Tag Archives: SSL

What You Need to Know About the Heartbleed Bug

Apr 14, 2014 by Matt | Posted in Hosting 62 Comments

Heartbleed LogoIf you haven’t already heard, a major exploit in OpenSSL was discovered recently. The Heartbleed Bug, which is as scary as it sounds, allows an attacker to capture potentially sensitive information from a server’s memory by exploiting a flaw in the implementation of the heartbeat function of OpenSSL’s SSL/TLS implementation.

How it Works

SSL/TLS, the encryption protocol commonly used for securing traffic between web browsers and servers, has a feature called a “heartbeat.” Every now and then, an exchange like this happens between the client and the server:

Client: You still there? If so, send back “ALIVE,” which is five characters.

Server: ALIVE

If the heartbeat succeeds, the connection stays open. This keeps happening, over and over, with a different value being passed each time.

Now here’s what happens if someone exploits the Heartbleed bug:

Client: You still there? If so, send back “KITTEN,” which is 300 characters.

Server: KITTEN, and here’s a block of random memory from RAM!

In this manner, an attacker can get a random 64KB chunk of data from memory every time a heartbeat is sent, thanks to a lack of validation of the length parameter. (So an attacker can just repeatedly make attempts.) Eventually, they’d get lucky and find something interesting. Such as the SSL certificate or users’ passwords and data.

Exploiting this bug is trivial. (There were people posting scripts to test for the vulnerability minutes after it was announced. Just imagine how quickly malicious types got to work implementing exploits for the bug!) It’s also possible that someone knew about it months or even a couple years ago, and has been exploiting it ever since. Bloomberg even suggests that the NSA has known about it for two years, and has been exploiting it rather than disclosing the problem.

Is it Fixed?

Yes! Your Linux distro should already have patched builds in their package manager, so it’s just a simple manner of running a couple of commands to update your openssl and libssl1.0.0 packages, then restarting any services that depend on SSL. (Or just do a full reboot if you’re paranoid.) In the case of Ubuntu, you’d just do something like this to update the packages:

sudo apt-get update
sudo apt-get dist-upgrade

You should now revoke any SSL certificates and issue new ones, in case they were leaked in an exploit of the bug.

What Should I Do, as a User?

Change your passwords! For anything important—email, banking, etc.—you should consider picking a new password.

Are Unicode Domains Really a Security Risk?

Jan 11, 2010 by Matt | Posted in Domains No Comments

I recently read an interesting piece from Mashable that suggested that ICANN allowing non-Latin (Unicode) domain names is a security risk. The problem is that Unicode characters can be rendered in browsers as Latin characters, which opens a new window of opportunity for phishers.

If the domain, created using Cyrillic scripts “raural.com” was registered, the way that Unicode-browsers will actually render that domain in latin is as “paypal.com.” In theory, phishers could pass around that link and set up a fake version of the PayPal site to harvest logins and credit card data.

It is impossible to tell the difference visually. It’s pretty scary. At least, I thought it was until I realized two things:

  1. You shouldn’t click links in emails claiming to be from PayPal or your bank anyway. Just don’t. Type the address in manually.
  2. Websites dealing with money, or other things that require a higher level of security, generally have an SSL certificate signed by a reputable third party.

So if you don’t click links in emails, and make sure that the SSL certificate checks-out, you’ll be safe.

It’s not that big a deal for those of us who have a good general knowledge of computer security, but it still is worrying that phishers are gaining this tool. I’m sure you know plenty of people who could easily fall into this kind of trap.