
Author Topic: Heartbleed  (Read 2738 times)


mpiva (Topic starter)

  • Sr. Member
  • Join Date: Aug 2003
  • Posts: 297
  • http://members.shaw.ca/michpiva
Heartbleed
« on: April 10, 2014, 12:33:29 AM »
I've just been reading up on the Heartbleed security flaw in OpenSSL. Pretty scary stuff. I was wondering if Amigoid OS's are vulnerable to this flaw?

http://www.heavy.com/tech/2014/04/heartbleed-security-flaw/
-- Michael A. Piva --


"In engineering, there is no single truth, no one right answer; there's a canvas, and you paint it your way, only with chips or gates or subroutines rather than actual paint. That's the Amiga..."
-Dave Haynie
 

Matt_H

Re: Heartbleed
« Reply #1 on: April 10, 2014, 01:08:28 AM »
I'd say there's a good chance we're vulnerable. On the other hand, our versions of OpenSSL are rather old and might pre-date the introduction of the bug.

I heard on the radio this morning that a Finnish web security firm was instrumental in discovering this. I wonder if our man Piru played a role :)
 

Duce

  • Off to greener pastures
  • Hero Member
  • Join Date: Jul 2009
  • Posts: 1699
  • http://amigabbs.blogspot.com/
Re: Heartbleed
« Reply #2 on: April 10, 2014, 01:53:17 AM »
This week's Security Now podcast was all about Heartbleed - a must-watch for anyone interested in security as a whole or Heartbleed specifically.

http://twit.tv/show/security-now/450
 

Hans_

Re: Heartbleed
« Reply #3 on: April 10, 2014, 02:28:40 AM »
Quote from: mpiva;762267
I've just been reading up on the Heartbleed security flaw in OpenSSL. Pretty scary stuff. I was wondering if Amigoid OS's are vulnerable to this flaw?

http://www.heavy.com/tech/2014/04/heartbleed-security-flaw/


My understanding is that this is a flaw on the server side. How many people are running a web server with OpenSSL on their AmigaOS/Amiga-compatible-OS let alone with a version of OpenSSL with that bug?

Hans
Join the Kea Campus - upgrade your skills; support my work; enjoy the Amiga corner.
https://keasigmadelta.com/ - see more of my work
 

Geit

  • Newbie
  • Join Date: Dec 2009
  • Posts: 34
Re: Heartbleed
« Reply #4 on: April 10, 2014, 11:42:13 AM »
It depends on the version of OpenSSL and yes ANY device may be in danger.

And no. It is not only a server side problem. If OWB is using the broken SSL port, which is possible with the OS4 port of V1.23, and accessing a compromised server, the server can read out 64KB of memory on your computer, which for sure contains plain keys. MorphOS OWB V1.23 at least is safe. You need to ask Kas1e what version is used in his port.

Even if it is a known site which already got updated, you do not know if it was compromised before and still spies on you.

Same for any application using SSL. Check the versions used.

You need to update, or any kind of server (mail, https, ...) may spy on you.

 Geit
« Last Edit: April 10, 2014, 12:54:15 PM by Geit »
 

slaapliedje

  • Lifetime Member
  • Hero Member
  • Join Date: Oct 2010
  • Posts: 843
  • Country: 00
  • Thanked: 1 times
Re: Heartbleed
« Reply #5 on: April 10, 2014, 02:20:25 PM »
The versions in question that are vulnerable are versions 1.0.0 - 1.0.1f (they fixed it in 1.0.1g). So if you're running Debian Squeeze, or something older that is using 0.9.8*, then you're safe from Heartbleed.

I am running something newer, and have already patched my stuff, fortunately I only had a few servers that needed it.  Reissuing SSL keys is annoying as well, but I did that.

slaapliedje
A4000D: Mediator 4000Di; Voodoo 3, ZorRAM 128MB, 10/100mb Ethernet, Spider 2. Cyberstorm PPC 060/50 604e/420.
 
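The version ranges discussed in the replies above are the first thing a defender checks across an inventory, so here is an added example (editor's code, not something posted in this thread or shipped by OpenSSL) of a small triage script. It encodes the range from the OpenSSL project's advisory: 1.0.1 through 1.0.1f are affected, 1.0.1g carries the fix, 1.0.2-beta1 was also affected, and 0.9.8 and 1.0.0 never contained the heartbeat code. The inventory list at the bottom is constructed sample data; the host names in it are made up.

```python
import re

# Matches upstream OpenSSL version strings such as "1.0.1f", "0.9.8y", "1.0.2-beta1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?$")


def parse_openssl_version(text):
    """Split an OpenSSL version string into (major, minor, fix, letters, prerelease).

    Raises ValueError for strings that do not look like an upstream version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    major, minor, fix, letters, pre = m.groups()
    return int(major), int(minor), int(fix), letters, pre


def is_heartbleed_vulnerable(version_text):
    """True if the upstream version string falls in the range the OpenSSL advisory lists."""
    major, minor, fix, letters, pre = parse_openssl_version(version_text)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) up to and including 1.0.1f; "g" and later are fixed.
        # Python string comparison gives "" <= "f" and "g" > "f", which is exactly the rule.
        return letters <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta shipped the unchecked heartbeat code.
        return pre == "beta1"
    # 0.9.8 and 1.0.0 never had the TLS heartbeat extension at all.
    return False


def triage(inventory):
    """Return the names of inventory entries whose reported version needs upgrading.

    Caveat a practitioner must keep in mind: distribution packages often backport the
    fix without changing the upstream version string, so a hit here means "check this
    host", not "this host is exploitable". Unparseable versions are reported separately.
    """
    needs_check, unknown = [], []
    for name, version in inventory:
        try:
            if is_heartbleed_vulnerable(version):
                needs_check.append(name)
        except ValueError:
            unknown.append(name)
    return needs_check, unknown


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    ("web-a", "1.0.1e"),
    ("web-b", "1.0.1g"),
    ("mail-old", "0.9.8y"),
    ("lab-box", "1.0.2-beta1"),
    ("amiga-os4", "1.0.1g"),
    ("mystery", "custom-build"),
]

if __name__ == "__main__":
    flagged, unparsed = triage(SAMPLE_INVENTORY)
    print("needs checking:", flagged)
    print("could not parse:", unparsed)
```

Run it as-is to see the two hosts that need attention and the one whose version string could not be interpreted; feed it your own (name, version) pairs from an `openssl version` sweep to use it for real.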

Duce

  • Off to greener pastures
  • Hero Member
  • Join Date: Jul 2009
  • Posts: 1699
  • http://amigabbs.blogspot.com/
Re: Heartbleed
« Reply #6 on: April 10, 2014, 02:53:25 PM »
As Slaap said, it's very important that the general end user understands where the issue with Heartbleed lies.

It is solely dependent on having the "broken" versions of OpenSSL installed and operational on server side.  You're not going to find an OS patch to fix this on your respective user grade operating systems, the problem lies with what version of OpenSSL any respective server uses.

I'd hope that a good number of hosts have been patched by now, but I know better than to assume it :)
 

slaapliedje

  • Lifetime Member
  • Hero Member
  • Join Date: Oct 2010
  • Posts: 843
  • Country: 00
  • Thanked: 1 times
Re: Heartbleed
« Reply #7 on: April 10, 2014, 02:57:41 PM »
It also has to do with whether or not the service in question uses a heartbeat. So things like Apache are vulnerable, but OpenSSH is not. At least from what I've been reading. So yeah, clients wouldn't really be affected. I wouldn't be 100% sure about that, but I can be fairly certain that OpenSSL for the Amiga shouldn't be affected; I don't think it's been updated in quite some time.

slaapliedje
A4000D: Mediator 4000Di; Voodoo 3, ZorRAM 128MB, 10/100mb Ethernet, Spider 2. Cyberstorm PPC 060/50 604e/420.
 

Geit

  • Newbie
  • Join Date: Dec 2009
  • Posts: 34
Re: Heartbleed
« Reply #8 on: April 10, 2014, 06:03:44 PM »
As I said earlier: Clients can indeed be vulnerable.

Major browsers are not (IE, Chrome, FF, Safari, Opera), but Curl, Links and some other client software may be; the only reason this isn't a major disaster clientwise is that the browsers are already secure.

The "heartbeat" protocol works both ways. Both client and server can initiate the heartbeat, so an evil server could read a client's memory if the client is vulnerable. Of course you need to get the client to visit your site.

(Piru via IRC)
« Last Edit: April 10, 2014, 06:07:03 PM by Geit »
 
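Since the thread has settled on the heartbeat extension being the actual culprit, here is an added example (editor's code, not from anyone in this thread or from OpenSSL itself) of what a correctly bounds-checked heartbeat message parser looks like. RFC 6520 lays the message out as a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding, and says a receiver must silently discard any message whose claimed payload length does not fit in the record it arrived in. That discard is the check the affected OpenSSL releases lacked; with it in place a peer, client or server, cannot make the other side echo back more bytes than it actually sent. The record bytes below are constructed for the demonstration.

```python
import os
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_MIN = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat_request(payload, padding=None):
    """Build a well-formed heartbeat request; padding defaults to 16 random bytes."""
    if padding is None:
        padding = os.urandom(PADDING_MIN)
    return struct.pack("!BH", HEARTBEAT_REQUEST, len(payload)) + payload + padding


def parse_heartbeat(record):
    """Return (message_type, payload), or None if the record must be discarded.

    The second condition is the bounds check at the heart of the bug: the length
    field is attacker-controlled, so it is only trusted after comparing it against
    how many bytes really arrived in the record.
    """
    if len(record) < 1 + 2 + PADDING_MIN:
        return None  # too short to even hold the header plus minimum padding
    msg_type, claimed_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed_len + PADDING_MIN > len(record):
        return None  # claimed payload would run past the end of the record: discard
    return msg_type, record[3:3 + claimed_len]


def respond_to_heartbeat(record):
    """Answer a valid request by echoing only the bytes the peer actually sent."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    payload = parsed[1]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + os.urandom(PADDING_MIN)


# Constructed sample records: one honest request, one that claims far more payload than it carries.
GOOD_RECORD = build_heartbeat_request(b"abc", padding=b"\x00" * PADDING_MIN)
OVERSIZED_RECORD = struct.pack("!BH", HEARTBEAT_REQUEST, 0x4000) + b"abc" + b"\x00" * PADDING_MIN

if __name__ == "__main__":
    print("good request  ->", parse_heartbeat(GOOD_RECORD))
    print("oversized     ->", parse_heartbeat(OVERSIZED_RECORD))
    print("response      ->", respond_to_heartbeat(GOOD_RECORD)[:6])
```

The point for anyone triaging clients as well as servers: the check is symmetric, so a library that lacks it is exposed whichever side sends the request, which is why the browsers and command-line tools mentioned above matter as much as Apache.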

mpiva (Topic starter)

  • Sr. Member
  • Join Date: Aug 2003
  • Posts: 297
  • http://members.shaw.ca/michpiva
Re: Heartbleed
« Reply #9 on: April 10, 2014, 11:18:49 PM »
Just noticed this on OS4Depot today:


libopenssl.lha   dev/lib/mis   1.0.1g   10Mb   10 Apr 14   4.0   8   ¤ Libopenssl - The Open Source toolkit for SSL/TLS

2014-04-10 - Updated to 1.0.1g.
-- Michael A. Piva --


"In engineering, there is no single truth, no one right answer; there's a canvas, and you paint it your way, only with chips or gates or subroutines rather than actual paint. That's the Amiga..."
-Dave Haynie
 

gertsy

  • Lifetime Member
  • Hero Member
  • Join Date: May 2006
  • Posts: 2318
  • Country: au
  • Thanked: 1 times
  • http://www.members.optusnet.com.au/~gbakker64/
Re: Heartbleed
« Reply #10 on: April 11, 2014, 07:08:12 AM »
Quote from: mpiva;762317
Just noticed this on OS4Depot today:


libopenssl.lha   dev/lib/mis   1.0.1g   10Mb   10 Apr 14   4.0   8   ¤ Libopenssl - The Open Source toolkit for SSL/TLS

2014-04-10 - Updated to 1.0.1g.


Doh. And the security experts say you should be on the latest versions..... If they were behind the times they would have been safe.
Don't let Commodore John get wind of this...;)
 

Duce

  • Off to greener pastures
  • Hero Member
  • Join Date: Jul 2009
  • Posts: 1699
  • http://amigabbs.blogspot.com/
Re: Heartbleed
« Reply #11 on: April 11, 2014, 09:03:01 AM »
Don't worry, John still does all his internet communications via tin cans connected with strings and smoke signals  :)

Just giving you a hard time, John :)