Consequences of OpenSSL Heartbleed


    Heartbleed could become, if it has not already, the biggest information-security vulnerability ever.
    For some reason, the discussion in the original topic is not very active, which surprises me a great deal.

    What happened

    On January 1, 2012, Robin Seggelmann submitted, and steve reviewed, the commit that added the Heartbeat extension to OpenSSL. It was this commit that introduced the vulnerability now called Heartbleed.

    How dangerous is it?
    This vulnerability allows reading the process's RAM in chunks of up to 64 KB. Moreover, the vulnerability is two-way: not only can data be read from a vulnerable server, but an attacker's server can also receive part of your RAM if you connect to it with a vulnerable version of OpenSSL.

    An attacker can connect to, say, a vulnerable Internet bank, pull the private SSL key out of its RAM and perform a MITM attack on you, and your browser will behave as if nothing had happened, because the certificate is valid. Or they can simply obtain your username and password.
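    The bug behind this is a single missing bounds check. The following is an added illustration in C, a simplified toy model and not OpenSSL's own code: the pre-fix heartbeat handler beside the fixed one, run over a constructed memory layout in which a 3-byte record claims a 64-byte payload, so the old handler echoes neighbouring memory while the fixed one rejects the record yet still answers a legitimate heartbeat.

```c
/* Toy model of the TLS heartbeat handler, added as an illustration; it is not OpenSSL's
 * code. Before 1.0.1g the declared payload length was trusted without a bounds check. */
#include <stdint.h>
#include <string.h>
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding follow the payload */

/* A received record: the bytes that actually arrived and how many there were. */
typedef struct { const unsigned char *data; size_t length; } record_t;
typedef long (*hb_handler)(const record_t *, unsigned char *, size_t);

/* Writes the response (type, 2-byte length, echoed payload) to out and returns its size,
 * or -1 if rejected. Pre-fix logic: `payload` comes from the peer and is never compared
 * with rec->length, so memcpy reads past the record into whatever memory follows it. */
static long heartbeat_vulnerable(const record_t *rec, unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec->data;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if (p[0] != HB_REQUEST || (size_t)3 + payload > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = (unsigned char)(payload >> 8); out[2] = (unsigned char)payload;
    memcpy(out + 3, p + 3, payload);
    return 3 + payload;
}
/* Fixed logic (as in 1.0.1g): discard records too short to hold a heartbeat, and discard
 * any declared length that does not fit inside the bytes actually received. */
static long heartbeat_fixed(const record_t *rec, unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec->data;
    if (rec->length < 1 + 2 + HB_PADDING) return -1;
    uint16_t payload = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length) return -1;  /* the missing check */
    if (p[0] != HB_REQUEST || (size_t)3 + payload > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = (unsigned char)(payload >> 8); out[2] = (unsigned char)payload;
    memcpy(out + 3, p + 3, payload);
    return 3 + payload;
}
/* Constructed "process memory": a 3-byte record claiming 64 bytes, then a made-up token. */
static unsigned char arena[128] = { HB_REQUEST, 0x00, 0x40, 'S','E','C','R','E','T' };

/* 1 if the handler echoes back bytes that were never part of the record. */
static int leaks_adjacent_memory(hb_handler handler) {
    record_t rec = { arena, 3 };              /* only 3 bytes actually arrived */
    unsigned char out[256];
    long n = handler(&rec, out, sizeof out);
    return n > 3 && memcmp(out + 3, "SECRET", 6) == 0;
}
/* A well-formed request: payload "abc" plus 16 bytes of padding, 22 bytes in total. */
static long benign_echo_length(hb_handler handler) {
    unsigned char req[22] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c' };  /* rest is zero padding */
    record_t rec = { req, sizeof req };
    unsigned char out[64];
    return handler(&rec, out, sizeof out);
}
```

    The same handler runs on both the client and the server side, which is why the page calls the vulnerability two-way.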

    What is the scale of the tragedy?

    By my estimate, approximately ⅔ of websites use OpenSSL for HTTPS connections, and approximately ⅓ of those have been vulnerable up to this day.

    The vulnerability was / is at least in:
    • 10 banks
    • 2 payment systems
    • 8 VPN providers
    • mail.yandex.ru
    • mail.yahoo.com


    Using the vulnerability on mail.yandex.ru it was possible to receive users' letters along with HTTP headers (and, by substituting the cookie, log in as that user), and, for example, at Alfa-Bank to receive unencrypted POST data with a login and password for Alfa-Click (Internet banking).

    What have I done?

    I couldn't just sit there and watch users' personal data flow into the hands of attackers.
    First of all, I wrote to some VPN providers that provide access over the OpenVPN protocol, because it could be vulnerable. Then I started looking for the vulnerability in systems where it poses the greatest threat: banks, payment systems, mail/jabber servers. I called and wrote to the vulnerable services. As a rule, it is extremely difficult to reach a bank's security service, and they answer only by mail.

    Service | Email time | Call time | Vulnerability closed | Certificate reissued | Leaked data
    --- | --- | --- | --- | --- | ---
    mail.yandex.ru | 12:46, 13:27 (via bug bounty, to get a quick answer) | 12:47 | 14:07 | No | Mail cookie
    Alfa Bank | 12:51 | 12:59 | 14:00 | No | User logins and passwords, transactions, user personal data, cookies. Denies the vulnerability!!
    Liqpay | 13:15 | - | 15:15 | No | None (garbage, pieces of Perl scripts)
    Interkassa | 13:15 | 13:20 | 18:28 | Yes | Transactions, cookies
    Raiffeisen | 13:35 | 13:30 | ~19:00 | No | N/a
    Bank "Opening" | 15:36 | - | in the evening | No | N/a
    Bank of Moscow | - | ~15:30 | ~17:00 (only the site was vulnerable) | - | -
    Yahoo.com | - | - | 22:20 | Yes | User logins and passwords, mail, cookies
    IMoneyBank | - | 14:31, 20:20 | 09.04 10:55 | Yes | User logins and passwords, transactions, cookies, user personal data
    Russian Standard | 13:00 | 19:36, 09.04 10:38 | 09.04 13:00 | No | Transactions, cookies, user personal data
    OTP Bank | 09.04 14:20 | 09.04 14:19 | 09.04 15:03 | No | Transactions, cookies, user personal data
    Russlavbank | ~16:00 | - | 09.04 ~12:00 (only the site was vulnerable) | - | -
    Bank Zenit | - | 21:50, 09.04 11:15, 04.04 15:25 | 09.04 18:20 | No | User logins and passwords, cookies
    Ak Bars Bank | - | - | 11.04 15:30 | No | User logins and passwords, transactions


    What should I do as a user?

    If you are using Linux, you need to upgrade to the latest available version of OpenSSL. Most distributions already have the patched version in their repositories.
    If you are on OS X, you are most likely using OpenSSL 0.9.8, which is not vulnerable, unless you installed a newer version manually.

    If you use Windows, you most likely do not have OpenSSL at all. If you installed it manually (for example, through Cygwin), make sure that your version does not contain the vulnerability.

    After you update OpenSSL, restart all applications that use it!

    Keep in mind that there is a fairly high chance that other people already have your passwords. Change them, but not right now: do not log in to vulnerable sites until they are fixed. You can check a site for the vulnerability using the links below.

    What should I do as a site owner / system administrator?

    First of all, you should immediately check whether your version of OpenSSL is vulnerable. There are three online checkers for HTTPS: filippo.io/Heartbleed, possible.lv/tools/hb and www.ssllabs.com/ssltest. Update if necessary. Make sure that you install a version with the patch, or 1.0.1g.

    If you had a vulnerable version of OpenSSL, you should revoke the old SSL certificate: it is likely to have been compromised. If the vulnerability affected your service, be sure to notify users to change their passwords, and reset sessions if you use them (PHPSESSID, JSESSIONID).

    And I want the details!

    You can read the vulnerability analysis here, and get more information here and here.
    629 sites from the top 10,000 are vulnerable.
    News on cnet.com.
    Article on banki.ru.

    Bonus: a conversation between the blind and the deaf, Mikhail
