Results 1 to 4 of 4
  1. #1
    Community Contributor
    Join Date
    Nov 2011
    Posts
    2,953

    Heartbleed Stuff (Off Topic)

    Maybe off topic, but slightly curious about the 'heartbleed bug' affecting OpenSSL, Apache, and Nginx (as is most applicable in this instance). I assume a software update on the server, certificate revocation, and a new certificate is in order or already accomplished.

  2. #2
    Who?
    Join Date
    Sep 2009
    Location
    Stockholm, Sweden
    Posts
    2,799
    Quote Originally Posted by ty_ger07 View Post
    Maybe off topic, but slightly curious about the 'heartbleed bug' affecting OpenSSL, Apache, and Nginx (as is most applicable in this instance). I assume a software update on the server, certificate revocation, and a new certificate is in order or already accomplished.
    The mongo database backing the UI was affected and has been patched. The reseller account on the phogue.net site was affected and has been patched. Nothing else to my knowledge is exploitable.

    The certificate on myrcon.com is fine, but will probably be reissued next weekend anyway when we buy additional subdomains for it. If it wasn't fine then I may have nagged to move that up to today.
    I started at DICE late Oct. 2014, so ignore every post before that.

  3. #3
    Community Contributor
    Join Date
    Nov 2011
    Posts
    2,953
    Previous comments seemed to indicate that myrcon.com was running on nginx.

    Based on your above comment, is it correct to assume that myrcon.com is already on OpenSSL version 1.0.1g? The certificate needs to be revoked and a new certificate issued in case there are keys in the wild from a leak which may have occured before the software update.

    What is leaked primary key material and how to recover?
    These are the crown jewels, the encryption keys themselves. Leaked secret keys allows the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revocation of the compromised keys and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past still vulnerable to decryption. All this has to be done by the owners of the services.
    http://heartbleed.com
    Last edited by ty_ger07; 12-04-2014 at 15:04.

  4. #4
    Phogues Rubber Duck
    Join Date
    Dec 2010
    Posts
    1,030
    myrcon.com is sat behind cloudflare, who patched heartbleed about 2 weeks ago, before it was publicly announced.

    You're protected from the Heartbleed vulnerability because you have CloudFlare turned on for your website. We fixed the flaw on March 31 for all CloudFlare customers, a week before it was publicly announced.

    Heartbleed (CVE-2014-0160, http://www.openssl.org/) is a flaw in OpenSSL, encryption software used by the vast majority of websites to protect sensitive information. This vulnerability in OpenSSL allows an attacker to reveal up to 64KB of memory to a connected client or server. This flaw could expose sensitive data such as passwords or usernames - even when you thought it was encrypted.

    NO IMPACT ON CLOUDFLARE SERVICE. Our team has conducted a comprehensive security review to ensure our customers were not impacted. One concern is that an attacker had access to the exploit before March 31 since the flaw was present since December 2011. We've seen no evidence of this, but we're proceeding as if it is a possibility.

    PRIVATE KEY DATA. Our security and cryptographic team has been testing the possibility that private SSL key data may have been retrieved. We have been unable to replicate a situation where private SSL key data would leak. We have set up a challenge to see if others can exploit the bug. See more information on our blog:

    http://blog.cloudflare.com/answering...ing-heartbleed
    Granted, the keys COULD have been leaked before then, but its very unlikely, and like Geoff said, its likely we will need to reissue them next weekend anyway.

    Note: I have no idea if we were vulnerable before that anyway, it all makes no sense to me anyway.
    Last edited by Ike; 12-04-2014 at 15:16.

 

 

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •