Amiga.org

Amiga computer related discussion => General chat about Amiga topics => Topic started by: mpiva on April 10, 2014, 12:33:29 AM

Title: Heartbleed
Post by: mpiva on April 10, 2014, 12:33:29 AM
I've just been reading up on the Heartbleed security flaw in OpenSSL. Pretty scary stuff. I was wondering if Amigoid OS's are vulnerable to this flaw?

http://www.heavy.com/tech/2014/04/heartbleed-security-flaw/
Title: Re: Heartbleed
Post by: Matt_H on April 10, 2014, 01:08:28 AM
I'd say there's a good chance we're vulnerable. On the other hand, our versions of OpenSSL are rather old and might pre-date the introduction of the bug.

I heard on the radio this morning that a Finnish web security firm was instrumental in discovering this. I wonder if our man Piru played a role :)
Title: Re: Heartbleed
Post by: Duce on April 10, 2014, 01:53:17 AM
This weeks Security Now podcast was all about Heartbleed - a must watch for anyone interested in security as a whole or Heartbleed specifically.

http://twit.tv/show/security-now/450
Title: Re: Heartbleed
Post by: Hans_ on April 10, 2014, 02:28:40 AM
Quote from: mpiva;762267
I've just been reading up on the Heartbleed security flaw in OpenSSL. Pretty scary stuff. I was wondering if Amigoid OS's are vulnerable to this flaw?

http://www.heavy.com/tech/2014/04/heartbleed-security-flaw/

My understanding is that this is a flaw on the server side. How many people are running a web server with OpenSSL on their AmigaOS/Amiga-compatible-OS let alone with a version of OpenSSL with that bug?

Hans
Title: Re: Heartbleed
Post by: Geit on April 10, 2014, 11:42:13 AM
It depends on the version of OpenSSL and yes ANY device may be in danger.

And no. It is not only a server side problem. If OWB is using the broken SSL port, which is possible with the OS4 port of V1.23, and accessing a compromised server, the server can read out 64KB of memory on your computer, which for sure contains plain keys. MorphOS OWB V1.23 at least is safe. You need to ask Kas1e what version is used in his port.

Even if it is a known site which already got updated, you do not know if it was compromised before and still spies on you.

Same for any application using SSL. Check the versions used.

You need to update or any kind of server (mail, https, ...) may spy on you.

Geit
Title: Re: Heartbleed
Post by: slaapliedje on April 10, 2014, 02:20:25 PM
The versions in question that are vulnerable are versions 1.0.0 - 1.0.1f (they fixed it in 1.0.1g). So if you're running Debian Squeeze, or something older that is using 0.9.8*, then you're safe from heartbleed.

I am running something newer, and have already patched my stuff; fortunately I only had a few servers that needed it. Reissuing SSL keys is annoying as well, but I did that.

slaapliedje
Title: Re: Heartbleed
Post by: Duce on April 10, 2014, 02:53:25 PM
As Slaap said, it's very important that the general end user understands where the issue with Heartbleed lies.

It is solely dependent on having the "broken" versions of OpenSSL installed and operational on the server side. You're not going to find an OS patch to fix this on your respective user grade operating systems; the problem lies with what version of OpenSSL any respective server uses.

I'd hope that a good number of hosts have been patched by now, but I know better than to assume it :)
Title: Re: Heartbleed
Post by: slaapliedje on April 10, 2014, 02:57:41 PM
It also has to do with whether or not the service in question uses a heartbeat. So things like Apache are vulnerable, but OpenSSH is not. At least from what I've been reading. So yeah, clients wouldn't really be affected. I wouldn't be 100% sure about that, but I can be fairly certain that OpenSSL for the Amiga shouldn't be affected; I don't think it's been updated in quite some time.

slaapliedje
Title: Re: Heartbleed
Post by: Geit on April 10, 2014, 06:03:44 PM
As I said earlier: Clients can indeed be vulnerable.

Major browsers are not (i.e. Chrome, FF, Safari, Opera), but Curl, Links and some other client software may be. The only reason this isn't a major disaster client-wise is that the browsers are already secure.

The "heartbeat" protocol works both ways. Both client and server can initiate the heartbeat, so an evil server could read a client's memory if the client is vulnerable. Of course you need to get the client to visit your site.

(Piru via IRC)
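The bounds check at the heart of the bug Geit and Piru are describing, as an added example written for this thread and not code from OpenSSL or from any Amiga port: a heartbeat record whose declared payload length exceeds the bytes actually received is rejected instead of being echoed back from whatever memory follows the buffer. The message layout follows RFC 6520; the two sample records are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * Heartbleed: OpenSSL 1.0.1 through 1.0.1f trusted payload_length without checking it
 * against the bytes actually received, so the echo copied memory beyond the record. */
#define HB_PADDING  16
#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Constructed sample records (not captured traffic). Both carry a 5-byte "hello". */
static const uint8_t GOOD_REC[] = { HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };           /* declares 5, carries 5 */
static const uint8_t BAD_REC[]  = { HB_REQUEST, 0xFF, 0xFF, 'h','e','l','l','o',
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };           /* declares 65535, carries 5 */

/* Returns the declared payload length if it fits inside the record, else -1.
 * The last comparison is the bounds check that the patched OpenSSL 1.0.1g added. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;            /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* declared length overruns record */
    return (int)payload;
}

/* Builds the response for a validated request into out; returns bytes written or -1.
 * Only bytes that were actually received are echoed, and the padding is zeroed
 * rather than left as whatever the output buffer held before. */
int heartbeat_response(const uint8_t *req, size_t req_len, uint8_t *out, size_t out_cap) {
    int payload = heartbeat_payload_len(req, req_len);
    if (payload < 0 || req[0] != HB_REQUEST) return -1;
    size_t total = 1 + 2 + (size_t)payload + HB_PADDING;
    if (total > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xFF);
    memcpy(out + 3, req + 3, (size_t)payload);
    memset(out + 3 + payload, 0, HB_PADDING);  /* real implementations use random padding */
    return (int)total;
}

int main(void) {
    uint8_t out[64];
    printf("good record: %d bytes echoed\n", heartbeat_response(GOOD_REC, sizeof GOOD_REC, out, sizeof out));
    printf("bad record:  %d (rejected)\n", heartbeat_response(BAD_REC, sizeof BAD_REC, out, sizeof out));
    return 0;
}
```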
Title: Re: Heartbleed
Post by: mpiva on April 10, 2014, 11:18:49 PM
Just noticed this on OS4Depot today:

libopenssl.lha (http://www.os4depot.net/?function=showfile&file=development/library/misc/libopenssl.lha)   dev/lib/mis   1.0.1g   10Mb   10 Apr 14   4.0   8   Libopenssl - The Open Source toolkit for SSL/TLS

2014-04-10 - Updated to 1.0.1g.
Title: Re: Heartbleed
Post by: gertsy on April 11, 2014, 07:08:12 AM
Quote from: mpiva;762317
Just noticed this on OS4Depot today:

libopenssl.lha (http://www.os4depot.net/?function=showfile&file=development/library/misc/libopenssl.lha)   dev/lib/mis   1.0.1g   10Mb   10 Apr 14   4.0   8   Libopenssl - The Open Source toolkit for SSL/TLS

2014-04-10 - Updated to 1.0.1g.

Doh. And the security experts say you should be on the latest versions... If they were behind the times they would have been safe.
Don't let Commodore John get wind of this... ;)
Title: Re: Heartbleed
Post by: Duce on April 11, 2014, 09:03:01 AM
Don't worry, John still does all his internet communications via tin cans connected with strings and smoke signals :)

Just giving you a hard time, John :)