If you can read this, either the style sheet didn't load or you have an older browser that doesn't support style sheets. Try clearing your browser cache and refreshing the page.

(Krebs On Security)   Apparently the "Open" part of OpenSSL refers to the hole big enough for trucks full of your website's secret data   (krebsonsecurity.com) divider line 16
    More: Fail, OpenSSL, trucks, private keys, encryption, ammunition dump, bugs, certifications  
•       •       •

993 clicks; posted to Geek » on 08 Apr 2014 at 6:33 PM (16 weeks ago)   |  Favorite    |   share:  Share on Twitter share via Email Share on Facebook   more»



16 Comments   (+0 »)
   
View Voting Results: Smartest and Funniest
 
2014-04-08 04:56:34 PM
And every website on the internet was magically fixing itself as I watched.

Including our deployed EC2 and Heroku apps.

/Now to redeploy every single key ever.  Because until then, you only *look* safe.
 
2014-04-08 05:10:37 PM
So does the NSA get credit for this one, or was it a legitimate 'oops'?
 
2014-04-08 05:19:19 PM

Ivo Shandor: So does the NSA get credit for this one, or was it a legitimate 'oops'?


Technical details here:  http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bu g .html

As best as I can tell, it was an oops.  They never quite thought about the interaction of a poorly behaved client and certain malloc* implementations.

* I need a piece of memory of size X.

/Of course, the best NSA bugs look like oops.  So consult your internal conspiracy theorist.
//Seriously though, we call them bugs because no one can admit to making that many mistakes.
 
2014-04-08 05:41:46 PM
yay for not updating to 1.0.1?
 
ZAZ [TotalFark]
2014-04-08 05:55:33 PM
It's a more subtle array bounds overrun than the usual kind, and still avoidable if you give up a few nanoseconds per packet to transform the bag of bytes into a type-checked data structure.
 
ZAZ [TotalFark]
2014-04-08 06:36:00 PM
Maybe I should elaborate. Look at the code on meyerkev's link.

It's written in the style of the 1980s, when instructions per byte was thought importantl. Many computers couldn't saturate a 10 Mbps ethernet connection. Zero copy was a big deal. Scatter-gather interfaces were almost as good as a woman to a hacker. You didn't translate network blobs into a memory representation, the network blob WAS the memory representation. You cheered when you realized that the wraparound checksum commuted with ntohs, because that noths represented an instruction, or several if you were on a RISC instead of a VAX.

But now for most purposes you can afford to translate network format to a convenient host format, work on that, and undo the transformation to send a reply. It costs you a few cycles, but those are almost free. Cache misses aren't cheap, but writing to the stack doesn't add any cache misses.

In that host format you can have an explicit field length. In any language but C a variable length field is a bounds checked array. In C at least you have a length field that reminds you to be careful.

Some things are still data intensive and demand ugly code, but for a control instead of data message even I, who loved saving bytes and cycles in decades past, will translate into a more useful and safer format.
 
2014-04-08 06:41:21 PM

Ivo Shandor: So does the NSA get credit for this one, or was it a legitimate 'oops'?


img.fark.net
 
2014-04-08 07:24:59 PM

ZAZ: But now for most purposes you can afford to translate network format to a convenient host format, work on that, and undo the transformation to send a reply. It costs you a few cycles, but those are almost free. Cache misses aren't cheap, but writing to the stack doesn't add any cache misses.


The bug was introduced six months ago.  Saving nanoseconds was hardly a concern.
 
2014-04-08 07:46:27 PM
I love how they're quoting a Carnegie Mellon advisory, because in the early 2000s, Carnegie Mellon's web-based mail sent username and passwords in plain text.
 
2014-04-08 08:09:59 PM
http://heartbleed.com

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

There weren't enough eyeballs given.
 
2014-04-08 08:11:40 PM
I read it on Ars this morning so I checked our security reports...we have 4 servers on our team with OpenSSL.  So I go to the site to download and update....and it's farked...all day...

I feel bad for those that had websites with it...they have to do more than just replace the binaries.  From Ars:

"The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there's no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises. "
 
2014-04-08 09:13:59 PM
Dear Hackers,

Please don't tell the world about the disturbing porn I enjoy.

Thanks.
 
2014-04-08 10:18:30 PM
Too bad the open source fanboys are more interested in trolling forums than actually looking at code.
 
2014-04-08 10:25:47 PM
I heard about this just today.

Thankfully, I don't use OpenSSL in ... like, anything.  Still good to know about, though...

/except in, maybe, websites I go *to*, that is
//there's always something new
 
2014-04-09 02:11:25 AM

MrEricSir: Too bad the open source fanboys are more interested in trolling forums than actually looking at code.


Open source meant something when Unix and the like were still relativly unknown research projects. I still can't trust Linux (even though I exclusively use it) to have been thoroughly checked for bugs, regardless of its open source nature.

It really is too easy to just rely on others to have programmed it "perfectly" than check it. Sad and very true.

Just think about how much spaghetti makes up X, the basic windower in 'nix. How many other projects have been extended out long after their time?

/9 and meatspace all the way, babe
 
2014-04-09 09:53:06 AM

ZAZ: It's a more subtle array bounds overrun than the usual kind, and still avoidable if you give up a few nanoseconds per packet to transform the bag of bytes into a type-checked data structure.


You sound socialist.
 
Displayed 16 of 16 comments

View Voting Results: Smartest and Funniest


This thread is closed to new comments.

Continue Farking
Submit a Link »






Report