Linked by Thom Holwerda on Tue 8th Apr 2014 22:06 UTC
Privacy, Security, Encryption

Heartbleed, a long-undiscovered bug in cryptographic software called OpenSSL that secures Web communications, may have left roughly two-thirds of the Web vulnerable to eavesdropping for the past two years. Heartbleed isn't your garden-variety vulnerability, so here's a quick guide to what it is, why it's so serious, and what you can do to keep your data safe.


Thread beginning with comment 586942

> BallmerKnowsBest read your own link. It details a flaw that does not come from protocol alone.

Try following some of the links from that page, which would quickly lead you to this:

> This workaround provides system administrators a way to help protect all clients that connect to a server from exploitation by using the vulnerability described in security advisory 977377. The workaround achieves this by disabling TLS/SSL renegotiation. This is the component of the TLS/SSL protocol that is vulnerable to this issue.

(emphasis: mine)

Or you could read the 2nd link I posted, which detailed how vulnerability to the TLS renegotiation issue was by no means limited to Microsoft's software.

So yes, the UNDERLYING flaw came from flaws in the protocol itself - the problems with Microsoft's implementation made the problem worse, but they obviously weren't the sole/primary cause of the problem.

> MS10-049 is in fact for means to collect data worse than the current OpenSSL flaw.

Yeahhhhhhh... [citation needed]. I'm guessing you missed this minor detail in the MS10-049 summary:

> In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or in an Instant Messenger message that takes users to the attacker's Web site.

As opposed to the current OpenSSL flaw, where your login credentials can be exposed simply by signing in to a vulnerable server.

And was there any evidence that the SChannel flaw was ever actually exploited "in the wild"? Because I've already seen some fairly dramatic demonstrations of Heartbleed - E.g. comments in an ArsTechnica thread from someone who was able to retrieve another user's credentials and then login & comment from their account:
(the linked comment and the one directly after it are the relevant ones)

> Current openssl flaw you get random blocks of data not exact data requests.

Oh, well I'm sure that will be an immense comfort to any people whose online accounts are compromised because of this flaw...

> Luckily there are not many MS Windows servers on the internet.

Hahahaha, yeah, only about... say, a third of all public-facing servers on the internet. Oh, and remind me: what was the estimate as to number of the servers on the internet that were vulnerable to Heartbleed? Something like two-thirds, wasn't it...?

To the extent that I can glean a point from your post, it seems like an attempt to deflect criticisms that no one has actually made. Before it, I haven't seen anyone try to ascribe the problem to the open source model as a whole (or anyone other than the OpenSSL developers directly responsible for it). Nor did I realize that the number & severity of SSL implementation flaws was the subject of a contest between open source and Microsoft/closed source.

If the shoe were on the other foot, I have no doubt that the usual FLOSS ideologues would immediately pounce on it as "proof" of the inferiority of Microsoft's software - if not the closed-source development model as a whole. Yet you usually don't see people making the same lazy conclusions in reverse, no matter how many times a lax approach to security in open source software development enables things like Darkleech or Heartbleed... not to mention the constant stream of recent problems caused by beginner-level security failures in open source web applications like WordPress, Joomla, Drupal, or Mailman (AKA "the backscatter spammer's best friend").

BUT, since you brought it up: if you really want to keep score, then it's pretty clear that Heartbleed has vaulted open source into the "lead" as far as SSL-related security failures go. As you alluded to earlier, Linux is more widely-used as a server OS - and now Linux & the open source community at large are starting to experience the inevitable downsides of population density/network effects (WRT security & malware) that Windows has been subjected to on the desktop for years.

Reply Parent Score: 3
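Added example, not from the original post and not OpenSSL's own source: a simplified C model of the heartbeat handler that produced the "random blocks of data" discussed above (the responder copies back as many bytes as the request claims, not as many as it actually carries), beside the bounds check that closes it. The record layout, the neighbouring "cookie=hunter2" bytes, the 128-byte arena and the function names are constructed for this demo; the real handler and its fix differ in detail.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_PADDING  16   /* heartbeat messages carry at least 16 padding bytes */

/* Constructed sample data (not a real capture). The first 23 bytes are a
 * heartbeat request whose length field claims 64 payload bytes while the
 * record actually carries 4, plus 16 bytes of padding. The bytes after
 * offset 23 stand in for whatever happened to sit next to the record in
 * the server's heap; the rest of the 128-byte arena is zero. */
#define RECORD_LEN 23
static const uint8_t ARENA[128] = {
    HB_REQUEST, 0x00, 0x40,                          /* type, claimed length 64 */
    'p', 'i', 'n', 'g',                              /* real payload (4 bytes) */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* padding (16 bytes) */
    'c', 'o', 'o', 'k', 'i', 'e', '=', 'h', 'u', 'n', 't', 'e', 'r', '2', ';',
    ' ', 'n', 'e', 'x', 't', ' ', 'u', 's', 'e', 'r', '\'', 's', ' ', 'd', 'a', 't', 'a'
};

/* An honest request: claims 4 payload bytes and carries 4 (rest is padding). */
static const uint8_t HONEST[RECORD_LEN] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'
};

/* Pre-fix shape: the handler trusts the claimed length and copies that many
 * bytes into the response. rec_len is available but never consulted.
 * The out_cap check is only a harness guard so the demo cannot overrun its
 * own output buffer; it does nothing to stop the over-read of the input. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    (void)rec_len;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap) return -1;
    memcpy(out, rec + 3, claimed);      /* reads past the end of the record */
    return (int)claimed;
}

/* Post-fix shape: reject records too short to be valid, and silently
 * discard any request whose claimed payload does not fit in the record. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + claimed + HB_PADDING > rec_len) return -1;
    if (claimed > out_cap) return -1;
    memcpy(out, rec + 3, claimed);
    return (int)claimed;
}

/* Byte-wise search that tolerates the NUL padding (strstr would stop there). */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Vulnerable handler on the malicious record: returns 1 if the response
 * carries the neighbouring "cookie=hunter2" bytes, which were never part
 * of the request. */
int demo_vulnerable_leaks_secret(void)
{
    uint8_t out[256];
    int n = heartbeat_vulnerable(ARENA, RECORD_LEN, out, sizeof out);
    return n == 64 && contains(out, (size_t)n, "cookie=hunter2");
}

/* Fixed handler on the same record: -1 means the request was discarded. */
int demo_fixed_discards_malicious(void)
{
    uint8_t out[256];
    return heartbeat_fixed(ARENA, RECORD_LEN, out, sizeof out);
}

/* Fixed handler still answers honest requests: returns the echoed length. */
int demo_fixed_answers_honest(void)
{
    uint8_t out[256];
    return heartbeat_fixed(HONEST, RECORD_LEN, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks neighbouring data: %s\n",
           demo_vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler on malicious record: %d (discarded)\n",
           demo_fixed_discards_malicious());
    printf("fixed handler on honest record: %d bytes echoed\n",
           demo_fixed_answers_honest());
    return 0;
}
```

The attacker picks the claimed length, but not what sits next to the record in memory, which is why each probe returns a different slice of heap rather than a chosen address; repeating the request many times is what turns that into harvested session cookies or keys.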

oiaohm

BallmerKnowsBest, if you download Metasploit you will find a demo of reversing back to the webserver using MS10-049.

With MS10-049 we were lucky. Heartbleed, not lucky. This is the thing with these flaws: some we are lucky with, some we are not.

Interestingly enough, lots of Windows servers are behind Linux load balancers and filters. Some sites using Windows were hit by Heartbleed because their Linux balancer got hit, yet those same Linux load balancers blocked other attacks. Why? The load balancer is doing the SSL decode. It's way less than 1/3 of servers on the Internet that have Windows servers with internet-facing SSL. You are looking at basically 90 percent Linux when you look at what is decoding SSL. and MS10-049 are two exploits. The fix for MS10-049 also contains the fix for 977377.

Overall, SSL failures have been widespread.

There have been security failures in closed-source frameworks used instead of open-source solutions like WordPress, Joomla, Drupal, or Mailman.

Overall, it's simpler to get executable code into a Windows server to alter its function.

There is a constant stream of bugs in closed and open source. Yes, beginner-level bugs are turning up in Microsoft products as well. I can pull in others.

Even this recent OpenSSL bug on Linux still was not remote run-whatever-you-like.

Population density/network effects make a weakness worse. But if Linux were having the same flaws as Windows a lot, we would be looking at disasters that make the recent OpenSSL flaw look minor.

Reply Parent Score: 2