Skip to main content

Heartbleed

This bug will probably be taught in Comp Sci classes in years to come and the poor student Robin Seggelmann from T-Systems International who wrote this buffer bounds beauty, earned instant infamy.

It is a terrible, terrible bug - you send a request to a supposedly secure server and it returns up to 64KB of data, which on a busy mail service like Yahoo, could contain multiple user names, passwords and keys in each and every request.

The bad thing is that the heartbeat feature was not necessary.

A thing should be as simple as possible, but no simpler.
-- A. Einstein

T-Systems violated that principle and we are all paying the price.

Keepass

Give the good IT folks a few days to fix things and then change ALL your passwords everywhere and to preserve your sanity, do install Keepass (Windows), KeepassX (Linux, Mac) or KeepassDroid (Android).

For those worried about Keepass, see this: http://www.ssi.gouv.fr/fr/produits-et-prestataires/produits-certifies-cspn/certificat_cspn_2010_07.html

Broken windows

The problem is actually not as widespread as feared.  According to Netcraft, while a good 70% of all servers use OpenSSL, about a quarter use Heartbeat, meaning that the total percentage of servers affected by Heartbleed, is under 20%, but for the next few days, you cannot trust anything.

Nevertheless, the broken windows fallacy means that some IT businesses will profit handsomely, especially the certificate vendors, at the expense of everyone else.

My site statistics graph shows that there are still many broken Windows out there too...
;)

Now that many people are starting to look critically at OpenSSL, they are bound to find many other issues.  The OpenBSD contributors already started to scratch at it.  So expect to see a slew of updates over the next few weeks as large numbers of bugs get fixed.  Thanks to the heartbeat bug, OpenSSL should end up being much more secure than it ever was.

Update: OpenBSD announced LibreSSL, their lean and mean fork of OpenSSL.
http://www.libressl.org/

Who Knew?

The big question is who knew?

In these matters the only certainty is that there is nothing certain. 
 -- Pliny the Elder

Did the NSA, GCHQ, CSE and others know about this bug for the past two years and happily collected logins and keys and does this explain why they could perform Man In The Middle attacks with such apparent ease?



Labels:

Comments

Post a Comment

On topic comments are welcome. Junk will be deleted.

Popular posts from this blog

PCB Mill

PCB Mill Kit My latest toy is a small PCB Mill, a CNC 3018 Pro, there are many available from Ali Express for the enormous sum of 285 Dirhams or so, which is about 70 Euro.  I thought that even if it didn't work at all, it would not be a big loss. Assembled CNC 3018 Kit It will help if you have a little previous workshop experience, but these machines are so simple and relatively slow moving, that any radio-geek can safely experiment. Carving With a V-bit in a Puddle of Oil Of course I can have boards made in China by Dirty PCBs , but what is the fun in that? The problem with making PCB antennas, is that you need to experiment to change the design 1 mm this way or that, to tune it just so and just such and having to wait 2 weeks for each experiment doesn't work.  A few hours playing with a router is more practical. It turned out to be a pretty nice little kit, made from aluminium and 1/4 inch Bakelite (paper reinforced phenol formaldehyde).  This Pre...
Post a Comment
Read more

Yagi Antenna for 900 MHz ISM Band

I like tinkering with wire antenna designs, since they are simple and cheap to make.  Mr Yagi invented his antenna about 100 years ago, but there are still some things left to learn about it. 900 MHz ISM Band Yagi The 900 MHz ISM band ranges from 902 to 928 MHz.  Covering the whole band with a single Yagi antenna is difficult, since they are inherently narrow band devices.  Consequently some tweaking is required and the result below is a desensitized design that can be built and replicated quite easily, but you need a network analyzer - "To Measure, is to Know!" A Yagi generally consists of a Reflector, Radiator and one or more Director elements, arranged on a boom.  For a small Yagi, a wooden ruler works a treat, since one can easily mark the position of the wires.  The wire elements are fastened to the bottom of the ruler with hot glue.  The wire elements are  made from straightened out jumbo size paper clips.  The balun, is tw...
Post a Comment
Read more

OpenEMS with Octave and SciLAB

I wanted to do some advanced RF antenna development work and needed an electromagnetic field solver that is a bit more up to date than NEC2 .  Commercial solvers from Matlab , Ansys and others are hideously expensive (in the order of $20,000 to $50,000) and do not fit in the wallet of a hobbyist or a small consulting company.  Recently, openEMS became available and it fills the niche with a capable free tool.  In general, openEMS is a solver - a Finite-Difference Time-Domain (FDTD) numerical engine.  You interact with it through Octave , which is almost identical to Matlab .  You can watch a good video by Thorsten Liebig here: https://www.youtube.com/watch?app=desktop&v=ThMLf0d5gaE   Getting it to work is a little painful, but it is free, so bear with it - then save a backup clone, or a zipped copy of the whole virtual machine directory and NEVER update it, to ensure that it keeps going and doesn't get broken by future updates, right when you are ...
Post a Comment
Read more