A gentle reminder that these are my opinions, not those of my employer, whomever that may be.

An OpenSSL bug means that 64KB of process memory can be read from many OpenSSL-linked applications.1 Most notably web servers, but also may types of SSL-using applications such as IMAPS, SMTP submission, and even "802.1x enterprise" wireless authentication. The contents of that 64KB are unknown, but there is a probability of it including some confidential data — the web server's private key, maybe userids and passwords, maybe credit card details.2

What is the 'optimal' response of an enemy of privacy in this situation? It is to contact as many websites as quickly as possible and to record that 64KB. A $100 hard disk will hold about 30 million 100KB chunks, so storage space isn't going to be a problem for an amateur, let alone the US National Security Agency.

What is the optimal response of a server administrator facing this threat? The first most obvious, most instantly effective measure is to stop the web server. Maybe then bring it back up missing any content which requires SSL to access.

So we should have seen a wave of website shutdowns, followed by sites coming back as software was updated, new private keys were generated, new certificates were signed by Certificate Authorities, old certificates added to revocation lists, local passwords replaced, and then the web server stopped and started.

Instead we saw the SSL-using areas of some quite famous web sites staying up. Some whilst carrying notices about the vulnerability. Most disappointing.

An aside

On various forums I've read posting by Windows and MacOS users claiming invulnerability. That's a little hasty: consider ActivePerl and MacPorts respectively. Checking those platforms for this software is often more work than actually updating a Linux machine.


1 Vulnerability of OpenSSL to the Heartbleed bugs depends upon the version of the OpenSSL source code and absence of a OPENSSL_NO_HEARTBEATS flag when compiling the source to create the OpenSSL library.

2 The probability seems to 0.0004% per attempt for a specific piece of data. That's not at all bad: the Birthday Paradox gives us good odds of finding some item of private data on some website; in any case a quarter of a million SSL connections doesn't take too long to execute.


Glen Turner

April 2017


Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags
Page generated 2017-06-24 00:05
Powered by Dreamwidth Studios