISASTER.
Sounds scary? Well, because it is!
Good news:
- It is not the end of the world.
Bad news:
- It will cause lots of trouble soon, but it will be fine.
- First, many pages will display certificate issues.
- Some software will have emergency releases.
If you want to know more:
If you want to learn more about the Heartbleed bug, then:
- If you need all the essential information about the bug and what to do, look here:
- Some technical information about the bug (where it is, what the fix looks like, etc.) is here:
- To test whether you are affected (for website owners, or to check a service where you store critical data), go here:
- Other
- https://xkcd.com/1353/ [comic strip from xkcd]
- https://xkcd.com/1354/ [comic strip from xkcd]
My opinion:
Bugs happen and they will keep happening.
I feel sorry for the guy (Dr. Stephen Henson) who introduced the bug in this git commit (git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4817504). (Git is cruel!)
Many people went wild criticising the OpenSSL team for that bug.
BUT ...
OpenSSL is open source. It means:
- It is everybody's responsibility to take care of it.
- If you believe that something is needed (for example: a security audit), DO IT and share the result with the OpenSSL community (too expensive? Use a crowdfunding solution instead).
- It must be better funded (if you want to donate to the OpenSSL folks: https://www.openssl.org/support/donations.html ).
So people, stop blaming and bitching about it. It is useless and you waste your time. Use this time to improve OpenSSL instead.
Another question is about secure programming in C. Many people say that these days secure programming in C is almost mission impossible and it should be rewritten, BUT ... at the moment YOU must live with the fact that OpenSSL is written in C.
Sources:
- http://heartbleed.com
- http://news.ycombinator.com
- http://niebezpiecznik.pl
- https://www.openssl.org
- https://www.openssl.org/news/secadv_20140407.txt
- http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
- http://blog.cryptographyengineering.com/2014/04/attack-of-week-openssl-heartbleed.html