SSL Not So Secure

Posted: Wed Apr 09, 2014 12:52 pm
by dandymcgee
http://heartbleed.com/
http://heartbleed.com/ wrote: Most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft's April 2014 Web Server Survey.
66% of the Internet is affected... that is insane.
http://www.openssl.org/news/vulnerabilities.html wrote: CVE-2014-0160: 7th April 2014
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server
Wow. For the last two years, pretty much all of our "secure" communications could have been easily intercepted by an anonymous attacker. The implications of this bug are nearly unimaginable. All of this because of a missing bounds check.

It's amazing for me to think a technology so fundamental to the Internet backbone has such a poor pre-release code review process.

Thoughts?
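To make the quoted CVE text concrete, here is a simplified model of a heartbeat request handler, once without the bounds check and once with it. This is an added illustration and not OpenSSL's own code: the record layout follows RFC 6520 (type, 2-byte big-endian payload length, payload, at least 16 bytes of padding), but the function names, the 64-byte demo buffer and the "SECRETKEY=hunter2" bytes are constructed for the example. The vulnerable handler sizes its response from the length field the peer claims and copies that many bytes without ever comparing the claim with the number of bytes that actually arrived, so whatever sits after the real record in memory is echoed back.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message on the wire (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Decode a 2-byte big-endian length field. */
static size_t n2s(const unsigned char *p) {
    return ((size_t)p[0] << 8) | p[1];
}

/* Vulnerable handler: never consults rec_len (the number of bytes really
 * received), so the memcpy may read up to 65535 bytes past the end of the
 * record. Returns the number of response bytes written to out, or -1. */
long hb_respond_vulnerable(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap) {
    (void)rec_len;                           /* the whole bug: ignored */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload  = n2s(rec + 1);          /* attacker-controlled claim */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (out_cap < resp_len) return -1;       /* response sized from the claim */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);       /* over-read if claim > real size */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (long)resp_len;
}

/* Fixed handler: identical, plus the two checks the upstream patch added.
 * A record too short to be a heartbeat, or one whose claimed payload does
 * not fit inside the bytes actually received, is silently discarded. */
long hb_respond_fixed(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;   /* cannot even hold padding */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = n2s(rec + 1);
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1; /* the missing check */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (out_cap < resp_len) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);       /* now provably inside rec */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (long)resp_len;
}

/* Constructed demo memory (not a real capture): a request that claims 32
 * payload bytes but really carries 2, followed in the same 64-byte block by
 * bytes standing in for whatever else the process had in memory. The
 * unlisted tail of the array is zero-filled, so the over-read stays inside
 * the array for demonstration purposes. */
static const unsigned char demo_mem[64] = {
    HB_REQUEST, 0x00, 0x20,                         /* claimed length = 32 */
    'h', 'i',                                       /* the 2 bytes really sent */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T', 'K', 'E', 'Y', '=', 'h', 'u', 'n', 't', 'e', 'r', '2'
};
#define DEMO_REC_LEN (1 + 2 + 2 + HB_PADDING)       /* 21 bytes actually arrived */

/* An honest request: claims exactly the 2 payload bytes it carries. */
static const unsigned char demo_honest[DEMO_REC_LEN] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };

/* 1 if the vulnerable handler echoes bytes that lie beyond the real record. */
int demo_vulnerable_leaks(void) {
    unsigned char out[128];
    long n = hb_respond_vulnerable(demo_mem, DEMO_REC_LEN, out, sizeof out);
    /* the adjacent bytes start 18 bytes into the copied region */
    return n == 51 && memcmp(out + 3 + 18, "SECRETKEY", 9) == 0;
}

/* 1 if the fixed handler still answers a well-formed request correctly. */
int demo_fixed_accepts_honest(void) {
    unsigned char out[128];
    long n = hb_respond_fixed(demo_honest, DEMO_REC_LEN, out, sizeof out);
    return n == 21 && out[0] == HB_RESPONSE && out[3] == 'h' && out[4] == 'i';
}

int main(void) {
    unsigned char out[128];
    long n = hb_respond_vulnerable(demo_mem, DEMO_REC_LEN, out, sizeof out);
    printf("vulnerable: %ld bytes, echoed payload: ", n);
    for (long i = 3; i < n - HB_PADDING; i++) putchar(out[i] ? out[i] : '.');
    printf("\nfixed: %ld (negative means the request was discarded)\n",
           hb_respond_fixed(demo_mem, DEMO_REC_LEN, out, sizeof out));
    return 0;
}
```

The fix is the single comparison `1 + 2 + payload + HB_PADDING > rec_len`; note that the short-record check in front of it matters too, since the subtraction `rec_len - 3 - 16` used in some write-ups would wrap for a record shorter than 19 bytes if done in unsigned arithmetic.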

Re: SSL Not So Secure

Posted: Wed Apr 09, 2014 12:58 pm
by bbguimaraes
We spent most of the day discussing this at work yesterday. Pretty nasty, although the solution (or the only thing left to do) is workable: patch OpenSSL, regenerate certificates and probably reset passwords for everything.

Thankfully, this doesn't affect elysianshadows.com, because it doesn't use ssl/tls (okay, that was mean, sorry =).

Re: SSL Not So Secure

Posted: Wed Apr 09, 2014 1:08 pm
by dandymcgee
Also, here's the patch diff for anyone interested: http://git.openssl.org/gitweb/?p=openss ... e6e04cc802

Re: SSL Not So Secure

Posted: Wed Apr 09, 2014 1:14 pm
by bbguimaraes
Oh yes, and an article that actually explains what is going on, instead of throwing phrases like "read all the memory from the server" around:

http://blog.existentialize.com/diagnosi ... d-bug.html

Re: SSL Not So Secure

Posted: Wed Apr 09, 2014 4:29 pm
by ph0sph0ruz
Pretty nasty indeed. This one has been out there for quite some time also.