[nSLUG] Nasty zero day vulnerability in openssl CVE-2014-0160

Julien Savoie julien.savoie at usainteanne.ca
Fri Apr 11 11:51:56 ADT 2014


I'm using regular HTTP to take credit card orders on my site, so this
big SSL bug doesn't affect me, right?

On 11/04/14 07:31 AM, George N. White III wrote:
> The early reports indicated the bug only affected html servers using
> https,
I really hope no one actually said that, because that's stupid.  The
vulnerability is within the TLS extension heartbeat (RFC 6520), not
http.  I've had success against my own dovecot imap server.

> but now we know that clients can leak memory, including wget, curl,
> links, and git
> <https://isc.sans.edu/forums/diary./The+Other+Side+of+Heartbleed+-+Client+Vulnerabilities/17945>.
Very first time I've ever been happy something in Debian was linked
against GnuTLS.

>   The heartbleed.com <http://heartbleed.com> site now says:
> "You might have networked appliances with logins secured by this buggy
> implementation of the TLS. Furthermore you might have client side
> software on your computer that could expose the data from your
> computer if you connect to compromised services."
VMWare 5.5 (at the time of writing) remains vulnerable and unpatched;
http://www.vmware.com/security/advisories

As for vulnerable clients, yes, the heartbeat goes in both directions.
Fortunately most people aren't using a browser linked against openssl.
https://tools.ietf.org/html/rfc6520#page-6

On 11/04/14 02:50 AM, Mike Spencer wrote:
> If I were contemplating the overthrow of a sovereign state, the purchase
> of nuclear weapons or just trying to disappear, I suppose I'd try to
> use PGP or GPG combined with steg and some way to defeat traffic
> analysis.
And I might use PGP/OTR to ask someone to meet me for coffee.  I'm not
sure it's wise, as a society, to only demand privacy when we're doing
something illicit.
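As an added illustration, not code from this thread or from OpenSSL, here is how a receiver should validate an RFC 6520 heartbeat message before echoing it: the payload_length claimed in the header is checked against the bytes actually present in the record, which is the check missing in CVE-2014-0160. The function and constant names are mine, and the two sample messages are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage: type (1 byte), payload_length (2 bytes,
 * big-endian), payload[payload_length], padding (at least 16 bytes).
 * rec_len is the length of the record that actually arrived. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

enum hb_status { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* Validate the message; on HB_OK, *payload/*payload_len describe the
 * payload inside rec. Nothing is read past rec until the claimed length
 * has been checked against rec_len. */
enum hb_status hb_parse(const uint8_t *rec, size_t rec_len,
                        const uint8_t **payload, uint16_t *payload_len)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE) return HB_BAD_TYPE;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The bounds check: header + claimed payload + minimum padding must
     * fit in the received record, or the echo would copy memory beyond it. */
    if ((size_t)1 + 2 + claimed + HB_MIN_PADDING > rec_len) return HB_LENGTH_MISMATCH;
    *payload = rec + 3;
    *payload_len = claimed;
    return HB_OK;
}

/* Build the echo response from a validated request. Returns bytes written,
 * or 0 if the request was rejected or out is too small. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_len)
{
    const uint8_t *payload; uint16_t plen;
    if (hb_parse(rec, rec_len, &payload, &plen) != HB_OK) return 0;
    size_t need = 1 + 2 + (size_t)plen + HB_MIN_PADDING;
    if (out_len < need) return 0;
    out[0] = HB_RESPONSE; out[1] = (uint8_t)(plen >> 8); out[2] = (uint8_t)plen;
    memcpy(out + 3, payload, plen);          /* only the validated length */
    memset(out + 3 + plen, 0, HB_MIN_PADDING); /* RFC wants random padding; zeroed here for determinism */
    return need;
}

/* Constructed sample records (not captured traffic), both 24 bytes long.
 * GOOD_REQ claims a 5-byte payload; LYING_REQ claims 0x4000 bytes. */
static const uint8_t GOOD_REQ[24]  = { HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o' };
static const uint8_t LYING_REQ[24] = { HB_REQUEST, 0x40, 0x00, 'h','e','l','l','o' };

int hb_check(const uint8_t *rec, size_t rec_len)
{ const uint8_t *p; uint16_t n; return (int)hb_parse(rec, rec_len, &p, &n); }

size_t hb_echo_len(const uint8_t *rec, size_t rec_len)
{ uint8_t out[64]; return hb_build_response(rec, rec_len, out, sizeof out); }
```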
