gdt

A gentle reminder that these are my opinions, not those of my employer, whoever that may be.

An OpenSSL bug means that 64KB of process memory can be read from many OpenSSL-linked applications.[1] Web servers are the most notable, but so are many types of SSL-using applications such as IMAPS, SMTP submission, and even "802.1x enterprise" wireless authentication. The contents of that 64KB are unknown, but there is a probability of it including some confidential data: the web server's private key, maybe userids and passwords, maybe credit card details.[2]

What is the 'optimal' response of an enemy of privacy in this situation? It is to contact as many websites as quickly as possible and to record that 64KB. A $100 hard disk will hold about 30 million 100KB chunks, so storage space isn't going to be a problem for an amateur, let alone the US National Security Agency.

What is the optimal response of a server administrator facing this threat? The first, most obvious, and most instantly effective measure is to stop the web server. Maybe then bring it back up without any content that requires SSL to access.

So we should have seen a wave of website shutdowns, followed by sites coming back as software was updated, new private keys were generated, new certificates were signed by Certificate Authorities, old certificates added to revocation lists, local passwords replaced, and then the web server stopped and started.

Instead we saw the SSL-using areas of some quite famous web sites staying up, some whilst carrying notices about the vulnerability. Most disappointing.

An aside

On various forums I've read postings by Windows and MacOS users claiming invulnerability. That's a little hasty: consider ActivePerl and MacPorts respectively. Checking those platforms for this software is often more work than actually updating a Linux machine.
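One way to do the checking described in this aside, as an added example (not code from the original post): a sweep that finds bundled OpenSSL copies by the release banner compiled into them. The sample tree and its 9.9.x version numbers are constructed, and the `affected` set is a placeholder to be filled from the OpenSSL advisory.

```python
import os
import re
import tempfile

# Release banner (OPENSSL_VERSION_TEXT) compiled into libssl/libcrypto and into
# programs that link OpenSSL statically, e.g. b"OpenSSL 1.0.1e 11 Feb 2013".
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2}(?:-[a-z0-9]+)?) +\d{1,2} [A-Z][a-z]{2} \d{4}")

def find_openssl_copies(root, max_bytes=64 * 1024 * 1024):
    """Return {path: [versions]} for each regular file under root with a banner."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            versions = {m.group(1).decode() for m in BANNER.finditer(data)}
            if versions:
                found[path] = sorted(versions)
    return found

def needs_review(found, affected):
    """Paths whose banner is in `affected` (taken from the vendor advisory).
    The banner does not record OPENSSL_NO_HEARTBEATS, so a hit means
    'inspect or update this copy', not 'confirmed vulnerable'."""
    return sorted(p for p, vs in found.items() if set(vs) & set(affected))

def demo():
    # Constructed tree with made-up version numbers (9.9.x), not real releases.
    root = tempfile.mkdtemp()
    samples = {
        "Perl/bin/libeay32.dll": b"\x00MZ..OpenSSL 9.9.9a 1 Jan 2000\x00",
        "opt/local/lib/libssl.dylib": b"\x7f..OpenSSL 9.9.8 15 Feb 2000\x00",
        "docs/readme.txt": b"We link against OpenSSL, see vendor notes.",
    }
    for rel, blob in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(blob)
    found = find_openssl_copies(root)
    return root, found, needs_review(found, affected={"9.9.9a"})

if __name__ == "__main__":
    print(demo())
```

Point `find_openssl_copies` at application install trees (for example the ActivePerl or MacPorts prefix) rather than only the system library directories, since bundled copies are the ones a package manager update will not touch.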


[1] Vulnerability of OpenSSL to the Heartbleed bug depends upon the version of the OpenSSL source code and the absence of an OPENSSL_NO_HEARTBEATS flag when compiling the source to create the OpenSSL library.

[2] The probability seems to be 0.0004% per attempt for a specific piece of data. That's not at all bad: the Birthday Paradox gives us good odds of finding some item of private data on some website; in any case a quarter of a million SSL connections doesn't take too long to execute.

Glen Turner

Page generated 2017-10-19 01:43