OpenSSL and Heartbleed
A. Santa Clause
B. The Tooth Fairy
And, the correct answer is C, with a qualification. The recently discovered Heartbleed bug in OpenSSL has been repaired. Now, all you have to do is recreate all the certificates and keys you created with it and reinstall them into servers that use OpenSSL cryptographic libraries after they have been updated. This probably includes all routers with an embedded OpenVPN server as well as any NAS device with one. Apache servers have been reported with OpenSSL vulnerabilities. So has my former platform from my IT consulting days, the AS/400. So have some individual programs, such as WinSCP. Some major vendors of commercial routers also have OpenSSL issues to repair.
Say it isn’t so. First PPTP, an extremely easy to implement VPN, was compromised. Now OpenSSL has problems. If anything, this elevates the word probably to a higher level of stature, credibility, and necessity of use.
How the Heartbleed Exploit Works
I could research the technical details about this particular buffer overflow exploit and report what I probably understood, but the average user couldn’t relate to it in their daily life, I would undoubtedly miss some details only a true geek would notice and/or love, and all you would end up with were empty calories even if I got everything right. In the past week, I’ve already made a couple of statements about Heartbleed that turned out to be incomplete.
The National Vulnerability Database documents Heartbleed and provides Federal information intended for the dedicated bug hunter. The Department of Homeland Security maintains the database. Github brings the detail to the programmer level. The Hacker News adds technical depth.
Basically, a skilled hacker can cause a 64k sized buffer to overflow from an SSL server that uses OpenSSL libraries and return to the hacker whatever is in the buffer at that moment, all unencrypted. The buffer may hold passwords or pasta recipes. It’s returned and generally displayed in hexidecimal, which is easily converted to recognizable verbiage, but the buffers holds a lot of almost random-looking data. A dedicated or lucky hacker is said to be capable of getting the goods on some users if they work hard enough and examine enough 64k buffers full of information. It’s unclear to me how a hacker would initiate such an attack and I don’t have the programming skills to write an exploit myself.
Remember, this is only for servers that use OpenSSL libraries. Microsoft uses Active Directory Certificate Services and is most probably not affected. A corrupt application that later accesses a Windows Network would put downstream Windows Servers at risk.
OpenSSL is open source software. This means it is free and usually of high quality (generally speaking) because popular open source software is accessible at the source level to anyone who wants to see it. That’s how they found the Heartbleed bug. Some curious soul noticed an anomaly and tracked it down.
Since open source software is free, a lot of people use it. The Heartbleed bug won’t diminish the overall use of open source software, nor will it diminish the overall use of OpenSSL. Large companies that have standardized on OpenSSL will probably pay closer attention to all critical applications that use open source software and possibly donate funds to the open source applications their employees and customers rely on. Even after making a donation, open source software is the lowest cost option for many competent applications.
This article lists many popular websites and states whether or not they were vulnerable. By vulnerable, it means you should consider changing your password there.
Recently Added Disclaimer
Earlier this month (4-9-2014), I added an update to a few pages warning of the Heartbleed bug. I updated them again (4-12-2014) when I realized I forgot to include a couple of essential details about servers. After publishing this article, I will replace the updates with a link here.
Many articles in Advanced Home Server use OpenSSL to illustrate the creation of certificates and keys. To be honest, I originally thought it was only an issue about keys and certificates created with OpenSSL having some flaw that nullified the benefits of SSL in general.
After reading a few more stories on the internet, I came to the conclusion that OpenSSL is capable of being used on both sides of the message. As described, you generate keys and certificates for personal use. Apparently, OpenSSL also provides libraries that can be used on servers that employ SSL for basic internet encryption. This latter function is separate and distinct from certificate and key creation. I really didn’t know that, but probably should have. Live and learn.
Until a few minutes ago, I wasn’t sure if the biggest problem was an issue with embedded software that uses OpenSSL to create default certificates that many use to simplify secure SSL communication. No, that’s not it. Programmers use OpenSSL at the back end of secure server development to support advanced cryptography. This site from ibm.com describes OpenSSL as a function library of cryptographic and SSL functions. By implication, the Heartbleed problems are at the server level and the certificate you generated with OpenSSL is a secondary concern. The link above from the Hacker News confirmed this observation.
This means that all servers and programs using OpenSSL libraries need to be fixed. After this repair, all SSL certificates and keys need to be re-created and installed because some goof might have been slick enough to get a look at them.
Some of these servers reside somewhere other than where you currently are and your job will be to 1) find out if they use OpenSSL libraries for any cryptographic functions, 2) if so, find out if and when they are fixed, then 3) change your passwords on those sites and update any SSL certificates you may have installed there with newly created ones from your certificate vendor.
Some of the affected servers are possibly a couple of feet away from you as you read this. OpenVPN software is compromised. DD-WRT includes an OpenVPN server and other applications that rely on OpenSSL libraries. Padavan’s Asus router replacement firmware includes an OpenVPN server. (I’m currently using my old Asus RT-N56U router with Padavan’s firmware so it can work as a 5GHhz client bridge for media. The Netgear WNDR3400 v1 with DD-WRT has been retired. A Netgear R6300 V1 refurb with DD-WRT is now the main household router.) Many full-featured NAS devices include embedded applications that depend on OpenSSL libraries.
How Bad Is It Really? The Elevation of the Word Probably
How bad is it really? You should be concerned, but don’t worry. You will probably be completely unaffected, but should still research your vulnerabilities and repair them.
Seriously, I really don’t know. Anyone is capable of stealing anything at any time, or at least trying to, especially if they believe they can get away with it. Your average slacker;
- Would probably be more interested in stealing a credit card number since it takes less effort and you don’t need to be a Braniac to figure out how to do it.
- Would not have the extreme patience to probably associate random pieces of information into something coherent.
- May decide that all this effort and skill is probably not well spent when he could buy some stolen credit card numbers in bulk off the dark internet much easier.
The Heartbleed bug means another icon has fallen. SSL is no longer infallible. You just can’t believe in anything any more. Another ‘fact’ is now an item of faith. It probably works as described, but maybe not. It’s the newest metaphor for daily life. Add it to the list …
- I’m from the Government and I’m here to help;
- Wall Street is more interested in helping you make money than in collecting fees from you for their help, whether you make money or not;
- When Central Banks print massive amounts of money and asset prices rise as a result, they’re creating permanent value as opposed to temporary asset bubbles based on currency debasement and ginormous, newly created cash flows (Yes, not related to home servers, but remember, I am a CPA with a degree in economics. Computers are only a hobby.);
- Media reporters and outlets are more interested in getting the full story to you than in supporting their advertisers and/or retaining their access to sources.
OpenSSL version 1.01g and above, including 1.02, are said to be repaired. This should be used to re-create your certificates and keys after your servers are safe. If you’re using safe servers with existing OpenSSL certificates, you’re probably OK without making changes, but, think about it anyway.
After you press the Enter button, you have no idea how most of the sites you visit are configured. Changing passwords for important sites is probably a good idea.
OpenVPN is said to have repaired their client and server software. However, if the OpenVPN server is embedded in a router, server, or NAS device, you will have to wait for a fix to be made available via a firmware upgrade.
My QNAP TS-120 was updated today (4-17-2014). DD-WRT has a fixed version available, as does Padavan’s Asus router replacement firmware. Both routers have been updated here.
Google has provided useful updates about what’s fixed and what isn’t. You just have to hunt down what you need to know.