[olug] Heartbleed

Tony Gies tony.gies at gruppe86.net
Fri Apr 11 17:00:00 UTC 2014


This is a good example of why it's wise to do SSL/TLS termination
out-of-process, where possible. Previously I had done this out of
concern that a web server exploit might expose sensitive information
(private keys etc.) from SSL, never suspecting that in fact the
inverse would actually happen. If your SSL termination gets popped,
you still have a huge problem -- the attacker can probably get your
private key and find out some information about other requests made
through the tunnel -- but they don't have a magic portal from SSL
termination to your whole application layer or vice versa, because the
underlying OS virtual memory protection keeps these things separate
(unless your attacker has a kernel exploit). FreeBSD security
dude/Tarsnap operator Colin Percival wrote about this here:
http://www.daemonology.net/blog/2009-09-28-securing-https.html

Also, consider this your kick in the pants to implement SSL/TLS
Perfect Forward Secrecy if you haven't. I do a lot of consulting
basically beefing up people's SSL configuration from the defaults that
haven't been changed since 2001 and it's really not hard to set up. I
may give a talk on it at some point.


Tony Gies <tony.gies at gruppe86.net>
Technical Projects Director
gruppe86 | IT Consulting, Software Development, Systems Integration


On Wed, Apr 9, 2014 at 9:43 PM, unfy <olug at unfy.org> wrote:
> This has gotten a fair bit of press, which is good.  Reminds me of the
> debian cert issues / rng / 64k etc thing :D.
>
> At my work, our policy tends to be 'if it ain't broke, don't fix it'.
>
> Thus, none of our stuff was running the 1.x branch of openssl stuff, all of
> it's 0.9.x stuff.
>
> No massive run around to 400+ locations to fix openssl stuff for meeeeeee
> yay!
>
> -Will
>
>
> On 4/9/2014 6:39 PM, Justin Reiners wrote:
>>
>> Yes, over the next few days I will be changing certs as well as passwords on
>> the entire network. We are waiting for certs to be reissued now. All
>> outward facing servers are patched now. Working on the rest tomorrow.
>>
>> Luckily patching is a piece of cake.
>> On Apr 9, 2014 6:12 PM, "Jeff Hinrichs - DM&T" <jeffh at dundeemt.com> wrote:
>>
>>> Admins: Not only certs but you should force users to change their
>>> passwords.
>>>
>>> Users: If you haven't changed your passwords in a while/ever now is the
>>> time.  Password managers are your friend.
>>>
>>> Last article I saw was estimating 2/3 of the internet was affected.
>>> Personally, our systems were 50% affected. If you were vulnerable, you
>>> have to assume you were compromised.
>>>
>>> -j
>>>
>>>
>>> On Wed, Apr 9, 2014 at 6:01 PM, Tom Fritz <tfritz at me.com> wrote:
>>>
>>>>> I will assume that the slow traffic on the mailing list tonight is
>>>>> because we are all busy checking our systems for the openssl heartbleed
>>>>> vulnerability.
>>>>>
>>>>> If you aren't, you should be.
>>>>>
>>>>> RHEL/CentOS folks, please see this note:
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1084875#c9
>>>>>
>>>>> Red Hat announcement:
>>>>> https://access.redhat.com/site/announcements/781953
>>>>>
>>>>> Fedora Announcement:
>>>>> https://lists.fedoraproject.org/pipermail/announce/2014-April/003205.html
>>>>
>>>> There appears to be some confusion if applying the fix is enough.
>>>> If your server has been compromised you need to regen/replace your certs
>>>> after installing the fixed openssl. I have talked with some folks and they
>>>> think updating the openssl is enough and it may not be. You can't detect if
>>>> your system has been compromised. I also haven't seen an IDS/IPS signature
>>>> released. If someone knows otherwise, please share.
>>>>
>>>> Tom.
>>>> _______________________________________________
>>>> OLUG mailing list
>>>> OLUG at olug.org
>>>> https://lists.olug.org/mailman/listinfo/olug
>>>>
>>>
>>>
>>> --
>>> Best,
>>>
>>> Jeff Hinrichs
>>> 402.218.1473
>>>
>>
>
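
Tom notes further up that no IDS/IPS signature had been released yet. As an added example (not part of this thread and not any participant's code), here is a minimal Python detector that walks a raw TLS byte stream and flags heartbeat messages whose payload_length field exceeds what the record actually carries, which is the bound the patched OpenSSL enforces before answering. Record framing follows RFC 5246 and RFC 6520; the sample stream below is constructed, not a real capture.

```python
import struct
from typing import Iterator, List, Optional, Tuple

HEARTBEAT = 24   # TLS ContentType for heartbeat (RFC 6520)
HB_HDR = 3       # HeartbeatMessageType (1 byte) + payload_length (2 bytes)
MIN_PAD = 16     # RFC 6520 requires at least 16 bytes of padding

def iter_records(stream: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Split a raw TLS byte stream into (content_type, version, fragment)."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        frag = stream[off + 5:off + 5 + length]
        if len(frag) < length:   # truncated capture: stop rather than guess
            break
        yield ctype, version, frag
        off += 5 + length

def check_heartbeat(frag: bytes) -> Optional[str]:
    """Return an alert if the heartbeat fragment's own length field lies."""
    if len(frag) < HB_HDR:
        return "heartbeat fragment shorter than its 3-byte header"
    hb_type, payload_len = struct.unpack("!BH", frag[:HB_HDR])
    # A well-formed message needs header + payload + at least 16 bytes padding.
    needed = HB_HDR + payload_len + MIN_PAD
    if needed > len(frag):
        return (f"heartbeat type {hb_type} claims {payload_len} payload bytes "
                f"but the record carries only {len(frag)}")
    return None

def scan(stream: bytes) -> List[str]:
    """Run the heartbeat check over every record in a byte stream."""
    alerts = []
    for idx, (ctype, _ver, frag) in enumerate(iter_records(stream)):
        if ctype == HEARTBEAT:
            msg = check_heartbeat(frag)
            if msg:
                alerts.append(f"record {idx}: {msg}")
    return alerts

def _record(ctype: int, frag: bytes) -> bytes:
    # Wrap a fragment in a TLS 1.1 record header (helper for constructed data).
    return struct.pack("!BHH", ctype, 0x0302, len(frag)) + frag

# Constructed sample stream: application data, a benign 4-byte heartbeat
# request, then one whose length field claims far more than the record holds.
SAMPLE = (
    _record(23, b"\x11" * 5)
    + _record(HEARTBEAT, struct.pack("!BH", 1, 4) + b"ping" + b"\x00" * MIN_PAD)
    + _record(HEARTBEAT, struct.pack("!BH", 1, 0x4000) + b"\x00" * MIN_PAD)
)
```

Only the third record trips the check; a real deployment would feed this the reassembled TCP stream on port 443 rather than an in-memory sample.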

